Earlier this year, the Australian division of the Coalition Against Unsolicited Bulk Email (CAUBE) revealed that the volume of spam in 2001 increased six-fold over that for 2000.

It also showed that record levels were seen over the Christmas 2001/January 2002 period, and the first 10 days of January 2002 witnessed a spam volume of almost 30 percent of the total for all of 2000.

Undoubtedly, spam is frustrating a huge number of Internet users, from webmasters (who are often wrongly blamed for sending spam) to just about everyone with an email account. Part of the reason for this upsurge is that in recent months the methods used by spammers have become more sophisticated and harder to detect.

How Does Spamming Work?

Spammers mail in bulk, programmatically, but first they need to obtain email addresses. One simple way that they do this is by joining a mailing list and gathering addresses from the mailing list software. They may also buy mail lists from other spammers, often supplied in their hundreds of thousands on CD-ROMs. Once an email address has been harvested it will probably be copied around for years.

Other spam offenders use special software called spambots to automatically scour newsgroups for addresses and web pages for 'mailto' links. Some spammers also use software to guess likely email addresses. Messages informing the reader to reply to the mail with a subject of "REMOVE," to prevent further postings, represent a cynical ploy to validate 'live' addresses.

Remaining anonymous is key to a spammer's success since most ISPs will close culprits' accounts when they receive complaints regarding spam. For this reason, spammers will seek to obscure their identity by exploiting open mail relays, so that the origin appears to be the intermediate server. In order to trace the spammer, the unwitting relay owner may need to be made aware of the activity. However, some sites are either reluctant to act or willingly abet spammers. Furthermore, even when spammers are identified and an ISP removes their account, they will often open a new one immediately and carry on their activities.

Many system administrators have become wise to the tricks of the spammer and have configured mail servers accordingly. However, the war has escalated as spammers have discovered the capability of using common web mail form handling utilities as open relays. Many sites provide form applications such as MAILTO.EXE and the enhanced FormMail perl script to allow users to construct forms, the input to which can be automatically forwarded to a specified email address for collecting information.

A simple spam application can automatically forward mail to any number of email addresses using the form handlers. Furthermore, the spammer can fake the "From" address. Recipients will not have any record of the sender's IP address, although this may be logged on the web server. Even if it is stored, tracing back will more than likely lead no further than some anonymous HTTP proxy. This development may account for some of the recent upsurge in spam volumes.

In addition to attempts to hide behind intermediaries, spammers also use numerous URL disguise techniques to foil trace attempts.

Counter-measures

There are a number of ways to counter spam and there is a role for all people within an organization to play - from the everyday desktop user to the network manager.

The place to start should be your access point to the Internet. Many ISPs and ASPs adhere to codes of practice set by their professional bodies, so when selecting an ISP check for membership of the international Internet Service Providers Association (ISPA) to be assured of at least some level of spam filtering.

You can also protect yourself against known spam offenders. The Mail Abuse Prevention System (MAPS) project (http://mail-abuse.org) maintains a list of hosts and networks known to either tolerate or support spammers. A mail server can be configured to perform a domain name system (DNS) query to determine the spam status of an IP address and if is listed, then bounce the email. This not-for-profit service provides some protection against spammers but it cannot achieve 100 percent effectiveness as spammers move rapidly from account to account and from ISP to ISP.

Most spam filtering systems use blacklists, where mail from known offending addresses or with certain text patterns is rejected. This is partially effective and requires a sustained ongoing effort to maintain. An alternative approach involves the whitelist, where only mail originating from known 'bona fide' addresses is accepted. This can be highly effective in reducing spam, but at the expense of rejecting or delaying a proportion of legitimate mail. However, to the chagrin of whitelisters, spammers have recently responded by spoofing real sender addresses. Thoughts now turn to whitelisting mail relays rather than From: addresses.

If your SMTP server can accept incoming TCP connections, it can be used by spammers as a mail relay engine to send a copy of a message to hundred or thousands of addresses. To prohibit unauthorized relaying, only internal network addresses or authorized domains should be able to use the server to relay mail to the Internet. The technical configuration details differ from mail product to product, but a comprehensive list of instructions and limitations can be found on the MAPS web site.

Webmasters can evade the unwanted attentions of spambots, harvesting email addresses by replacing HTML Mailto tags with other means of displaying the address. For example, the "@" symbol can be replaced by &#064. This may fool most spambots, but better approaches include the use of HTML tables or pull-down menus in conjunction with Javascript.

Webmasters running the FormMail perl script should upgrade to version 1.9, which performs some checks on the recipient address in an effort to combat spamming. They would also be well advised to check out several ways in which these defenses can be circumvented (see for example, www.itsecurity.com/papers/rfg1.htm). Most emphatically, FormMail should not be run on a server alongside any kind of auto-responder, as this can be exploited to launch an untraceable mail-bombing attack against some third party.

Users can protect their privacy by exercising great care about revealing their corporate email address on the web. A separate personal address can be used specifically as a lost cause account. Given the increasing prevalence of spam, there may be a very good case for specifying this condition in the corporate email usage policy. If a user should fall prey to the spammer, the last thing they should do is reply to the email: this merely confirms that the account is live.

Various desktop products exist on the market, but their effectiveness and immediacy are questionable. Ideally a solution needs to sit at the SMTP gateway or on a proxy. Here no single silver bullet will suffice: a battery of technical measures is needed to combat spam in a comprehensive manner.

Legislation

Anti-spam legislation has at last begun to be drafted. In December 2001 the European Union Council voted to ban the use of electronic mail for advertising, without the prior consent of the recipient. It also prohibited the practice of disguising or concealing the identity of electronic mail senders and recommended that all electronic mail should require a valid address for opting out of future communications.

These measures are likely to become law later this year but undoubtedly there will always be those who ignore them and the legislation will prove difficult to police. In other words, the menace of spam is not going to go away and organizations should do all they can to protect themselves.

Pete Simpson is ThreatLab manager at Clearswift (www.clearswift.com).