>
>
>Cameron Spitzer
>
>
>Secrets of Spam: Where it Comes from and How to Stop it
>
>
>The public email system we have known for twenty years is in crisis.
>Junk email now accounts for more than nine tenths of all email and
>it's the most common way for Americans to have their identities stolen.
>Cameron Spitzer set up his first email server in 1985 and has been
>running email systems for hundreds of friends since 1991. He also
>publishes a list of spam sources for administrators of email systems
>to use to protect their servers from incoming junk email.
>
>Cameron will explain the strange crisis that currently faces the public
>email system.  We'll examine some junk email messages, showing
>where spam comes from and how to report it. Finally, we'll talk about
>how to get less spam, what the media aren't telling you about it, and
>what to do about the problem.


We spent too much time on why the email system is in crisis
and who the bad guys are and not enough on what to do.

Spam defense strategy.
There is no super spam filter.  You have to do it in layers.

Layer 1, protect your mailbox.  For consumers and
home business people this means choosing a real
email expert to operate the system that receives
your email from the Internet.  If you are trying to
do real work from home, the email service that comes
with your phone or cable company high speed link
probably isn't good enough.  A competent commercial
ISP will not let much malware into your mailbox, and will
stop 90% of the junk.

If you're running an
email server, subscribe it to a few of the more conservative
Domain Name Service-based Block Lists (DNSBLs).
I like the sbl-xbl.spamhaus.org and njabl.org lists.
Your email server software has a place where you can
tell it which DNSBLs to use.  If you use the programs
tcpserver and rblsmtpd, feel free to copy my list from
http://greens.org/etc/r.txt every few weeks.
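What a DNSBL subscription actually does for each incoming connection, written out as an added example (not code from the original post or from rblsmtpd): reverse the octets of the connecting address, look the name up under each list's zone, and treat a 127.0.0.x answer as "listed". The resolver is injectable so the block runs offline against a constructed table; the second zone name is a placeholder, not a real list.

```python
import socket
from typing import Callable, Optional

# Lookup order: the most conservative list first, as the page recommends.  The first
# zone is the one named on the page; the second is a placeholder, not a real DNSBL.
DNSBLS = ["sbl-xbl.spamhaus.org", "dnsbl.placeholder.invalid"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 198.51.100.23 -> 23.100.51.198.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_answer(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the list's answer code for ip, or None when the address is not listed.
    By convention a listing resolves to an address inside 127.0.0.0/8 and an unlisted
    address gives NXDOMAIN; any other answer means the zone is dead or wildcarded."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    if not answer.startswith("127."):
        raise RuntimeError(f"{zone} returned {answer}; stop using this list")
    return answer

def first_listing(ip: str, zones=DNSBLS,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Name of the first zone that lists ip, or None if no zone does."""
    for zone in zones:
        if dnsbl_answer(ip, zone, resolve) is not None:
            return zone
    return None

# Constructed stand-in for DNS so the example runs offline; the listing is made up.
FAKE_DNS = {"23.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.4"}

def fake_resolve(name: str) -> str:
    if name not in FAKE_DNS:
        raise socket.gaierror(f"NXDOMAIN {name}")
    return FAKE_DNS[name]
```

Drop the resolve argument to query real DNS; a list that has shut down and wildcards its zone would otherwise reject all your mail, which is why the 127/8 check is there.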

Layer 2,  protect your workstation from malware that arrives
in email.  Do not use email programs like MS Outlook Express
or Qualcomm Eudora that are based on or part of web browsers.
Use something reliable like Mozilla Thunderbird or PC Pine
instead.

Layer 3, backups.  Often, spam will contain image files
or "screen saver" programs containing hostile code.
As long as you're using MS-Windows, you're
going to get malware: viruses, trojans, and worms.

Use a backup program to take a snapshot
of your hard drive after you configure or install software
and things look okay.
Take a snapshot of your work files every night.  Be able to
restore your system from the two most recent snapshots.
Your MS-Windows installation is expected to get file system
problems and malware any old time.  That's just how
MS-Windows is.  But if you can just roll it
back to the last time it was happy, that doesn't matter.
This is far more effective than commercial "anti virus"
or "personal firewall" software.  If you make your living
with this computer, invest in a high speed tape drive
or a second hard drive to "mirror" the first.

Layer 4.  Filtering at the workstation.  If you are in business you
cannot afford to miss a single email from a customer, even if the
customer lives on The Planet of Spam.  So the best anybody can
do is give you a high value mailbox and a low value mailbox.
Even if they block 90% of the junk before it gets to your desk,
you're still going to get half junk and half legit, and you need
something to try to sort it into high value and low.

The most effective kind of filter in wide use is called "Bayesian."
When you look at your two mailboxes, the filter marks each message
as "probably junk" or not.  It's usually right.  When it's wrong,
you tell it, and it gets smarter for next time.  If you go to the trouble
of correcting it for the first few weeks it will learn your mail habits
and be right almost all the time.  You'll always have to glance through
the trash before throwing it out, but there will be hardly anything
to fish out.   Most popular email programs have Bayesian
filters now.  Get one and use it.  Get Thunderbird for that feature alone.


Layer 5.  Return fire.  How to report spam.

You can't get "removed" from the spammer lists.  You can't convince
spammers to stop.  (Spammers have mental problems.  Spamming
is an addictive compulsion, as gambling can be.  Don't bother to try
to communicate with them.) You can't get the government to do anything.

But you can complain to the various ISPs that somehow support
the spammers.  They support spammers because not enough people
are complaining.  Now and then you can get something taken
away from a spammer: his web hosting, his zombies, his
mailbox at Hotmail, sometimes his domain name.

Open a few email messages with the "View -> Message source"
feature in your email program.  Or save them as files and open them
with a text editor.  Notice the blob of stuff at the top where the To:
and From: and Subject: lines are.  That blob is called "the headers."

Notice there are a few lines in the blob that begin "Received:",
that are almost the same in all your messages.  Those are the
things you trust.  Then there is one Received: line that varies
a little among the messages.  Most of it is the same, but there
is an IP address and maybe some names that are different in
each message.  That is the magical Received line that shows
where on the Internet the message came from.

Look at the magical Received line carefully.
If it's a spam, you get the temporary IP address of a malware
victim someplace, who doesn't even know his computer is
being misused, or maybe a giant spam server in Korea or Russia.
You also get whatever name the spamware is pretending
to be.  Often they will pretend to be you.  The "Received from"
IP address is reliable.  Ignore the "HELO=" name; that's the lie
the spamware told to your server.  Sometimes he will
try to fool you by announcing himself in HELO as an IP number
instead of a name.  Ignore it.

Then there may be a few more Received lines.  In a legitimate
message, they tell you boring things about the sender's
network environment.  In a spam or malware, they are almost
always fake.  Ignore them.  In a spam, the rule is to ignore
everything the spammer created.
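The walk down the Received lines described above, written out as an added example (not code from the original post): start at the top, believe only the lines stamped by relays you trust, take the connecting address from the first hop that came in from an untrusted host, and ignore the HELO name and everything below that hop. The trusted relay set and the sample spam headers are constructed for illustration, using documentation-range addresses.

```python
import re
from typing import Optional

# Constructed sample headers (documentation-range addresses); the third Received line was
# written by the spamware itself and must not be believed.
SAMPLE_SPAM = """\
Received: from mail.example-isp.net (mail.example-isp.net [192.0.2.10])
\tby mx.example.org with ESMTP id k1A2B3; Tue, 1 Feb 2005 10:00:00 -0800
Received: from unknown (HELO 192.0.2.77) (198.51.100.23)
\tby mail.example-isp.net with SMTP; Tue, 1 Feb 2005 09:59:58 -0800
Received: from you@example.org (10.0.0.5) by smtp.forged.example with SMTP
Subject: cheap watches

body...
"""
# The relays we control or pay for; what they stamped is the part we trust.
TRUSTED = {"mx.example.org", "mail.example-isp.net", "192.0.2.10"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold_headers(raw: str) -> list:
    """Return (name, value) pairs with folded continuation lines joined back on."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def origin_ip(raw: str, trusted: set) -> Optional[str]:
    """Top-down: the connecting IP of the first hop where a trusted relay accepted mail
    from an untrusted host.  HELO names and lines further down are sender-controlled."""
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", value, re.S)
        if not m:
            continue
        from_part, by_host = m.group(1), m.group(2)
        if by_host not in trusted:
            break  # below our relays: the spammer wrote these, stop reading
        ips = IPV4.findall(from_part)
        if not ips or ips[-1] in trusted:
            continue  # internal hop between our own relays
        return ips[-1]  # the address the relay saw, not the HELO claim
    return None
```

On the sample this returns 198.51.100.23, the address to put in the Subject line of your report; the HELO "192.0.2.77" and the 10.0.0.5 line below it are discarded.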

Get a whois program or use Geektools.com's whois form.
Plug the sender's IP address into whois to find the network
that owns it, then forward the spam
to abuse@SBC.com or whatever the appropriate domain is.
(You can look up abuse reporting addresses by domain at
http://abuse.net/lookup.phtml
or run: whois -h whois.abuse.net example.net)

Did the spammer want you to visit his Web site?
Get a traceroute program or use Samspade.org
or DNSstuff.com.   Trace the route to the hostname
in his URL.  Or just grab the IP address out of the
beginning of the traceroute and plug it into Whois.
If it's China or Korea, complain to the US-based
corporation that maintains a link to the Chinese carrier.
You can see who it is: it's the hop where the names stop in the trace.
abuse@Savvis.net or ATT.net or MCI.com or whatever.

Just forward the junk message.  Put the offending
IP address (sender or Web host) in your Subject line.
There is no need for an essay on why spam is bad.

Cameron Spitzer