Technology Utilities Council
Spam Discussion
12-SEP-2002

I) Background

The TSC receives user inquiries on a regular basis about spam e-mail: "Why am I receiving this? Can you make it stop?" etc. We also see the consequences of spam e-mail in our mail processors, with periodic large queues caused by "bounced" e-mail that the system tries to return to the spammers at their fake addresses.

To address this item, there are some "spam guards" that we can put in place on the new IUP.EDU e-mail server. Basically, we reference some formal sites that track spammers and related open mail relays. Mail from these sites is then bounced with a message stating that the site is block listed for spam and providing an IUP e-mail address where they can write if needed to discuss this issue with us.

In our lower volume early summer period, we completed some experiments with the spam guard on IUP.EDU and monitored both the bounce logs and the follow-up inquiries that we received. With a spam guard, we now believe that we would "bounce" at least 11,000 spam messages a day (one spam message may actually be delivered to many IUP e-mail addresses). In our experiments, .00005% of the bounces prompted an inquiry.

II) Implications

The implementation of spam guards would result in a substantial reduction in spam e-mail received by IUP accounts; it will not eliminate all spam. The proposed spam guards (detailed in the Technical Details section below) can be implemented with minimal expense. The downside of such an implementation is the possible rejection of legitimate e-mail.

III) Technical Details

The proposed approach for IUP spam guards is to use real-time block lists that identify known spammers and open relays. Using these lists, messages are rejected at the SMTP level based on the IP address of the sender's e-mail server.
With this model, the message is never accepted and the contents of the message are never examined by the server (i.e. the envelope is never opened).

The block lists proposed by the TSC were identified based on e-mail administrator experience and feedback from other administrators trying to address the same issues. There are two lists. For open relays, we will use www.ordb.org (http://www.ordb.org/). For spam, we will use www.spamhaus.org (http://www.spamhaus.org/). Each of these sites has more detailed information on its web page.

Spamhaus describes their service as follows:

The Spamhaus Block List (SBL) is a free realtime DNS-based database of IP addresses of verified spammers, spam gangs and spam support services. The SBL is used by ISPs and corporate networks worldwide to protect customers and mail servers from persistent spammers and currently protects the mailboxes of an estimated 80 million Internet users.

The block list is built based on a database of known hard-line spam operations ("spam gangs") that have been thrown off Internet Service Providers 3 times or more. We believe these few determined spammers are responsible for 90%+ of current spam on the Internet. This database collates information and evidence on each gang to assist ISP Abuse Desks and Blocklist maintainers.

SpamHaus uses a "3 strikes" register. They don't list inadvertent spammers or newbie marketing departments spamming 'by mistake'. To get to 3 strikes (i.e. 3 terminations for spam offences) requires a determined spam outfit. Being thrown off an ISP takes a lot of doing; nobody is thrown off ISPs without having been given ample warnings and chances to stop violating the ISP's Terms of Service. Being thrown off ISPs *twice* for the same offence means the spammer is determined, knows the consequences, and has signed up to a new ISP with the intention of breaking the ISP's Terms of Service.
Being thrown off *three* ISPs for the same offence means the spammer is a committed hard-line spam operation that regards all ISPs as simply throwaway resources. These are the outfits that end up in SpamHaus. Their existence, methods and history are need-to-know information for the ISP industry.

ORDB.org is an Open Relay Database which stores IP addresses of verified open SMTP relays that are, or are likely to be, used as conduits for sending unsolicited bulk email.

Using these sources, messages are rejected at the SMTP level based on the IP address of the sender's e-mail server. The rejection is done at the SMTP level, so it is either ON or OFF for the entire IUP mail server. As noted in the Background section above, messages in this category are returned to the sender with a message that notifies the sender that their server is block listed for spam and provides an IUP e-mail address where they can write if needed to discuss this issue with us. Follow-ups to the IUP postmaster would typically result in directing the person to have their e-mail administrator contact spamhaus or ordb to be removed from the block lists.

At this time, the only option for doing user by user spam filtering is via the use of rules on the IUP.EDU server. Such rules, however, will become very complex and will require on-going maintenance to address the creative approaches of the spammers.

Implementation of the block lists can be accomplished with minimal implementation effort and moderate on-going effort to monitor any follow-up inquiries from the bounces. A future option to implement user by user choices for spam guards may be possible, but such an undertaking will require high implementation and operational support and would need to be a TUC project. Moreover, such a project would also involve content filtering, where the envelope is opened and messages are rejected based on certain content within the message.
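The SMTP-level block list check described under Technical Details, as an added example that is not part of the original TUC document: the sending server's IP address is looked up in each DNS-based list and the reply is decided before any message content is accepted. The zone names, the contact address, the choice to answer at the recipient stage and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumed DNS zones for the two lists; confirm against each provider's docs.
ZONES = ("sbl.spamhaus.org", "relays.ordb.org")
CONTACT = "postmaster@example.edu"          # placeholder contact address
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample data standing in for live DNS answers.
SAMPLE_DNS = {
    "10.113.0.203.sbl.spamhaus.org": ["127.0.0.2"],   # listed sender
    "7.100.51.198.relays.ordb.org": ["192.0.2.1"],    # bogus non-127/8 answer
}


def dnsbl_name(client_ip, zone):
    """Query name for an IPv4 client: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name; [] on NXDOMAIN or any lookup failure (fails open,
    so a block list outage delays no mail but also blocks none)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def rcpt_reply(client_ip, resolve=system_resolver, zones=ZONES):
    """SMTP reply for the connecting server's IP, decided before DATA so the
    message body is never accepted or read."""
    for zone in zones:
        answers = resolve(dnsbl_name(client_ip, zone))
        # Only answers inside 127.0.0.0/8 mean "listed"; others are ignored.
        if any(ipaddress.ip_address(a) in LISTED_NET for a in answers):
            return 550, (f"5.7.1 {client_ip} is block listed for spam "
                         f"({zone}); contact {CONTACT}")
    return 250, "2.1.5 OK"


def sample_resolver(name):
    """Offline resolver backed by the constructed sample data above."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, rcpt_reply(ip, resolve=sample_resolver))
```

Because the decision uses only the connecting IP address, it applies to every recipient on the server alike, which is why the document describes the guard as either ON or OFF for the whole mail server.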

TUC Document for ACPAC & ACOC Review