Subject: Security UPDATE, May 14, 2003

1. IN FOCUS

(contributed by Mark Joseph Edwards, News Editor, mark@ntsecurity.net)

· EMAIL ONSLAUGHT: CANNING SPAM

Is everybody tired of junk email yet? Everyone but the spammers, I think. Lately, people have dedicated much energy to ending unsolicited commercial email (UCE). Some, though not all, of the traffic deserves to be stopped. For example, you might want to receive unsolicited ads from your favorite vendors. However, you might not want another unsolicited ad for a cheap cable TV descrambler or another guaranteed-get-rich-quick scheme.

At least one ISP has lashed back at a devious and corrupt spammer. EarthLink won a judgment against a spammer to the tune of $16.4 million. The perpetrator, Howard Carmack, of Buffalo, New York ("the Buffalo Spammer"), lied, cheated, and stole to get his spam out the door. EarthLink said Carmack had sent over 825 million junk emails since March 2002.

To cover his tracks, he and his associates stole credit cards, used them to establish bogus Internet access accounts, committed bank fraud, and presumably raked in loads of money in the process. According to EarthLink, he favored sending out advertisements for computer virus scripts, "work at home" and get-rich-quick schemes, bulk email software and lists that other spammers could use, and cable TV descramblers. EarthLink is getting adept at chasing down spammers. In 1998, EarthLink won a $2 million judgment against Sanford Wallace of Cyber Promotions, and last year, a $25 million judgment against KC Smith, whose operation purportedly generated more than a billion pieces of junk mail.

But we need an easier way than litigation to stop spam. The Federal Trade Commission (FTC) recently held a 3-day forum [http://www.ftc.gov/opa/2003/02/spamforum.htm], April 30 through May 2, to discuss the proliferation of UCE. The forum explored the technical, legal, and financial concerns associated with such email. I don't have follow-up information about the forum, but the FTC Web site has a page that offers tips [http://www.ftc.gov/bcp/conline/pubs/online/inbox.htm] about preventing spam and reporting fraudulent advertisements.

One highlight of the forum was a proposal for a new standard, the Trusted Email Open Standard (TEOS), designed to augment current SMTP email technology to help prevent unwanted email from reaching users' Inboxes. Various organizations, including the ePrivacy Group, developed the TEOS draft proposal and published it in a white paper.

Stephen Cobb, who worked on the proposal, outlined 10 basic points [http://2cobbs.com/spam/teos.html] that serve as a road map for understanding TEOS. Cobb said that the nature of SMTP-based email makes spam possible because it lets senders lie about who they are to lure users into reading the email.

The TEOS approach tries to address matters of technology and human behavior--while taking into consideration the legitimate ways people use email. Any solution to spam should try to avoid requiring that people replace the widely used SMTP-based mail servers and instead enhance existing technologies. TEOS proposes that such enhancements include a way for email senders to more reliably identify themselves. Enhancements can let senders make assertions about messages (included in SMTP message headers) so that mail servers know how to process email. For example, a magazine could assert that the message contains a user's copy of a newsletter.

TEOS also proposes including a "trust stamp" in messages. Trust stamps would be encrypted and unique to an individual message. Mail servers and users could use the stamps to verify whether a message sender is a member in good standing of a "responsible email" organization. An international oversight board would certify organizations.
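To make the two ideas above concrete (sender assertions carried in message headers, and a per-message trust stamp that a receiving server checks against an oversight body's list of certified organizations), here is an added illustration. It is not code from TEOS, the ePrivacy Group, or the white paper: the header names (X-Trust-Stamp, X-Mail-Assertion), the registry, the keys, and the sample newsletter are all constructed for this example, and the stamp is built as a keyed hash (HMAC) over the sender, the assertion, and the body rather than with the encryption the proposal describes, which is a simplification chosen so the example runs offline with the standard library alone.

```python
import hashlib
import hmac
import secrets
import time
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed, hypothetical registry standing in for the oversight board's
# list of certified "responsible email" organizations.  Each certified
# organization holds a secret stamp key; status records good standing.
REGISTRY = {
    "newsletter.example": {"key": b"constructed-secret-key-1", "status": "good"},
    "lapsed.example": {"key": b"constructed-secret-key-2", "status": "revoked"},
}

STAMP_HEADER = "X-Trust-Stamp"         # hypothetical header name, not from TEOS
ASSERTION_HEADER = "X-Mail-Assertion"  # hypothetical header name, not from TEOS
MAX_AGE_SECONDS = 7 * 24 * 3600        # hypothetical freshness window for a stamp


def _stamp_payload(org, nonce, issued, sender, assertion, body):
    # Everything the stamp vouches for: who sent the message, what the sender
    # asserts it is, and the body itself, so none can be altered afterwards.
    body_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return "|".join([org, nonce, issued, sender, assertion, body_hash]).encode("utf-8")


def stamp_message(msg, org, now=None):
    """Attach a per-message trust stamp on behalf of a certified organization."""
    nonce = secrets.token_hex(16)  # random per message, so every stamp is unique
    issued = str(int(now if now is not None else time.time()))
    payload = _stamp_payload(org, nonce, issued, str(msg["From"]),
                             msg.get(ASSERTION_HEADER, ""), msg.get_content())
    tag = hmac.new(REGISTRY[org]["key"], payload, hashlib.sha256).hexdigest()
    msg[STAMP_HEADER] = f"org={org}; nonce={nonce}; issued={issued}; tag={tag}"
    return msg


def verify_stamp(raw, seen, now=None):
    """Receiving-server check on a raw message; returns a verdict string."""
    msg = message_from_string(raw, policy=policy.default)
    value = msg.get(STAMP_HEADER)
    if value is None:
        return "no-stamp"
    try:
        fields = dict(part.strip().split("=", 1) for part in value.split(";"))
        org, nonce, issued, tag = (fields[k] for k in ("org", "nonce", "issued", "tag"))
    except (KeyError, ValueError):
        return "malformed-stamp"
    entry = REGISTRY.get(org)
    if entry is None:
        return "unknown-org"
    if entry["status"] != "good":
        return "not-in-good-standing"
    # The stamping organization must own the claimed sender domain, so a
    # member cannot stamp mail that pretends to come from someone else.
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return "sender-mismatch"
    if from_header.addresses[0].domain.lower() != org:
        return "sender-mismatch"
    payload = _stamp_payload(org, nonce, issued, str(from_header),
                             msg.get(ASSERTION_HEADER, ""), msg.get_content())
    expected = hmac.new(entry["key"], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "bad-stamp"  # sender, assertion, or body changed after stamping
    current = now if now is not None else time.time()
    if not issued.isdigit() or current - int(issued) > MAX_AGE_SECONDS:
        return "stale"
    if (org, nonce) in seen:
        return "replay"  # the same stamp reused on another copy of the mail
    seen.add((org, nonce))
    return "accept"


def build_newsletter(sender="editor@newsletter.example", body="This week's issue.\n"):
    # Constructed sample message, as a certified publisher would send it,
    # carrying the kind of assertion the text describes (a subscriber's newsletter).
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "reader@example.net"
    msg["Subject"] = "Weekly newsletter"
    msg[ASSERTION_HEADER] = "type=subscribed-newsletter"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    stamped = stamp_message(build_newsletter(), "newsletter.example").as_string()
    print(verify_stamp(stamped, set()))
```

The verdicts are what a mail server would route on: an unstamped message falls through to ordinary filtering, a bad or replayed stamp is rejected, and only a fresh stamp from an organization in good standing whose sender domain matches is accepted. Keying the registry by organization rather than by individual address is the part that makes revocation cheap: dropping one entry invalidates every stamp that organization ever issued.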

Obviously, TEOS will work only if the proposal is widely accepted. If it were adopted, TEOS would stop dishonest people from sending spam because if senders lied about who they were and what their messages contained, those messages wouldn't be delivered. It's a good plan that makes sense.

Other solutions to junk mail add on to existing mail platforms. For example, whitelist and blacklist solutions automate the process of building lists of verified and unacceptable email senders. Mail-filtering packages help trim the amount of received junk mail at the gateway, and add-ons for mail clients trim junk at the desktop by using virtual networks of people to identify and tag spam as it travels the Internet.

One irony about this push to stamp out junk mail is that we still often overlook paper-based junk mail. People everywhere still receive reams of unsolicited paper mail. By now, each of us has probably received enough pizza coupons in the mail to wallpaper an entire college dormitory. I, and countless others, toss those ads straight into the trash along with reams of other unwanted paper junk mail. Should the fact that we haven't solved the paper junk-mail problem serve as a warning about the difficulties we'll encounter in ending spam? Naah. Cyberspace is different.