IT Times

Volume 7, Number 6 - May 1999

Email s-p-a-m:

It comes in many forms, but none have any meat

by Ann Mansker

Everyone who has email has received spam of some kind by now. Spam comes in many forms, some that are obvious and some less so. Unknowingly, you may even be guilty of spamming. As the volume of spam increases, it becomes more important for all of us to be cognizant of what we can do to fight back. The Incident Response and Reporting team selected spam reporting as its first project because it is a common problem affecting campus computer system administrators and the campus computing community. (See "New Response and Reporting Team" in this issue.)

What is spam?
Technically, SPAM (TM) is a potted meat product composed of chopped up pork shoulder and ham, invented by Hormel Foods, Inc. in 1937. The word was originally adopted as slang for unsolicited commercial email (UCE). It is now commonly extended to several varieties of email and newsgroup abuse, loosely characterized by the use of the Internet to deliver inappropriate messages to unwilling recipients. Hormel Foods has posted its admirable position on UCE and the use of the word "spam" on the Web at http://www.spam.com/ci/ci_in.htm.

[Illustration: spam cartoon, by Steve Oerding/IT-Creative Communication Services]

Spam is:
  • Unsolicited commercial email (UCE), such as advertisements for goods and services, which may be anything from discount office supplies to XXX-rated adult Web sites. Though some offerings may be more offensive than others, they are all fundamentally the same kind of abuse.

  • Chain letters. The most infamous example is any variation on "Make Money Fast!" but there are others that don't involve money. The ones that do are a felony (mail fraud) in addition to being a form of spam.

  • Off-topic or otherwise inappropriate posting. This can be either to a mailing list or to a newsgroup, and includes cross-posting messages to numerous unrelated newsgroups and posting many single identical or nearly identical messages to many groups. It is usually, but not always, commercial in nature. An example of this form of spam is posting a message concerning your litter of kittens (free to a good home!) on a mailing list devoted to NT security updates. Another example is posting an incensed reply regarding someone else's litter of kittens to the entire list, rather than to the sender.

Spam isn't:
  • Posting to a newsgroup or list messages that castigate the subscribers for engaging in whatever activity the newsgroup or list concerns. This is known as "trolling," and exposes the troll as immature and socially backward, but is almost by definition on topic for its target.

  • Using email or newsgroup posting to publicly or privately harass another person. Harassment is a violation of the UC Davis Acceptable Use Policy and may result in disciplinary action. In some cases it could even result in arrest and prosecution.

  • Forwarding false virus warnings. The "virus" in this case is the warning itself, which is almost invariably a hoax (see http://www.symantec.com/avcenter/hoax.html for a list; many will no doubt sound familiar). This is a particularly nasty and insidious thing. It abuses the concern that people have for their friends and co-workers, and uses naive goodwill to waste network bandwidth.

Please notice from the examples that spam isn't the only way to abuse campus computing resources. There are lots of other ways, but they happen to be outside the scope of this article.

Are you part of the problem?
If you engage in any of the activities mentioned in what "spam is," you are a "spammer" and may be subject to disciplinary action. No one in the academic community is exempt. It's also possible to be part of the spam problem without actually generating any mail yourself. If you are responsible for a computer that is on the network and is capable of functioning as a mail server, you could be providing a service to spammers by giving them a conduit to get around the efforts of other administrators to block the unwanted traffic. The service, called "relaying," is enabled by running mail server software configured to accept and forward messages that are neither from nor to a ucdavis.edu address. Spammers love to find relay-enabled hosts, especially in a respectable domain such as ucdavis.edu, because it lets them spout thousands of messages that would be blocked if they were coming directly from their true source.

Any system that supports mail transport may have a default configuration allowing mail relaying. It is the responsibility of the system administrator to check the mail transport application configuration. In the past few years, system administrators have become more savvy about setting this configuration properly. According to the Mail Abuse Prevention System, "In February 1998, the Internet Mail Consortium (IMC) released a survey reporting that 55 percent of the Internet mail servers remain vulnerable to unauthorized third party relay. Not too long ago, nearly every mail server was vulnerable to relay. So, although there is a lot of work left to do, we've made remarkable progress over the past few months."
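The relay rule described above can be written down as a small audit over mail transactions. This is an added example, not code from the original article: the network range and the sample records are constructed, and it goes one step beyond the article's wording by deciding "from us" on the connecting client's IP address, because the sender address on a message can be forged.

```python
import ipaddress

# Assumptions for this example (not from the article): the campus network
# range is a documentation prefix and the sample records are constructed.
LOCAL_DOMAIN = "ucdavis.edu"
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()

def is_local_domain(address):
    d = domain_of(address)
    return d == LOCAL_DOMAIN or d.endswith("." + LOCAL_DOMAIN)

def is_local_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def classify(client_ip, mail_from, rcpt_to):
    """Classify one SMTP transaction as a relay-restricted server should.

    mail_from is carried for the record only: it is easily forged, so
    "from us" is decided by the connecting client's IP address.
    """
    if is_local_domain(rcpt_to):
        return "inbound"           # delivery to one of our own users
    if is_local_client(client_ip):
        return "outbound"          # one of our own hosts sending out
    return "third-party relay"     # neither from nor to us: refuse

def audit(records):
    """Return the transactions an open relay would have forwarded."""
    return [r for r in records if classify(*r) == "third-party relay"]

# Constructed sample transactions: (client IP, MAIL FROM, RCPT TO)
SAMPLE = [
    ("198.51.100.7", "friend@example.org", "student@ucdavis.edu"),
    ("192.0.2.25", "staff@ucdavis.edu", "editor@example.net"),
    ("203.0.113.9", "deals@example.com", "victim@example.net"),
    ("203.0.113.9", "forged@ucdavis.edu", "victim2@example.org"),
]

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print("would relay:", rec)
```

The last sample record shows why the sender address alone is not enough: it claims a ucdavis.edu sender but arrives from an outside host for an outside recipient, so it is still third-party relay.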

If you have Microsoft Exchange Server, don't feel smug. Relaying was the default configuration for Exchange Server when it first came out. Are you sure you've fixed it? If you are not running server software, you aren't relaying, so all the people using Eudora to download their mail from the central campus POP servers can breathe a sigh of relief.

You're wondering why you should care, aren't you?
The two spam issues that have the most direct impact on the campus are relaying through a campus host, and spam generated at UCD that is directed at least in part to off-campus addresses. Both of these, if unchecked, can lead other sites to block mail from the ucdavis.edu domain. This can have very negative effects on you as an innocent end user. Imagine you're submitting an application for a grant that will support your entire lab for three years. Or, imagine you're in the midst of negotiating the summer internship of your dreams with the company you hope will give you a terrific job when you graduate. Or, imagine you've just finished the final corrections on the manuscript that the department chair has assured you will make him world famous, and email it to the journal a healthy two hours before the final deadline. Now imagine that your mail bounces because that site has just blocked delivery from ucdavis.edu because of spam originated at, or relayed by, UCD.

If you're not an innocent bystander, direct consequences of spamming could include losing your computing account, having a reprimand in your personnel file, or facing a lawsuit. Being a mail relay is bad for your computer because it diverts CPU and memory from your applications. Since spammers generously share the addresses of relaying systems with each other, the end result can be that your system's resources are overwhelmed by the volume of mail, locking you out entirely or crashing your system.

How to tell if your system is relaying, and what to do if it is
There are online resources available for system administrators who wish to make sure their site is not being used for mail relay.

The key links are:

What to do if you're spammed
First, retaliation is a bad idea. Deliberate spammers often forge the return address on the message to deflect retaliation efforts, so you may end up punishing the wrong person. In addition, some forms of payback are themselves grounds for disciplinary action. Last, but certainly not least, replying directly to the spammer (if it is a real address) just confirms that your address, at least, is live.

The amount of spam infesting the Internet increases daily. UCD blocks a long list of well-known spam domains, but there are always more where those came from. You have three or four options for dealing with spam that lands in your mailbox:

  1. Delete and ignore it.
  2. Filter it (not readily accomplished by Pine users and can be difficult to set up effectively for others).
  3. Complain to the spammer's Internet Service Provider (ISP), but make sure you know how to read headers, so you're complaining to the right person.
    • Open the message and expand the headers (see sidebar).
    • Forward the message with full headers to abuse@ or postmaster@ followed by the ISP's domain.
  4. Report it to abuse@ucdavis.edu.

    To ensure that action is taken against the appropriate entity, the forwarded message must contain the full headers. Many of these complaints are investigated each month, so if you do not get a personal response immediately, please understand that it doesn't mean the complaint is being ignored.
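Reading the headers for option 3 can be sketched in code. This is an added example, not part of the original article: the message, host names and the server name mail.campus.example are constructed, and the Received line layout it parses is one common form, not the only one.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every host and address is made up.
# mail.campus.example stands in for the recipient's own mail server.
TRUSTED = "mail.campus.example"
RAW = """\
Received: from relay.bulkmail.example (relay.bulkmail.example [203.0.113.45])
\tby mail.campus.example with SMTP id AA1234
\tfor <student@campus.example>; Mon, 3 May 1999 10:15:02 -0700
Received: from bigbank.example (unknown [10.1.2.3])
\tby relay.bulkmail.example with SMTP; Mon, 3 May 1999 10:14:40 -0700
From: "Prizes" <winner@bigbank.example>
To: student@campus.example
Subject: Make Money Fast!

Body text here.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def handoff(raw, trusted_by=TRUSTED):
    """Return the hop recorded by our own server, or None.

    Received lines are prepended, so the newest comes first. Only the line
    written by a server we control is reliable; anything below it, like
    the From line, could have been made up by the sender.
    """
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m and m.group("by").lower() == trusted_by:
            return m.groupdict()
    return None

def from_domain(raw):
    """Domain claimed in the From line (not to be trusted)."""
    return parseaddr(message_from_string(raw)["From"])[1].rsplit("@", 1)[-1].lower()

def complaint_addresses(raw, trusted_by=TRUSTED):
    hop = handoff(raw, trusted_by)
    if hop is None or "." not in hop["rdns"]:
        return []  # no usable host name; look up the IP's owner instead
    # Simplification: the last two labels of the host name are taken as the
    # ISP's domain; real names may need a public-suffix lookup.
    domain = ".".join(hop["rdns"].lower().split(".")[-2:])
    return ["abuse@" + domain, "postmaster@" + domain]
```

For the sample, the From line claims bigbank.example, while the hop recorded by the recipient's own server points to bulkmail.example, which is where the complaint belongs.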

Ann Mansker is a member of the Incident Response and Reporting team. She is also assistant postmaster and an IT representative with the Technology Support Program (TSP).

Resources:
Coalition Against Unsolicited Commercial Email: http://www.cauce.org/
