RMIUG Meeting Minutes - SPAMFest 2000
Dan Murray called the meeting to order
at 7:00. About 40 people were in attendance.
He introduced Art Smoot and Tom Bresnahan
from the RMIUG executive committee.
Next, Dan opened the floor for announcements:
- Eric Payne, a MicroStaff recruiter,
introduced himself and invited all interested
parties to view the available positions
on the MicroStaff web site: http://www.microstaff.com
- Tom Bresnahan reminded Colorado SuperNet
dialup users to check their mail for the
USWest.net CD containing the letter canceling
SuperNet dialup accounts as of Oct 6, first
posted on the RMIUG-discuss mailing list
by Alek Komarnitsky on Sept 11. Many have
already thrown away this CD without realizing
it was a notice of cancellation.
- Jeff Finkelstein email@example.com
announced: I wanted to give everyone an
early alert on two free consumer privacy
products that our company is about to release.
The first is a downloadable toolbar called
Valet that is a P3P-reader, an enhanced
cookie-blocker, and also has server-side
bookmarks and auction search function. The
second product is called PersonaMail, and
is a server-based email spam filtering and
forwarding service. A user will register
for an email address @personamail.com, and
set server-based rules on what email will
be forwarded to their primary email account
(block by sender, domain, or create more
advanced rules). The filtered mail is stored
on our system, and a summary email containing
the from and subject lines of the filtered
emails is sent to the user on a daily or
weekly basis. Please contact me by email
at if you are interested in either of the
two products; I will let you know as soon
as the products are available.
- Marci Bowman/Boulder/Contr/IBM firstname.lastname@example.org
recommended a web page concerning privacy
issues that makes "interesting (and scary)
- The Boulder Community network needs
help and volunteers. Contact Jim Harrington
The first speaker was Charlie Oriez email@example.com,
a leading anti-Spam expert. He has almost
30 years in the I.T. industry, including
over 5 years on the Internet as a web author
and owner and/or administrator for a number
of domains. He is also National Legislative
Chair and past Mile High Chapter chair for
the Association of Information Technology
Professionals. He regularly comments on
spam and other Internet issues for the Information
You don't need to be an expert to fight
Spam has a cost. In a survey of Internet
Service Providers (ISP's) (1):
- 94.0% reported that spam irritates their
subscribers.
- 79.5% reported that UCE (unsolicited
commercial e-mail) slows system performance.
- 75.9% stated that it increases operating
costs.
- 33.7% said it creates system outages.
- 58.5% reported daily or more frequent
impact.
- 28% said weekly impact.
Source: CIX (Commercial Internet eXchange
Association)
Q. How can spam cause a system outage? A.
Excess mail can clog up the mail servers,
preventing non-spam e-mail from getting
America Online testified to the Federal
Trade Commission that one-third of their
capacity was used to carry spam.
Netcom reported that their cost was one
million dollars per year.
Brightline estimated a cost of $225 million,
based on 5 seconds of processing time to
hit the Delete key, with an average of 200
spam messages per year (a very low estimate).
An estimated 25 million spam messages are
sent each day.
What are some of the top lies of spammers?
Lie - They have the right to talk. First
amendment right. Truth - You have the right
Lie - They're just honest businessmen
trying to make a buck. Truth - Most ISP's
have an acceptable use policy (AUP) prohibiting
spam. All users, including spammers, agree
to this policy when they set up an account
with the ISP. If the spammers lie to their
ISP, can you believe what they tell you?
Q. Some marketers set up their own ISP's
to get around this requirement. A. Even
ISP's have to sign with an upstream provider
that they won't spam. Q. What if I buy a
T3? A. IP level service requires the same
Lie - There's no cost if you hit Delete.
Truth - You're still paying for the cost
of the ISP's servers and bandwidth, not
to mention the cost of your time to read
the headers and hit the Delete key.
Lie - You're saving trees with spam. Truth
- Have you ever gotten spam from someone
who previously sent you something on paper?
No. The Sierra Club's position is that it
degrades signal to the point that e-mail
is losing usefulness. They use MAPS to block
spam. Q. What is MAPS? A. It's a set of
databases that ISP's use to block spam.
Q. SB 1618 says this isn't spam because
there's a remove address. A. Two problems
with this. 1) 1618 doesn't define spam,
it just says the message can't have forged
headers. 2) 1618 died 2 years ago.
Q. Should I respond to the spam address
to have my name removed? A. No. You're validating
your address and saying you read spam, so
he can sell at a higher rate. It's probably
not a valid address anyway. Hotmail and
Qwest say never respond to spam.
Spam Law 101. IANAL (I Am Not A Lawyer)
The Colorado anti-spam law CRS 6-2.5-101
was passed Aug 2. You can sue the spammers.
You can't sue in small claims court unless
they're in Colo, and you have to sue in
their county court. Provisions:
- Have to have ADV in Subject, this might
get struck down.
- Can't have forgeries. Handout example
shows invalid return address techspot.com.
- Have to have a valid remove address, but
even a valid address could get killed by
the ISP if they get complaints about spam
from that address.
HR 3113 passed the House, now in Senate.
They might not get to it, not scheduled
for a vote, so not likely to pass in next
three weeks. Any bill that has not passed
when the legislature adjourns in an election
year is dead.
Q. What is your view of Colorado bill
that seems to sanction spam as long as it
has ADV in the header? A. The Colorado bill
says that no ISP can be sued for blocking
spam. Harris (the pollster) met the criteria.
MAPS put them on the list. Harris wasn't
doing single opt in, verifying that you
were the one subscribed.
Q. Are there any cooperative agreements
between states? A. Not that I know.
Some laws are effective, like ISP contracts
that prohibit spam and support services.
I-Bill used to handle credit cards for porn
spammers. I-Bill no longer supports spammers.
- Trespass to chattel. Flowers.com was
forged by a domain in San Diego. The flowers.com
servers were down for 3 days. They sued
and collected from spammer.
Cyberpromo sued AOL on the basis that
they had a monopoly on ads. Didn't work.
Most rogue spammers pay cash for a cheap
account, spam for 24 hours, then get out.
Most find open servers that aren't secure.
Open to mail that anyone sends.
Things your ISP can do to fight spam:
- Have an AUP, acceptable use practices
(contract). If you breach the contract, you
agree to pay $50 per complaint and cleanup
costs per bounce received. Cancellation of
a spammer should be as fast as possible.
If the ISP takes its time, you'll get a
reputation with spammers that you're
friendly.
- RBL, DUL and RSS are databases supported
by MAPS (spam spelled backwards), the Mail
Abuse Prevention System. RBL blocks traffic
to 40% of the Internet. It's a list of IP
addresses of spammers.
- RSS is the Relay Spam Stopper. 17% of
mail servers are insecure. RSS is an open
server list that is verified. MAPS will
send email to postmaster@badserver saying
that mail is being blocked, here's how to
fix it. MAPS checks RSS, RBL. Redmond WA.
If you make an unverified complaint and
the ISP doesn't respond, you should call
the ISP next. RSS is more technical because
they can test the open relay.
- DUL is the DialUp List. The ISP's provide
a list of IP's that will never send valid
e-mail.
- ORBS works like the RSS relay detector
with a difference: ORBS will list open
relay servers even if spam isn't sent
through. ORBS checks a lot, and ISP's may
consider this abuse of network and block
ORBS. If you block ORBS, they will list
you as a
Q. Are there more insecure servers because
of Linux? A. I don't know.
Things NOT to do:
- Don't respond to Remove.
- Don't mail bomb. Don't assume address
on spam is where it's from.
- Don't buy
Things you can do:
- Complain effectively.
- Find an ISP that uses MAPS. I get 3
spams per week from Nilenet vs 10 a day
from RMI.
- Protect your email address. Don't give
a valid address. Don't use a made up
address, it may exist. Use firstname.lastname@example.org
when giving an address. Use a throwaway
address on Usenet newsgroups.
- Always uncheck the consent to spam boxes
on signup forms.
How to complain effectively:
- Spam cop generates complaint emails with
expanded headers. It's gotten a lot better.
- Sam Spade is his favorite (Windows based).
- Combat is an online version of Sam Spade.
- Abuse.net (Internet for dummies guy runs
this). He maintains a list of correct
addresses to complain to. If you send a
complaint to email@example.com, it is
forwarded to the right address.
Download the PowerPoint slides for this
presentation at: http://oriez.org/spam.ppt
The next speaker was Geoff Mulligan firstname.lastname@example.org,
CEO of Interosa. He is an experienced leader
in developing new technologies. Before joining
Interosa, Geoff was a founder and senior
engineer for Geocast Network Systems where
he was focused on system software and network
design. Prior to that, while at Sun Microsystems
as a Senior Staff Engineer he was the principal
architect for Sun's premiere firewall product
- SunScreen and a founding member of the
Internet Commerce Group. While on a sabbatical
from Sun, Geoff helped start USA.NET, a
global eMessaging Service Provider. Prior
to joining Sun, Geoff worked at Digital's
Network Systems Laboratory developing the
DEC SEAL firewall, developing Networking
courseware and researching email issues.
Before working at Digital, he spent 11 years
in the Air Force working at the Pentagon
on computer and network security, building
local and wide area networks and teaching
computer science at the Air Force Academy.
Geoff received a master of science degree
in Computer Information Systems from the
University of Denver and a bachelor of science
degree in Computer Science from the United
States Air Force Academy. He authored the
book "Removing the Spam" and holds patents
in network security and electronic mail.
Spam is like junk mail that you have to
pay for (with postage due). It doesn't cost
a spammer much, just pennies to send
millions of messages. They use dictionary
attacks, like name in the book at aol.com
and sun.com just to get two hits. So they
don't care if they waste bandwidth.
Definitions: UCE - unsolicited commercial
mail. UBE - unsolicited bulk mail. There's
nothing for sale, but they may be trying
to get you to do something.
Spam used to mean crossposting to different
Usenet newsgroups where it shouldn't be,
like posting a UNIX question in a Windows
group. The first case of spam was a DEC
sales person who decided to send it to ARPAnet.
If you're interested in DEC computers give
him a call. He sent 3000 messages in 1975.
The green card lawyers in Arizona crossposted
to 5900 newsgroups. They were roundly chastised,
then they went on the book tour. Now they
are disbarred for another reason; they didn't
do what they advertised.
Usenet software started blocking crossposting,
so spammers came up with using email instead
with open relay servers. They can send one
2K message with 1000 addresses, and the
ISP has to send out 2 MB worth of messages.
Half the messages are not valid, so they
bounce back to the server, slowing it to
a crawl. It happened to me when I was working
for an ISP in Maryland, but I was in Colorado.
I researched what to do to prevent it, and
wrote the book.
Q. How will it affect companies like MessageMedia
that send lots of permission based e-mail?
A. Send messages round robin to several
mail servers at one company so you don't
hit the timer limit. Sendmail can limit
number of addresses in each message.
Stopping spam starts with you. Don't have
open relays. The original version with Solaris
was an open relay. Linux - Red Hat current
versions have newer sendmail so it blocks
open relays by default.
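The relay decision described above, as an added example that is not from the talk or from sendmail's code: an open relay accepts any recipient from any client, while a closed one relays only for its own networks and caps recipients per message. The domains, address ranges and the cap of 25 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RelayPolicy:
    local_domains: frozenset   # domains this server delivers for
    relay_nets: tuple          # networks allowed to send outbound mail through it
    max_rcpts: int             # cap on accepted recipients per message (assumed value)
    open_relay: bool = False   # True models the insecure "relay for anyone" setup

    def rcpt_reply(self, client_ip, rcpt, accepted_so_far):
        """Return the SMTP reply code for one RCPT TO command."""
        if accepted_so_far >= self.max_rcpts:
            return 452                      # too many recipients
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return 250                      # inbound mail for our own users
        client = ipaddress.ip_address(client_ip)
        if self.open_relay or any(client in net for net in self.relay_nets):
            return 250                      # outbound relay for a known client
        return 550                          # relaying denied


def session(policy, client_ip, rcpts, msg_bytes=2048):
    """Replay one message's RCPT TO list; return (accepted, refused, fan-out bytes)."""
    accepted, refused = [], []
    for rcpt in rcpts:
        code = policy.rcpt_reply(client_ip, rcpt, len(accepted))
        (accepted if code == 250 else refused).append(rcpt)
    return accepted, refused, msg_bytes * len(accepted)


# Constructed test data: documentation address ranges and example domains.
CUSTOMERS = (ipaddress.ip_network("192.0.2.0/24"),)
LOCAL = frozenset({"isp.example"})
OPEN = RelayPolicy(LOCAL, CUSTOMERS, max_rcpts=10**6, open_relay=True)
CLOSED = RelayPolicy(LOCAL, CUSTOMERS, max_rcpts=25)
BULK = [f"user{i}@elsewhere.example" for i in range(1000)]  # one 2K message, 1000 addresses

if __name__ == "__main__":
    for name, policy in (("open", OPEN), ("closed", CLOSED)):
        ok, no, size = session(policy, "203.0.113.9", BULK)
        print(f"{name}: outside client relayed to {len(ok)} rcpts, {size} bytes sent on")
    ok, no, _ = session(CLOSED, "192.0.2.10", BULK)
    print(f"closed: customer relayed to {len(ok)}, refused {len(no)} over the cap")
    ok, _, _ = session(CLOSED, "203.0.113.9", ["postmaster@isp.example"])
    print(f"closed: inbound mail for a local user accepted: {bool(ok)}")
```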
As soon as an anti-spam book comes out,
spammers come up with a way around it. Get
the latest version of whatever you're using,
like sendmail 8.11.0.
Turn on anti-spam options like RBL (Realtime
Blackhole List). RBL is supported by sendmail
8.10 and 8.11. The original Blackhole list
used routing tables that routed packets
to a black hole. This was an effective way
to stop access to their web site, mail,
ftp, everything. An easier way is to block
it in sendmail, and the spammer gets a bounce
saying we don't accept mail from you. You
used to have to maintain your own list,
but now that it's maintained, it's easier
to get the good ones off the list, get the
new ones on the list.
Q. How big is the RBL? A. Thousands. The
open relay list is 50,000.
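How a mail server consults a maintained blackhole list over DNS, as an added example that is not from the talk or from sendmail: the client's IPv4 octets are reversed and looked up under the list's zone, and an answer in 127.0.0.0/8 means "listed". The zone names and zone contents are constructed placeholders, and the last function shows why a hand-kept local copy keeps refusing an address after the maintained list has removed it.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_lookup(name):
    """Live resolver: an A record means listed, a failed lookup means not listed."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_client(ip, zones, resolve=dns_lookup, local_blocks=frozenset()):
    """Return (SMTP code, reason) for a connecting client address."""
    if ip in local_blocks:
        return 550, "local list"
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # Listed addresses conventionally resolve inside 127.0.0.0/8.
        if answer and answer.startswith("127."):
            return 550, zone
    return 250, "not listed"

def delist(published, ip, zone):
    """Copy of the zone data with one entry removed, as after a relay is fixed."""
    return {k: v for k, v in published.items() if k != dnsbl_name(ip, zone)}

# Constructed zone contents standing in for a maintained list (placeholder zones).
ZONES = ("rbl.example", "relays.example")
PUBLISHED = {
    "9.113.0.203.rbl.example": "127.0.0.2",
    "77.100.51.198.relays.example": "127.0.0.2",
}

if __name__ == "__main__":
    print(check_client("203.0.113.9", ZONES, PUBLISHED.get))
    print(check_client("192.0.2.1", ZONES, PUBLISHED.get))
    fixed = delist(PUBLISHED, "198.51.100.77", "relays.example")
    # The maintained list now accepts the repaired server...
    print(check_client("198.51.100.77", ZONES, fixed.get))
    # ...but a stale local entry for the same address still refuses it.
    print(check_client("198.51.100.77", ZONES, fixed.get, {"198.51.100.77"}))
```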
Filtering on the server (like procmail) is
better than filtering on your end.
Educate users. Teach what it means to
be a spammer. The e-mail about the little
boy who needs get well cards was a hoax.
This type of mail, and chain letters are
spam. You've got to pass it on to see the
flying horse on the screen. Bill Gates will
not donate money if you forward spam.
Q. What is the response rate? A. Since
it only costs a spammer $10 to send spam,
a one out of a million response is enough
for them to make money.
Spammers should have to find those who
want to see spam. Some people do buy from
What you should do when receiving spam:
- Don't respond.
- Don't attack them back. Could mail bomb
the wrong person.
- Do report them to MAPS or Abuse@isp.address.
See also http://www.abuse.net.
After this section of the talk, Dan gave
away a copy of Geoff's book, courtesy of
SoftPro (http://www.softpro.com).
The third speaker was Steve Senator email@example.com.
He has over 25 years experience in computing,
having served as a programmer (scientific,
systems, and network programming), analyst/programmer,
systems and scientific systems analyst,
systems and network architect, fault tolerant
system designer, project leader, independent
consultant, teacher and engineering manager.
Steve's professional passion is problems
of fault tolerant system design, the inception
of which was his work on whole operating
system checkpoint-restart mechanisms at
Tandem Computers. Recently, Steve has applied
lessons learned there to file system hardening
at Sun Microsystems, on virtual private
networking at the Granite Canyon Group,
and as a consultant on numerous Internet-enabled
projects. Steve holds six patents, chiefly
in the area of file systems and device drivers.
Steve holds a bachelor of arts degree in
geological sciences from the University
E-mail is the most widely used application
on Internet. In 1969 people were sending
files. SMTP grew out of this. Protocols
at that time were trusting. The community
was different then than now.
E-mail protocols lacked:
- Integrity to detect modification of data.
- Identification to label originators and
recipients.
- Authentication to verify identity.
- Privacy to recode content for authorized
parties only. (Note: this is not the same
as confidentiality.)
- Non-repudiation to certify message
composition, transport, and receipt.
Efforts to add these features to e-mail
include:
- Privacy Enhanced Mail (PEM).
- Multipurpose Internet Mail Extensions
(MIME).
- MIME Object Security Services (MOSS).
- Pretty Good Privacy (PGP, OpenPGP).
- Secure MIME (S/MIME).
Security features are not necessarily
convenient. PGP only had a 50% adoption
rate at a university where it was mandated.
Secure MIME is gaining some ground.
Convenience and Security. Bruce Schneier
quote: "Given a choice between dancing elephants
and security, most people will choose dancing
elephants." People will choose features
and convenience over security. However,
Ben Franklin said: "Those who prefer security
to freedom are destined to achieve neither."
Server-based protocols exist to build in
trust.
- DNSSEC (RFC 2535, March 1999) - to
construct the "web of trust" of SMTP
servers
- Secure SMTP (RFC 2487, Jan. 1999) - to
implement transport security
These aren't widely used. They are brought
down by Least Common Denominators. People
want to communicate with untrusted sources.
Products: The only one is Wietse Venema's
Postfix (open source).
The Zen of combating spam: It's not products
or technology, the community needs to be
Social protocols
- MTA filtering MAPS ORBS
- Mail storage mailbox filtering. Implement
at server level
- MUA filtering - Mail User Agent like in
Outlook.
Public DNS Spam Anecdotes
- Public DNS servers have to adhere to AUP
(Acceptable Use Policy). No money is
collected, but it's not acceptable to send
spam.
- These servers redirect all web traffic to
anti-spam resource pages such as the
Coalition Against Unsolicited Commercial
E-mail ( ) and the Federal Trade Commission
(http://www.ftc.gov).
- There are approximately two spam incidents
Spammers are trying to establish a brand
with a domain name. Public DNS sends a message
to any domain name referred to in spam.
If a domain moves to another provider,
TTL (time to live) is set to 6 months.
Create anti-spam communities by talking
to upstream providers, talk to friends,
other fighters, post anti-spam web pages.
References:
- Crocker: "Internet Data Object Security"
(http://www.brandenburg.com/articles/datasecurity/)
- IBM AlphaWorks, "SecureMail".
- David Brin, "The Transparent Society".
This book details how society must change
in a networked world. Basically he says to
let everyone see his stuff, but charge them
for it or at least notify him.
- Lawrence Lessig, "Code and Other Laws of
Cyberspace". Source code can regulate our
cyberspace activities more thoroughly than
any law.
- Amitai Etzioni, "The Limits of Privacy".
He says that the FBI should be able to
override privacy if reading encrypted
messages would prevent a terrorist attack
like the Oklahoma City
Read Woody's Office Watch to see what
Microsoft is doing with your Passport ID
in the Save My Setting wizard. ( http://www.woodyswatch.com/office/archtemplate.asp?5-n17
Trivia question: What is the origin of
the word spam? It's from the Monty Python
skit about a restaurant where everything
is spam and it drowns out everything else.
Q. Any good filtering clients? A.
- Eudora has good filtering.
- Outlook Express has a learning feature.
But you can't be sure what it's focusing on.
- Spam Buster is a good tool. You should
have a way so you can check to see what
it's doing.
- Spam Blocker (Windows). Procmail under
Linux, Unix. Not easy, but a good tool.
Q. Jeff Finkelstein firstname.lastname@example.org
announced that his company is coming out
with a server tool for filtering spam. Sign
up for a throw away account that will keep
all your e-mail and send you just the headers.
A. Geoff - The problem with client side
software is that it has to come all the
way across the Internet.
Charlie - There was an IP address that was
used by an old spammer. A new company came
in that used that IP address. Local lists
aren't cleaned up as often, so if an IP is
reused, it could be a valid non-spammer.
POP or IMAP read the headers first and use
that to filter so it uses less bandwidth.
Steve - A filter should look at the header
and content on the server side so you don't
have to download them all. You'll want to
check for rules that are used for the
filter. If you filter for "!!!!!", and a
friend uses lots of exclamation points,
his mail won't get through, so you may
need to modify the rules.
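A server-side filter of the kind discussed above, as an added example that is not part of the minutes or any product mentioned in them: it holds mail by sender, domain or subject rule, and its digest names the rule that fired so a false positive such as the "!!!!!" case can be found and fixed. The addresses, rule names and mailbox contents are constructed for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def build_rules(senders=(), domains=(), subject_markers=()):
    """Return ordered (name, predicate) pairs; predicates take (addr, domain, subject)."""
    rules = []
    for s in senders:
        rules.append((f"sender:{s}", lambda a, d, subj, s=s: a == s))
    for dom in domains:
        rules.append((f"domain:{dom}", lambda a, d, subj, dom=dom: d == dom))
    for mark in subject_markers:
        rules.append((f"subject:{mark}", lambda a, d, subj, mark=mark: mark in subj))
    return rules

def classify(raw, rules, allow=frozenset()):
    """Parse headers only and record which rule, if any, holds the message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "")
    record = {"from": addr, "subject": subject, "rule": None}
    # The From header is sender-supplied and can be forged; the allow list
    # is a convenience for known correspondents, not an identity check.
    if addr not in allow:
        for name, matches in rules:
            if matches(addr, addr.rpartition("@")[2], subject):
                record["rule"] = name
                break
    return record

def run_filter(mailbox, rules, allow=frozenset()):
    """Split a mailbox into (forwarded, held) records."""
    forwarded, held = [], []
    for raw in mailbox:
        rec = classify(raw, rules, allow)
        (held if rec["rule"] else forwarded).append(rec)
    return forwarded, held

def digest(held):
    """Summary of held mail: From, Subject, and the rule responsible."""
    lines = [f"{len(held)} message(s) held:"]
    for rec in held:
        lines.append(f"  From: {rec['from']} | Subject: {rec['subject']} | rule {rec['rule']}")
    return "\n".join(lines)

# Constructed sample mailbox (not real traffic).
MAILBOX = [
    "From: Deals <promo@bulk.example>\nSubject: ADV: Make money fast\n\nBuy now.\n",
    "From: Pat <pat@friend.example>\nSubject: We won the game!!!!!\n\nSee you Friday.\n",
    "From: list@rmiug.example\nSubject: Meeting minutes\n\nAttached.\n",
    "From: offers@blocked.example\nSubject: hello\n\nLimited offer.\n",
]
RULES = build_rules(["offers@blocked.example"], ["bulk.example"], ["!!!!!"])

if __name__ == "__main__":
    _, held = run_filter(MAILBOX, RULES)
    print(digest(held))                       # Pat's mail is held by subject:!!!!!
    _, held = run_filter(MAILBOX, RULES, allow={"pat@friend.example"})
    print(digest(held))                       # after allowing Pat, only two are held
```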
People in newsgroups use xxxNOSPAM@xxx.com
for their return address, with the instruction
to delete the "NOSPAM" to respond.
You could get a free geographic domain
like yourname.boulder.co.us, and use different
addresses in different newsgroups and mailing
lists to track where the address is harvested.
Q. Does the anti-fax law apply to spam?
A. Probably not according to the legals.
- Fighting spam is not about content.
However a lot of the content is illegal.
If you get spam selling pirated copies of
Microsoft programs, send it to Microsoft
so they'll go after the spammer. If you
get a spam with a "pump-and-dump" stock
scheme, complain to the SEC. Chain letters
that have you send a buck are violations
of US Postal Service law. They have a web
form to report this. (http://www.framed.usps.com/websites/depart/inspect/fraud/MailFraudComplaint
Dan adjourned the meeting at 9:00 pm.
Respectfully submitted by Tom Bresnahan.