How Spam Works - Essay Example

Summary
This essay "How Spam Works" focuses on spam which has been defined as "unsolicited commercial electronic messaging", embracing email, mobile text messaging, and some other electronic messaging. The methods employed by spammers to exploit the e-mail differentiate…

Extract of sample "How Spam Works"

Security Topic Analysis Assignment - Spam Email

Spam Overview

According to Australian legislation on spam, spam is defined as "unsolicited commercial electronic messaging", embracing email, mobile text messaging (SMS) and some other electronic messaging. The methods spammers employ to exploit e-mail vary. First, it must be said that e-mail operates on the Simple Mail Transfer Protocol ("SMTP") (Klensin, 1995). The protocol was written in 1982 (Postel, 1982), when the problem of spam had not yet emerged, so it was not designed with spam in mind. It provided no way to authenticate users or verify their identity, and it made no guarantee of message privacy or integrity. The only way recipients could determine the source of spam was to rely on the "From:" field and the "Received:" headers (Internet Engineering Taskforce, 2001). A sample, taken from Stopping Spam, is shown below:

    From you@earth.solar.net Sat May 9 12:40:45 1998
    Received: from jupiter.solar.net (jupiter.solar.net [1.4.4.7])
        by pluto.solar.net (8.8.7/8.8.7) with SMTP id KAB00332 for ;
        Sat, 9 May 1998 12:40:45 -0600
    Received: from earth.solar.net (earth.solar.net [1.4.4.4])
        by jupiter.solar.net (8.8.8/8.8.8) with SMTP id MAA00395 for ;
        Sat, 9 May 1998 12:40:40 -0600
    Date: Sat, 9 May 1998 12:40:30 -0600
    From: you@earth.solar.net
    To: Chris
    Subject: Steel Pulse concert date
    Message-ID:
    X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
    X-UIDL: 179c97f481a77a5da1a8109409a00afe

    Hi Chris!

(15)

The "From:" field is the most noticeable way to identify the sender, but it is also a very unreliable one, because the message sender can easily make it up (Lentczner, 2003). Spammers rarely put an address at which they can be found in the "From:" field; usually the address has either been forged or is the e-mail address of someone else. The "Received:" headers are a more obvious way of disguising spammers.
A "Received:" header is added by each host that relays the message from its source to its eventual destination. Each of these headers contains the name and address of the system that relayed the message, as well as the name and address of the system that just passed it the message. Spammers are not able to prevent intermediary systems from adding these headers, but the headers provide only minimal protection, because a thorough examination of the "Received:" headers is required to identify the real source of the message.

There are two popular techniques used by spammers to confuse message recipients: using open relay sites (Yahoo! Anti-Spam Resource Center, 2004) to send messages, and adding "Received:" headers of their own creation when sending a message. Open relay sites are servers that allow unknown computers to use them to send e-mail messages. Mail can be traced back to these relays, but it is unlikely that the relay operator will be able to identify the system that passed it the message. While servers that allow relaying are becoming less common as a result of the spam problem, they still exist and are well known to spammers. These relay sites are often blacklisted, meaning that certain ISPs will not accept messages from them. While this is helpful, it has the effect of blocking not only spam but also legitimate messages from other senders that may depend on the relay for mail transport.

The second technique is the adding of bogus "Received:" headers. However, this technique is not as effective as the first one. The bogus headers usually contain errors, and they are not able to prevent the addition of accurate "Received:" headers. This means that the recipient can believe the header that his own server added (jupiter.solar.net in the example) and work back from one header to the next, checking at each step whether the server is one he trusts.
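The trace-back described above can be mechanized. The following Go program is an added example, not code from the essay or its sources; the host names, addresses, message ids and the table of known relay addresses are constructed. It goes one step beyond the text by accepting an older header only when the hop above it logged that relay's known IP address, since a bogus header can carry any host name.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample: two genuine hops above a bogus header added by the sender.
const sampleMsg = `Received: from relay.isp.example (relay.isp.example [198.51.100.7])
 by mx.corp.example with SMTP id AAA00001; Sat, 9 May 1998 12:40:45 -0600
Received: from mail.bank.example (dialup-22.isp.example [203.0.113.22])
 by relay.isp.example with SMTP id BBB00002; Sat, 9 May 1998 12:40:40 -0600
Received: from internal.bank.example (internal.bank.example [192.0.2.10])
 by mail.bank.example with SMTP id CCC00003; Sat, 9 May 1998 12:39:00 -0600
From: service@bank.example` + "\n\n"

// Hop is one "Received:" header: the peer that connected and the host that logged it.
type Hop struct{ FromHost, FromIP, ByHost string }
// Trace: Origin is the peer IP logged by the last genuine relay; the rest count headers.
type Trace struct{ Origin string; Trusted, Unverified int }

var receivedRe = regexp.MustCompile(`(?i)^from\s+(\S+)\s+\([^)]*\[([0-9a-f.:]+)\]\)\s+by\s+(\S+)`)

// parseHops returns the hops newest first, the order they appear in the message.
func parseHops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	var hops []Hop
	for _, v := range msg.Header["Received"] {
		h := Hop{} // stays empty, and so untrusted, if the header does not parse
		if m := receivedRe.FindStringSubmatch(v); m != nil {
			h = Hop{strings.ToLower(m[1]), m[2], strings.ToLower(m[3])}
		}
		hops = append(hops, h)
	}
	return hops, nil
}

// traceOrigin walks back from our own server's header (self), accepting an older
// header only if the hop above it logged that relay's known IP as its peer.
func traceOrigin(hops []Hop, self string, relayIP map[string]string) Trace {
	var t Trace
	for i, h := range hops {
		genuine := i == 0 && h.ByHost == self
		if ip, known := relayIP[h.ByHost]; i > 0 && known {
			genuine = ip == hops[i-1].FromIP
		}
		if !genuine {
			t.Unverified = len(hops) - i // this header and all older ones may be forged
			break
		}
		t.Trusted++
		t.Origin = h.FromIP
	}
	return t
}

func main() {
	hops, err := parseHops(sampleMsg)
	if err != nil {
		panic(err)
	}
	relays := map[string]string{"relay.isp.example": "198.51.100.7"} // constructed
	fmt.Printf("%+v\n", traceOrigin(hops, "mx.corp.example", relays))
}
```

The address reported in `Origin` is the one a complaint or block would be based on; the host names in the unverified headers carry no evidential weight.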
(Klensin, 1995) The message "id" can be used to check validity with the administrator at each intermediary. Ultimately, the false headers can be identified.

Turning to the legislation that sets spam policy in Australia, it is necessary to mention the Spam Act 2003 and the associated Spam (Consequential Amendments) Act 2003, passed by Parliament in December 2003. The two Acts came into effect on 10 April 2004 and are to be reviewed within two years. The Spam Act 2003 prohibits the sending of unsolicited commercial messaging within Australia or on behalf of Australian entities. That prohibition reflects the Government's statement that spam is typically anonymous, indiscriminate and global. With these characteristics spam has become a popular vehicle for promotions that can be illegal, unscrupulous or use tactics that would not be commercially or legally viable outside the virtual environment.

Some of the key issues raised by spam include privacy, illegal or offensive content, misleading and deceptive trade practices, and burdensome financial and resource costs. There are significant privacy issues surrounding the manner in which e-mail addresses and personal information are collected and handled. It is not uncommon for address collectors to covertly harvest e-mail addresses from the Internet, as users visit certain sites, and buy and sell them in bulk without the knowledge or consent of the owner. A report to the US Federal Trade Commission (FTC) estimates that roughly half of all unsolicited commercial e-mail contains fraudulent or deceptive content. There are obvious community and regulatory agency concerns with the illicit content of a considerable amount of spam, including messages that promote pornography, illegal online gambling services, pyramid selling, get-rich-quick schemes or misleading and deceptive business practices.
The indiscriminate method of distribution is of particular concern, as it is common for minors to receive spam that is pornographic, illegal or offensive.

The associated Spam (Consequential Amendments) Act 2003 makes various amendments to the Telecommunications Act and the ACA Act to enable effective investigation and enforcement of breaches of the Spam Act. Another legislative effort is the Privacy Act, which in its current form precludes spammers from harvesting email addresses without the consent of their owners. This must in general be consent to the use of the address for spam, as a person who has consented to the collection of their email address for a particular purpose does not thereby consent to it being used for other purposes. According to the Criminal Code Act, liability will attach if the offender institutes or assists in the institution of an unauthorised connection to an open relay server, provided that the connection is either initiated in Australia, or if results of the abuse occur in Australia, or if the offender is an Australian citizen.

The significance of worldwide regulation in managing spam means that Australia will come under pressure to match its legislation with that in the EU and to move beyond broad statements about bilateral cooperation, such as the July 2004 Memorandum of Understanding (MOU) between the Australian Competition & Consumer Commission (ACCC), the Australian Communications Authority (ACA), the US Federal Trade Commission, the UK Department of Trade & Industry, the UK Information Commissioner and the UK Office of Fair Trading.

Spam Proliferation and Costs

The problem of spam has grown intensively since the emergence of the Internet. During the period of 2001-2002, spam increased by 450 percent or 12.4 billion messages per day (Edwards, 2002). Spam is considered to be a highly challenging problem because it mostly contains pornographic advertisement or fraudulent, get-rich-quick schemes sent from a cautiously disguised source.
Spam is also a computer security risk, since it spreads computer viruses that then turn infected computers into spammers (See Spam Zombie).

The sending of spam results in a substantial shifting of costs from advertisers to ISPs and e-mail recipients. In 2003, spam is estimated to have cost companies worldwide $20.5 billion. Spammers are able to send messages for minimal cost: the cost of their Internet access and mailing lists. The costs of relaying messages, storing them, and downloading them are borne by others. The extent of other forms of commercial advertising is limited by the cost of the advertising. With e-mail, the cost is higher on the recipients than on the advertisers, with an estimated margin of $270 million for spammers versus an inflicted cost of $8-10 billion on the rest of the world in 2002. Given this cost imbalance, there is no effective economic limit on the amount of spam that can occur, other than the limits of the ability of end-users to shoulder the costs.

Functional Description of Spam Controls

The suggested spam control program is as follows. The public key infrastructure is extended to generate not only signed e-mail messages, but also opt-in and opt-out signatures. Opt-in requests should be generated by those who create a signed request using their private key, either by Web or e-mail. The signed requests are then sent to the specified bulk mailer, who will be able to verify the signature with the certificate authority and keep the signed request as proof of the opt-in request. This process is then automated by email clients that want to incorporate this filtering technology. The opt-out process should also be automated, so that individuals can send a signed request using their private keys and an automated response is then sent back by the bulk mailer. This response would serve as proof that the opt-out request has been received.
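The signed request and receipt exchange described above, as an added Go example that is not part of the essay: Ed25519 keys stand in for the public key infrastructure, the `CA` map stands in for the certificate-authority lookup, and the `Seq` replay counter and all names and addresses are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Request is a signed opt-in or opt-out. Seq is an added anti-replay counter (assumption).
type Request struct {
	Action, Subscriber, Mailer string
	Seq                        uint64
	Sig                        []byte
}

func (r Request) payload() []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d", r.Action, r.Subscriber, r.Mailer, r.Seq))
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signRequest(priv ed25519.PrivateKey, action, sub, mailer string, seq uint64) Request {
	r := Request{Action: action, Subscriber: sub, Mailer: mailer, Seq: seq}
	r.Sig = ed25519.Sign(priv, r.payload())
	return r
}

// Mailer: CA stands in for the certificate-authority lookup (hypothetical).
type Mailer struct {
	Name   string
	Key    ed25519.PrivateKey
	CA     map[string]ed25519.PublicKey
	Proofs map[string]Request
}

func newMailer(name string, key ed25519.PrivateKey) *Mailer {
	return &Mailer{name, key, map[string]ed25519.PublicKey{}, map[string]Request{}}
}

func (m *Mailer) Handle(r Request) ([]byte, bool) {
	pub, known := m.CA[r.Subscriber]
	old, seen := m.Proofs[r.Subscriber]
	if !known || r.Mailer != m.Name || (seen && r.Seq <= old.Seq) ||
		!ed25519.Verify(pub, r.payload(), r.Sig) {
		return nil, false // unknown signer, wrong addressee, replay or bad signature
	}
	m.Proofs[r.Subscriber] = r // retained as proof of the request
	return ed25519.Sign(m.Key, append(r.payload(), r.Sig...)), true // signed receipt
}

// receiptValid is the subscriber's check that the mailer acknowledged r.
func receiptValid(mailerPub ed25519.PublicKey, r Request, receipt []byte) bool {
	return ed25519.Verify(mailerPub, append(r.payload(), r.Sig...), receipt)
}

func main() {
	subPub, subPriv := mustKey()
	mPub, mPriv := mustKey()
	m := newMailer("lists.example", mPriv)
	m.CA["alice@example.org"] = subPub
	in := signRequest(subPriv, "opt-in", "alice@example.org", "lists.example", 1)
	rc, ok := m.Handle(in)
	fmt.Println("accepted:", ok, "receipt valid:", receiptValid(mPub, in, rc))
}
```

Because the receipt covers the request's own signature, each side ends up holding a record that the other cannot later deny, which is the documentary role the signed requests play in this scheme.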
If the automated response is not received from the bulk mailer, the individual's e-mail program should send an automated complaint to agency servers. The signed requests are essential because they are retained to provide documentary evidence to each party of its compliance or non-compliance with agency regulations. A signature can also require the entry of a password, an additional step that would make the use of spam zombies to create signed messages considerably more difficult.

Spam filters must identify most bulk messages, and distinguishing between signed and unsigned messages should be relatively easy. Users will be able to choose to have unsigned bulk messages filtered, and spammers will have to indicate whether their signed messages are solicited or not. All e-mail users, whether participants in this regulatory framework or not, should remain free to send unsigned bulk messages. Their messages risk being filtered before reaching some users, but this filtering will be the result of individual preferences and not government censorship. Users will still be able to send anonymous messages in bulk.

Critique of Possible Spam Control Strategies

Privacy Preserving

The proposed system does lead to the loss of some privacy. Signed messages are by their very nature not anonymous. This loss in privacy is alleviated by the optional nature of the system and the fact that only the sending of signed bulk messages is affected. Messages, even bulk messages, are not required to be signed. Unsigned messages simply have a greater probability of being filtered. The intent of the system is to motivate most senders of bulk e-mail to sign their messages, but the lack of a requirement that messages be signed is constitutionally significant. Political speech, protest speech, and the like can still be sent anonymously. None of it is required to be filtered by law.

Other aspects of the system are quite successful in preserving privacy, particularly the privacy of e-mail recipients.
Users can filter unsolicited messages without ever having to indicate to their ISPs or a governmental authority which senders' messages they wish to solicit. The indication of whether a message is solicited is made by the sender, and the mechanisms of the opt-in system enable the sender to be held accountable for his affirmation. The threat of ISPs attempting to retain this information and use it for data-mining purposes remains. This threat should be dealt with by appropriate legislation prohibiting the retention of any solicitation information for any longer than is necessary to deliver a message.

Cost-Effectiveness

Building systems for spam regulation is an expensive task, as it includes payment for spam-filtering services and software, legal actions against spammers, and the social costs associated with spam, such as unsolicited pornography sent to minors. The proposed system imposes high financial and technical costs. It requires governmental administration and enforcement. It asks ISPs and software developers to expand the functionality of their products and services. Nevertheless, these financial costs are justified by the increasing costs inflicted by unwanted spam.

One technical cost imposed by the proposed system is that it does not claim to be able to stop the sending of spam. It instead focuses on enabling e-mail users to avoid ever receiving the unwanted spam messages. Spam can still be sent and passed across the Internet, all the way to the recipient ISP, before finally being dropped by the ISP on the basis of a recipient's e-mail receiving preferences. Only in the limited circumstance where a signature is forged can a message be dropped by the sending e-mail server or an intermediary before it consumes bandwidth and storage space at the receiving end.

This system does take some steps to minimize its technical costs. Most significantly, only signed and bulk messages will be affected by the changes.
Unsigned messages may be treated just as they were before, although ISPs may begin to presumptively filter unsigned, bulk messages. Most personal messages will likely not be signed and have no need to be signed.

Transparency

A central filtering system that relays or drops messages based on the decisions of an undisclosed filtering algorithm raises the question of transparency. Blacklists are particularly vulnerable to claims of a lack of transparency (Sorkin, 2001). IP addresses can be added to the blacklists according to an unidentified set of criteria, without regard for whether specific users may want to receive messages from that address. The criteria for accepting or refusing e-mails should be user-controlled. The proposed system promotes more transparency by putting virtually all filtering decisions in the hands of intended message recipients. Blacklists and filters operate under criteria unknown to users. By allowing users to set separate rules for unsigned bulk messages, unsolicited bulk messages, and solicited bulk messages, the end-to-end architecture of the Internet is maintained and the transparency of the system is maximized.

Bibliography:

1. Alex Salkever, Yahoo's Risky Antispam Gambit, BUS. WEEK ONLINE (Jan. 13, 2004), at http://www.businessweek.com/technology/content/jan2004/tc200401133442_tc047.htm.
2. Associated Press, Your Computer Could Be a 'Spam Zombie' (Feb. 18, 2004), at http://www.cnn.com/2004/TECH/ptech/02/17/spam.zombies.ap/index.html [hereinafter Spam Zombie].
3. David E. Sorkin, Technical and Legal Approaches to Unsolicited Electronic Mail, 35 U.S.F.L. REV. 325, 347 (2001).
4. Edward Brunet, Defending Commerce's Contract Delegation of Power to ICANN, 6 J. SMALL & EMERGING BUS. L. 1 (2002).
5. Hiawatha Bray, Tech Experts Say Spammers Are on the Run, BOSTON GLOBE, Jan. 26, 2004, at C3, available at http://www.boston.com/business/technology/articles/2004/01/26/tech_experts_say_spammers_are_on_the_run/ [hereinafter Spammers Are on the Run].
6. J. Klensin, RFC 1869: SMTP Service Extensions, THE INTERNET SOCIETY: Internet Engineering Task Force (Nov. 1995), at http://www.ietf.org/rfc/rfc1869.txt.
7. Jonathan B. Postel, RFC 821: Simple Mail Transfer Protocol, THE INTERNET SOCIETY: Internet Engineering Task Force (Aug. 1982), at http://www.ictf.org/rfc/rfc0821.txt.
8. Kevin Murphy, Gates Backs Away from Postage Stamps Idea in Spam Vision, COMPUTER BUS. REV., June 29, 2004, at http://www.computerbusinessreview.com/research_centres/59984863230a118e80256ec20032dda4.
9. Kate Mackenzie, "Privacy delays cybercrime code", AustralianIT, 6 December 2002, http://australianit.news.com.au/articles/0%2C7204%2C5628313%5E15319%5E%5Enbv%5E15306%2C00.html.
10. Michael B. Edwards, A Call to Arms: Marching Orders for the North Carolina Anti-Spam Statute, 4 N.C.J.L. & TECH. 93, 93 (2002).
11. Michael Froomkin, Wrong Turn in Cyberspace: Using ICANN to Route Around the APA and the Constitution, 50 DUKE L.J. 17, 21-22 (2000).
12. Microsoft Corp., Anti-Spam Technical Alliance Publishes Recommendations to Help Stop Spam (June 22, 2004), at http://www.microsoft.com/presspass/press/2004/jun04/06-22ASTAPR.asp.
13. Nick Wingfield, VeriSign Files Antitrust Suit Against Web-Address Overseer, WALL ST. J., Feb. 27, 2004, at A3.
14. ORGANISATION FOR ECONOMIC DEVELOPMENT AND CO-OPERATION, BACKGROUND PAPER FOR THE OECD WORKSHOP ON SPAM, at 14, at http://www.olis.oecd.org/olis/2003doc.nsf/LinkTo/dsti-iccp(2003)10-final (Jan. 22, 2004).
15. THE INTERNET SOCIETY: Internet Engineering Taskforce (Apr. 2001), at http://www.faqs.org/rfcs/rfc2822.html.
16. Tony Bradley, Solving the Spam Epidemic: Can You Legislate Spam Away, ABOUT.COM (May 16, 2004), at http://netsecurity.about.com/cs/emailsecurity/a/aa051604.htm.
17. Utah Code tit 13, Chapter 36, applied in Terry Gillman v Sprint Communications, an unreported case against Sprint Communications noted at http://www.adlawbyrequest.com/inthecourts/SprintSpam081202.shtml.
18. Wong & Lentczner, SENDER POLICY FRAMEWORK, A Convention to Describe Hosts Authorized to Send SMTP Traffic (Feb. 2003), at 3, at http://spf.pobox.com/draftmengwong-spf-00.txt (Internet draft, expiration date July, 2004).
19. Yahoo! Anti-Spam Resource Center: Domain Keys, at http://antispam.yahoo.com/domainkeys (last visited Oct. 5, 2004).
Cite this document
(“Spam Overview Essay Example | Topics and Well Written Essays - 2250 words”, n.d.)
Spam Overview Essay Example | Topics and Well Written Essays - 2250 words. Retrieved from https://studentshare.org/logic-programming/1506444-spam-overview