Windows & .NET Magazine Security UPDATE--July 16, 2003

1. In Focus: Antispam Movement: Readers Respond

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

In last week's Security UPDATE commentary \[http://www.secadministrator.com/articles/index.cfm?articleid=39554\], I discussed spam and presented some news stories that reveal the tug-of-war taking place between lawmakers and companies whose interests might be jeopardized in one way or another by various proposals for legal solutions. Several readers wrote to share their opinions about unsolicited email. I thank everyone who responded and offer you some of those responses.

Jay C. described his concerns about do-not-spam lists. Using such lists might become cost-prohibitive for companies that rely on unsolicited commercial email (UCE) to gain new business leads. Legitimate small businesses rely on email advertising to help them compete against large corporations. He believes that the opt-in approach offers a better direction because it lets advertisers target people who've indicated that they don't mind receiving the advertising from a reputable source.

For example, when you sign up for newsletters from Windows & .NET Magazine, you can choose whether you want to receive email from third parties connected with the company. That's a responsible opt-in policy, I think. However, some companies sell their email lists to anyone who pays for them. You can help avoid such UCE messages by looking for a privacy policy when vendors ask for your contact information. Try to learn how they might use your information before you provide it.

Steve W. wrote that he's concerned about the ever-increasing sophistication of spammers, who continue to discover ways to get their messages past spam filtering systems. Steve is also concerned about the increasing amount of malicious software (malware) that email messages help propagate, which affects many e-commerce companies, including banks and supply chains. He thinks the best solution will be authenticated email, the use of IP Security (IPSec), and encryption. Steve points out that standards and applications to handle junk email and address other privacy concerns will emerge because they're in demand.

Pat M. wrote that identity management could help curb UCE. If email were authenticated, taking action against abusers would be easier. Pat also thinks that "truth in advertising" laws should apply to advertising message subjects, which would make the email messages far easier to filter.

George S. wrote, "You mentioned some possibilities for controlling spam but left out the most important and effective one: Make spamming a capital crime." I laughed because junk mail obviously aggravates George. I also sympathize--but hope he was joking about the "capital crime" designation.

Greg F. points out that a big problem with stopping spammers is that many of them aren't located in the United States or in countries that might take action against them. Furthermore, he points out that even when an entity is found to have an open SMTP relay (or proxy for that matter), you can't necessarily find someone to contact to close it--because it's often difficult to determine exactly who was using a given IP address. In addition, few people want to do the work to trace a spammer who uses open relays and proxies--the work is tedious.

Bill P. points out that open proxies, open relays, and open Wi-Fi (the 802.11b wireless standard) networks contribute hugely to spam. Tracking spammers who use such gateways is difficult but not impossible. However, Bill acknowledges that sometimes even when you successfully track a spammer to a given domain, you encounter another problem in trying to identify the culprit: false domain registration information.
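The tedious part of the trace Greg and Bill describe is walking the Received: chain from the newest stamp down to the oldest and deciding where your own evidence stops. The script below is an added example, not part of the newsletter: it parses the chain, treats the hosts in TRUSTED_HOSTS (an assumption; substitute your own mail servers) as the only stamps you can vouch for, and reports the first IP outside that boundary as the hand-off point. Anything below that hop, including the private 10.0.0.5 claimed by the oldest stamp in the constructed sample, is marked unverifiable because an open relay or proxy forwards whatever headers the sender supplied. The sample message, its hostnames and its addresses are all constructed for the example.

```python
"""Walk the Received: chain of a message newest-first and report where
verifiable tracing stops.  Added example, not from the newsletter.
Assumption: TRUSTED_HOSTS holds the mail hosts whose stamps you control;
every stamp below the first untrusted hop may have been forged upstream."""
import email
import ipaddress
import re

# Hosts whose Received: stamps we trust (assumed; use your own MX names).
TRUSTED_HOSTS = {"mail.example.org", "mx1.example.net"}

# Addresses in these ranges cannot be the contact point for an abuse report.
# (Only RFC 1918, loopback and link-local are listed, so the documentation
# ranges used as constructed sample data classify as "public" below.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample message: three hops, the oldest claiming a private IP.
RAW_MESSAGE = b"""Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id k7aB3; Wed, 16 Jul 2003 10:02:11 -0500
Received: from relay.example.com (unknown [203.0.113.45])
\tby mx1.example.net with SMTP; Wed, 16 Jul 2003 10:01:50 -0500
Received: from [10.0.0.5] (helo=friendlyhost)
\tby relay.example.com with SMTP; Wed, 16 Jul 2003 09:59:02 -0500
From: "Great Offer" <offer@example.com>
To: you@example.org
Subject: Buy now

Body text.
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def classify_ip(ip):
    """'none' if the stamp carries no IP, 'non-routable' for the ranges
    above, otherwise 'public'."""
    if ip is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    return "non-routable" if any(addr in n for n in NON_ROUTABLE) else "public"


def parse_received(raw_bytes):
    """Return the hops newest-first, one dict per Received: stamp."""
    msg = email.message_from_bytes(raw_bytes)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        from_m = _FROM_RE.search(text)
        by_m = _BY_RE.search(text)
        ip_m = _IP_RE.search(text)
        ip = ip_m.group(1) if ip_m else None
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "by_host": by_m.group(1) if by_m else None,
            "from_ip": ip,
            "ip_class": classify_ip(ip),
            "raw": text,
        })
    return hops


def trace(raw_bytes, trusted=TRUSTED_HOSTS):
    """Find the hand-off hop: the first stamp, walking newest-first, written
    by one of our hosts but received from a host we do not control.  Its IP
    is the last address the trace can vouch for; deeper hops are returned
    as unverifiable."""
    hops = parse_received(raw_bytes)
    for i, hop in enumerate(hops):
        if hop["by_host"] in trusted and hop["from_host"] not in trusted:
            return {"hops": hops, "handoff_index": i,
                    "handoff_ip": hop["from_ip"],
                    "unverifiable": hops[i + 1:]}
    return {"hops": hops, "handoff_index": None, "handoff_ip": None,
            "unverifiable": hops}


if __name__ == "__main__":
    result = trace(RAW_MESSAGE)
    print("hand-off IP (the operator to contact):", result["handoff_ip"])
    for hop in result["unverifiable"]:
        print("unverifiable hop:", hop["from_host"], hop["from_ip"], hop["ip_class"])
```

On the sample the hand-off is 203.0.113.45, the relay that handed the message to mx1.example.net; that relay's operator is who you can reach, which is exactly the dead end Greg describes when the relay turns out to be open and its operator unreachable. The 10.0.0.5 stamp below it is not evidence of anything.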

Bill also notes that antispam legislation probably won't do much good unless technological provisions back it up. For example, you'd have to disable registrars that don't enforce accurate contact information; disable domain names that contain inaccurate contact information; disconnect any site that operates (knowingly or not) an open proxy, mail relay, Wi-Fi network, or another device that spammers can use; and cancel peering agreements between ISPs when an ISP is lax about preventing spam. You would also need legal exceptions that would let someone probe a mail-sending service to determine whether it's spammer-friendly because it operates an open relay or proxy. (Currently, people can be charged with a crime in some areas of the country simply for probing a system without first getting permission to do so.)

David Norris Carden sent me a copy of "Federal SPAM Legislation," a paper that he wrote while working on his master's degree in Information Security at Capella University. In the paper, he examined various proposals for legislation. Of the eight proposals he analyzed, he found that several would do little to mitigate the overall problem of junk email. However, one stood out as having more preventive measures than the rest: H.R. 2515, dubbed "The Anti-Spam Act of 2003."

If passed into law, the act would require email advertising to contain a subject ID, adult-content ID, opt-out mechanism, valid return address, and physical address. In addition, it would make false email headers and subject lines illegal, restrict the harvesting of email addresses, and let victims bring civil action against violators.

Norris's "Federal SPAM Legislation" paper \[http://rasquel.com/security.htm\] is online; read it to learn more about antispam legislation. To read more about H.R. 2515, visit the Spamlaws.com Web site \[http://www.spamlaws.com/federal/108hr2515.html\].

Spamlaws.com is a great place to review existing and proposed laws from all over the world. You can drill down (e.g., to a given state) to see the local issues. You can also look at case law, such as the recent Intel versus Hamidi case in California. Check out the Web site \[http://www.spamlaws.com\] periodically; it's a great resource.