Every day you wake up and find a new case of spam - Unsolicited Commercial Email - in your electronic mailbox. Can you prevent this early morning indigestion? Adam Engst examines anti-spam techniques and ideas - including some pending legislation. In FAQtoids, we travel through time and space and blow the cover on TCP, and in NettersLetters we learn about the flip side of spam filters and the - allegedly - canonical pronunciation of GIF.
Copyright 1997 TidBITS Electronic Publishing. All rights reserved. To subscribe to our weekly list, email <netbits-on@netbits.net>. Thanks to our sponsors for their financial support of NetBITS.
Ethernet and Internet -- Rob Russell of Auckland, New Zealand <rob@sumware.co.nz> pointed out what seemed to be a contradiction in the second installment of the "Hey, I'm Talking To You" article (see NetBITS-002) about how machines find each other over an Ethernet network and over the Internet. The article stated the Internet doesn't use Ethernet, because Ethernet LANs - segments in which all the machines "see" each other - only work over short distances. But if you hadn't read part 1, last week's sequel seemingly implied TCP/IP couldn't run over Ethernet.
The confusion probably stems from writing about physical protocols (like Ethernet) and data protocols (like TCP/IP) at the same time. Data you send, such as a Web page request, is encoded into a set of TCP packets with IP addresses on them. Once the packets leave the application that assembles them on a particular machine, the physical protocols take over to move the packets along the machine's physical network connection. One Ethernet device talks to another to pass along the TCP packets; if the packets are bound for an outside network, they may go over a serial line that uses a different physical protocol. So regardless of whether you're sending data over a local Ethernet or between routers using leased telephone company lines, the data format is still TCP using IP addressing. The medium, in this case, is not the message, just the carrier. [GF]
by Adam C. Engst <ace@netbits.net>
All right, I'm angry. I'm fed up with spam (junk email, sometimes known as unsolicited commercial email), and I'm almost as fed up with the hopelessness of the current methods of stopping it. I assume you're all familiar with spam - if by some stretch of luck you're not, you probably will be before long, especially if you post to Usenet or put your email address on a Web page.
We all saw the rise of spam coming: unlike paper-based bulk mail, spam is essentially free to send, and so purveyors of spam are happy with a response rate far lower than the standard 1 to 2 percent achieved by traditional direct response campaigns. Now, the spam problem is getting ridiculous, with no signs of abatement in sight. In the last two months, I've gotten about 250 individual pieces of spam. Sure, I have a well-known address, but that's a lot of spam, and it's increasing in volume all the time.
In this article, I'll examine the efficacy of some anti-spam tactics and technologies. In an upcoming issue, Glenn Fleishman will cover the upstream part of this problem - how to stop spam at the source and how to keep your own or your ISP's mail servers from being hijacked.
Delete -- The simplest method of dealing with spam is the Delete command in your email program. It probably takes a few seconds for you to recognize that a message is spam, and only a few more to delete the message. Even multiplied by the number of messages I received since I started counting, I would only have spent two or three minutes of those months dealing with spam. This technique also has the advantage of being familiar - we do exactly the same thing with paper junk mail. However - in the United States at least - we don't directly pay to receive paper junk mail, whereas we all pay in some form or fashion to receive spam. More concerning, what happens when the ratio of spam to real email flips, so we're getting 98 percent spam? The Delete command won't work so well then, and believe me, it's only a matter of time before that would be true.
Complaints -- You can also complain about spam. You can return nastygrams to the spammers, ask to be removed from their lists, and complain to the postmasters of the ISPs involved.
At this point, however, replying to spammers has an efficacy of about zero. Sure, you might hit a novice spammer at some point who doesn't realize that no good email ever comes from spamming, but that's an exception. Most spam is forged in such a way that there isn't a valid email address to which you can reply. This makes pointless the idea of replying with a note that tells spammers that the next time you receive spam from them, they'll owe you money.
Using remove features when offered sounds like a nice idea, but why would a spammer want to honor remove requests? After all, getting a remove request means that the recipient has a valid email address and actually read the message. To the scarred and twisted minds of spammers, that must mean that the person sending the remove request is a prime target for more spam. Replying to an email address in spam that actually works virtually always gets you added to more lists.
Of these ideas, complaining to postmasters (nicely) is the only tack that has any hope of succeeding. I wrote and used a KeyQuencer macro that actually did all of these things (it replied to the message with full headers, put the word "remove" in the Subject line, put abuse and postmaster addresses at the domain involved in the CC line, and typed a short and pointed note at the top of the message). In several months of using my macro, I got email from a couple of abuse addresses (most of the big ISPs were pretty good) thanking me for the information and saying that they had kicked the person off. Most of the time, though, there was no recourse, and all my messages either bounced or disappeared. I figure I had at best about a 2 percent success rate.
Filters -- What about using the filtering capabilities built into all good email programs, like Qualcomm's Eudora and Claris Emailer? All you have to do is identify common aspects of spam and then you can filter it all to the Trash, or (until you're confident of your filters) into another mailbox where any real messages caught by your filters can survive. If you don't have the time or energy to create your own filters, others have done so for Eudora and other programs.
<http://www.public.usit.net/nwcs/Spam/Spam.html>
Unfortunately, filters are problematic for several reasons, and although you're welcome to use them, in the long term they're simply not the solution.
Most spam email has been forged anyway - how can you possibly hope to keep up with spammers who can just forge another address?
Filtering on the Received lines in the message header fails if the spammer hijacks an SMTP server to force it to deliver the spam. It's far too easy to do.
Filtering requires constant updates and constant vigilance to make sure real mail hasn't been captured accidentally.
To filter email, you must first receive it, which means in essence that you're paying for it, either in money directly (not everyone has flat-rate Internet access) or in time or bandwidth.
Filtering on the domains of network service providers (the most notable one being filtered is a company called Apex Global Information Systems or AGIS) casts far too wide of a net. For instance, it turns out that the first part of the IP address we had some time ago for our mailing list machine, 205.199.*.*, is the same as the first part of the IP address used by arch-spammer Cyber Promotions. People who thought they were being clever by filtering on the start of that IP address effectively filtered TidBITS out as well, causing us major headaches when we got the complaints about missing issues. Also, since it's so easy to hijack an SMTP server, filtering on IP addresses is just as doomed as any other technique. Cyber Promotions recently got kicked off this network by AGIS; they're threatening to build their own network - which would make them much easier to filter out.
<http://www.news.com/News/Item/0,4,14907,00.html>
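The two failure modes above (the 205.199.*.* rule swallowing a legitimate newsletter, and relayed spam with a forged sender slipping past both rules), run as a filter over three constructed messages. This is an added example, not from the original article; every hostname, sender and address other than the 205.199.*.* prefix is made up.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# The prefix rule from the article, plus a hypothetical sender blocklist.
BLOCKED_NET = ipaddress.ip_network("205.199.0.0/16")
BLOCKED_SENDERS = {"offers@bulk.example.com"}

# Constructed samples: label -> (is_spam, raw message). Host parts of the
# 205.199.x.x addresses are invented; the rest use documentation ranges.
SAMPLES = {
    "spam_direct": (True,
        "Received: from bulk.example.com ([205.199.2.10]) by mx.example.org\n"
        "From: offers@bulk.example.com\n"
        "Subject: Make money fast\n\nbody\n"),
    "newsletter": (False,
        "Received: from lists.example.net ([205.199.66.7]) by mx.example.org\n"
        "From: editors@lists.example.net\n"
        "Subject: Weekly issue\n\nbody\n"),
    "spam_relayed": (True,
        "Received: from relay.example.edu ([198.51.100.25]) by mx.example.org\n"
        "Received: from dialup ([203.0.113.77]) by relay.example.edu\n"
        "From: friend@nowhere.example\n"
        "Subject: Make money fast\n\nbody\n"),
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """Return every bracketed IPv4 address found in the Received headers."""
    ips = []
    for header in msg.get_all("Received", []):
        for text in IP_RE.findall(header):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # something like [999.1.1.1]; ignore it
    return ips


def is_filtered(raw):
    """Apply both rules: blocked network in Received, or blocked From."""
    msg = message_from_string(raw)
    by_prefix = any(ip in BLOCKED_NET for ip in received_ips(msg))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return by_prefix or sender in BLOCKED_SENDERS


def evaluate(samples=SAMPLES):
    """Classify each sample as caught, missed, false positive or delivered."""
    outcome = {}
    for label, (is_spam, raw) in samples.items():
        if is_filtered(raw):
            outcome[label] = "caught" if is_spam else "false positive"
        else:
            outcome[label] = "missed" if is_spam else "delivered"
    return outcome


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:13s} {result}")
```
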
ISP Filters -- Perhaps the problem should be pushed upstream, to the Internet service providers? After all, if they filtered the spam out before it hit our mailboxes, we wouldn't have to deal with it all.
Nice idea, but I think it's fatally flawed. After all, who's to say that ISPs can avoid filtering real email any better than you can? And if the ISP was doing the filtering, you'd never even know that email from some friend of yours was being caught by the filter. Besides, even if you're not receiving, and thus paying for, the spam, the ISP is. Why should an ISP want to pay to carry spam any more than you?
Glenn has a slightly different viewpoint on this and will discuss it in his upcoming article about stopping spam at the source.
Voluntary Restraint -- Spammers had talked about forming a voluntary organization, and the Internet Email Marketing Council (IEMMC) was formed under the aegis of AGIS to develop industry guidelines for unsolicited commercial email, establish lists of people who didn't want to receive spam, and monitor compliance. However, according to news accounts (see URL above), the IEMMC was allegedly thrown out of AGIS's headquarters at the same time AGIS discontinued service to three major spam companies. It's unclear what will happen next with the IEMMC. In any case, this idea was flawed from the start. Anyone who believes this kind of a proposal will stop (or even stem) the tide of spam should look into the purchase of this very nice bridge I have for sale. It's just not logical - anyone can spam, and whether or not the industry group has good intentions, they can't stop others from spamming any more than anyone else can.
<http://www.iemmc.org/>
<http://www.agis.net/press26.htm>
Legislation -- The final and, I've come to believe, only effective method of stopping spam is by legislation. If sending spam is illegal, then spammers will be subject to civil penalties, which, of all the methods discussed so far, pushes costs back on the spammers rather than forcing all of us to bear the costs of being spammed. Unfortunately, all the bills currently introduced just allow victims of spam to recover damages; none of them actually turn the spammers into real criminals.
Keep in mind, we're talking about legislation in the United States. But since the U.S. represents the largest consumer market on the Internet, bills that ban spam here should have repercussions elsewhere, especially in places where electronic privacy rights are already more highly protected, such as the European Union. If these bills drive spammers outside the U.S., it will become even easier to filter those sites out completely - cutting them off from the Internet, effectively - until they agree to stop. Most Internet traffic in and out of the United States flows over networks owned by a few U.S. companies; these companies might face fines if they fail to block spam from international sources.
There are four anti-spam bills being introduced before the U.S. Congress. The most direct is by Representative Christopher Smith (R-NJ); the other three are by Senator Frank Murkowski (R-AK), Representative Billy Tauzin (D-LA), and Senator Robert Torricelli (D-NJ). The four bills (others may be on the way) are not equal; three focus on opting out, and Smith's focuses on opting in.
Opting out means you have to ask to be removed from a list, but your request must be honored or the sender will face civil penalties which you can collect from them. However, there could be thousands or tens of thousands of lists you'd have to opt out from. Opting in means that a company can't send you a single piece of email without your request or your setting up a documented business relationship with them.
A small clarification about U.S. civil and criminal law, too, for those of you fortunate enough to never have had to tangle with either: Criminal law covers crimes prosecuted by the government. These may be ridiculous, but the penalties involve fines, jail time, community service, and other court-imposed duties. Civil law governs individuals' and companies' actions against each other, in which the final settlement generally involves either injunctions or consent decrees (in which one side agrees to stop or start doing something) or civil penalties (in which one side wins a monetary judgement against the other). The bills below all involve civil penalties, which means you personally could file suit against the offender and, if you can prove their violation of the act, get cash money. In the case of spam, thousands or even hundreds of thousands of individuals could file civil claims across the country against single companies. Failure to appear in response to a suit often means a forfeit and having to deal with court-sanctioned liens. Since spammers annoy so many people, their financial risk would be enormous.
Current Bills -- Let's look at the current anti-spam bills. Senator Torricelli's <senator_torricelli@torricelli.senate.gov> bill, to start with, makes a civil offense of any attempt to forge email addresses or create fake domains. Further, it requires that if you request to be removed from a list (opt-out), these requests must be honored. The civil penalties are $500 for sending mail to you after you opt out, and $5,000 for various forgeries or misuse of service provider resources. The bill doesn't provide for specifics of how fast you have to be removed from lists. It also doesn't specifically limit coverage to commercial email, so anonymously sent private email could be covered. It's possible that legislating private speech in this manner could be unconstitutional; commercial speech has always had less constitutional protection.
<ftp://ftp.loc.gov/pub/thomas/c105/s875.is.txt>
<http://www.senate.gov/~torricelli/>
Representative William Tauzin's bill is also an opt-out bill, but is exceptionally vague. It essentially says that spam might be bad, and that spammers should voluntarily join an organization that will create guidelines for the industry. It doesn't specify civil penalties, and only appears to recommend that spammers honor opt-out requests. The bill provides relief to spammers in that if they join the trade organization, they're exempted from most penalties if they follow guidelines the group develops.
<ftp://ftp.loc.gov/pub/thomas/c105/h2368.ih.txt>
<http://www.house.gov/tauzin/>
Senator Frank Murkowski's <email@murkowski.senate.gov> bill is problematic. It would require spammers to label spam and avoid forgeries so ISPs can filter the spam at the server. Murkowski's bill graciously gives large ISPs one year to set up such filters, whereas smaller providers get two years. There are other provisions: users can request to be removed from spam lists, and must be removed within 48 hours; furthermore, ISPs would be forced to terminate service to anyone using their network to send spam without the required labelling and identification information. Penalties would range up to $11,000. These penalties could apply to ISPs if they fail to meet the bill's requirements, too, which has ISPs a bit nervous - it's not quite the Communications Decency Act, but it's potentially a case of "killing the messenger."
<http://www.senate.gov/~murkowski/press/EMail052197.html>
<http://www.senate.gov/~murkowski/commercialemail/>
<ftp://ftp.loc.gov/pub/thomas/c105/s771.is.txt>
Unfortunately, Murkowski's bill forces the ISPs to pay for carrying the spam, not to mention the costs of setting up and maintaining software to do the filtering. The basic problem, though, is that Murkowski's bill is an "opt-out" system (I'm sure there are a few people who like to receive spam, but there are people who enjoy self-mutilation as well). Cyber Promotions, one of the largest of the spam companies, brags about having 9,000 customers. I really don't want to spend my days removing myself from every spam list around, especially when they can just be regenerated from new sources.
Representative Smith's bill is based on an amendment to the Telephone Consumer Protection Act 47 USC 227, the law that makes it illegal to transmit junk faxes and sets a fine of $500 per incident, payable to the recipient, and $1,500 per incident if it can be proven that the originator of the junk fax knowingly violated the law. The amendment resembles suggestions from CAUCE (Coalition Against Unsolicited Commercial Email), and would expand the law and the penalties to apply to junk email as well. The existing law has been tested, both in the real world and in court, and has been found both effective and Constitutional. Junk faxes are essentially unknown now because of it.
<http://www.house.gov/chrissmith/>
<http://www.law.cornell.edu/uscode/47/227.html>
<http://www.cauce.org/amendment.html>
I've read through all of CAUCE's material, and I find them to be realistic and level-headed about the entire situation. I strongly encourage you to go to their site and read their explanations of why they feel legislation is the only course of action remaining. Essentially, CAUCE recommends an "opt-in" solution, where the only commercial email you receive is that which you ask for. If you agree with CAUCE's stance, consider joining and helping to spread the word... through non-spam techniques, of course.
There are tons of anti-spam resources available on the Internet these days - here are a few that I've visited. Note that they may have different opinions or propose different courses of action than I have above. Take everything you read here and elsewhere with a grain of salt. No one has a monopoly on the truth or even the one right way.
<http://www-fofa.concordia.ca/spam/>
<http://www.cnet.com/Content/Features/Howto/Spam/index.html>
<http://www.csn.net/~felbel/jnkmail.html>
<http://spam.abuse.net/spam/>
<http://www.mcs.com/~jcr/junkemail.html>
This week we cover time and space, two small concepts that will help you travel back to 1956, or around the world in 24 hours. Then we try to expand on what TCP really stands for (and have to flee the country).
Question: Where Do Time Zones Come From? In email headers after the time, I sometimes see a time zone indication like EDT or CET. I am looking for a complete list of these codes, but couldn't find it on the Web. - Andree Hollander <andree_hollander@spidernet.nl>
Answer: There are 24 time zones around the world, as you might expect, given the length of the day. The U.S. Naval Observatory has a map of these divisions and the exceptions to them; some states and provinces use half-hour offsets to avoid being further out of sync with the rest of their country or region.
<http://aa.usno.navy.mil/AA/faq/docs/world_tzones.html>
Most mail programs include not only local time, but an offset from what used to be known as Greenwich Mean Time (GMT) but is now known as Universal Time (UT) or a similar variant. GMT is the abbreviation used in mail headers, but the offset you see - like +0700 - is the number of hours to add to local time to equal GMT.
It was peculiarly hard to find a complete list of time zones by country and designation. In the above question, EDT is Eastern Daylight Time and CET is Central European Time. Those are easy enough. But when you get outside of the U.S. and Europe, time zone names become a little... weird. After a long search, I found a list of time zones in a Unix tar archive that had been "gzipped" (compressed using GNU ZIP software), and we've put that on the NetBITS site. There's also an excellent site that explains how the International Standards Organization (ISO) thinks time should be displayed.
<http://www.netbits.net/resources/country-timezones.txt>
<http://www.ft.uni-erlangen.de/~mskuhn/iso-time.html>
On a separate but related note, you'll notice that if you use a big service provider, like AT&T WorldNet, or a commercial online service, like America Online, the timestamp of your outgoing mail is that of the time zone in which the mail servers physically reside - not necessarily the time zone of your machine. So if you send mail to yourself on the West coast of the U.S. via AOL, it looks like you sent it three hours after you've received it.
That reminds me of an anonymous limerick often cited by Isaac Asimov:
There once was a lady named Bright,
Who travelled much faster than light.
She started one day
In a relative way,
And returned on the previous night. [GF]
Question: Blast from the Past? Since we're on the subject of time on the Internet, we'd like to thank Sylvia Belgodere for subscribing to NetBITS... from 1956 (according to the date line of her email message). We had no idea that NetBITS was popular back in 1956! Is Sylvia a time traveller reading her email while on a trip to the past using a Time & Location Manager-equipped PowerBook? Or is there some other reason why her mail (and that of many others on the Internet) has a weird time?
Answer: Most, if not all, email programs pick up the current date from the system clock of the computer they're on. Since it's all too easy to set a clock wrong, and since computer clocks also control the date setting, you should check the time and date setting to make sure it's correct. On a Macintosh, use the Date & Time control panel; in Windows, use the Date/Time control panel. While you're there, make sure your time zone and daylight savings time settings are correct for your location.
Although this may seem like a minor problem, remember that many email programs sort incoming messages by date. So, in my copy of Eudora Pro, for instance, if a message comes in with the year set to 1956, Eudora will sort it to the top of my In mailbox. However, since most incoming messages sort to the bottom of my In mailbox (and since I receive hundreds of messages each day), I may not even notice an incorrectly dated message for a while.
Perhaps in a future FAQtoids we'll report on how to have your computer set its clock automatically from an atomic clock when you connect to the Internet. [ACE]
Question: Terrifying Capitals or Pointless? Every introductory article on TCP/IP explains what IP stands for but not what TCP stands for. This trend is so consistent that I must assume it is intentional. I do not want to know what TCP stands for, I just want to know: why is it a secret? Is this an acronym which someone forgot to explain to someone else at a crucial moment in history and today there is not a person alive who knows what TCP is? - Bill Freese <iedbf@montana.edu>
Answer: If you think TCP is an odd acronym, look at TWAIN. A scanner protocol developed by a consortium, it used to stand for Technology Without An Important (or Interesting) Name. However, the TWAIN Working Group denies TWAIN was ever an acronym.
<http://www.twain.org/faq/faq.html>
TCP is Transmission Control Protocol, but it's one of those acronyms that's just so rooted (not routed) in history, that it doesn't really mean anything now. What the heck does "transmission control protocol" mean? It could be the way you move a car's gear shift in geek speak.
TCP is vastly confusing. The protocol is a seven-layer cake (literally seven layers but not literally a cake), with each layer being a further abstraction. You have an application layer, where programs talk one kind of language. You have deeper layers where data gets packaged, and even deeper ones where the TCP stack of layers talks to a physical device, like an Ethernet controller, and keeps track of how well the data is transferring and retransmits packets as needed. We might get into this in future issues, or might run screaming into the night. Now that we've given out the secret of the acronym, we might no longer be safe. [GF]
<http://oac3.hsc.uth.tmc.edu/staff/snewton/tcp-tutorial/sec2.html>
Question: Big Brother Is Clicking Here? Every so often I hear or read that Government / Big Business / The Trilateral Commission / AOL / Mom / (fill in the blank) is tracking everything I do on the Internet. Is this possible? Is it likely? Should I start packing for Bolivia now? - Mark Pearson, <pearsonm@aol.com>
Answer: Yes. I just blew the cover on TCP, so it's all over. [GF]
[Please send us any and all Internet questions (even if you think everybody knows the answer!) to <faqtoids@netbits.net>, and include your full name and email address. Questions may be edited for content and length. We cannot guarantee publication or a reply.]
Speed Freaks -- Bob Nirenberg <RNIRENBE@us.oracle.com> points out a missing element in FAQtoids 001 about ISDN and serial port limitations.
I noticed you talked about the 115 Kbps limit for Mac serial port connections to ISDN, but you could have mentioned that some ISDN devices connect to your Mac via Ethernet, which relative to ISDN has unlimited capacity.
Another reader noted that you can buy and install cheap, high-speed serial cards in Macs that have card slots and achieve the same results without buying a GeoPort compatible device.
It's "Jiff" and I Don't Want to Hear Another Word -- Logic may dictate the "g" in GIF (Graphic Interchange Format) is pronounced hard, like gift or gefilte fish, but that didn't stop dozens and dozens of readers from offering opinions, many of them hilarious.
However, several people wrote to say that they either worked with folks at CompuServe or read the original GIF specification, all of which specified a soft "g". None of us at NetBITS understand why we haven't seen the definitive word before, so here it is. Charlie Reading <charlier@kreber.com> writes:
I worked with the creator of GIF (Steve Wilhite) when I was still employed by CompuServe. Steve always pronounced it "jiff" and would correct those who pronounced it with a hard G. "Choosy developers choose GIF" (spinning off of a historically popular peanut butter commercial).
If you want to make a difference in this pronunciation conundrum, print this piece of NetBITS out and send it to the person who writes your local newspaper's technology or Internet column. We now have the specification's authoritative pronunciation. Let's stamp out the hard "g," however logical, once and for all.
AOL and Innocent By-Senders -- AOL offers an anti-spam feature called PreferredMail that its subscribers can activate. By doing so, an AOL account can bounce all mail from a list of offenders that AOL is constantly compiling. This may be problematic when they sing "Return to Sender" to the wrong person. John Bowden <jbowden@theramp.net> writes of his difficulty.
John attempted to send email to a company's AOL account, but they couldn't receive his mail. After two months, he found a non-AOL address for the firm and was able to contact the company. He writes:
The AOL postmaster was contacted (and to date has ignored [the company's representative] and myself); my ISP's postmaster says things are working okay. For whatever reason, [the person I was trying to contact] had the thought to turn off the AOL's PreferredMail. Lo and behold, all of the email I had told her I sent flowed into her mail box.
Somehow the AOL folks have determined I am a source of email spam, and have programmed their filter appropriately. So I can't communicate with any friends or businesses that have AOL accounts using AOL's PreferredMail feature.
John also notes PreferredMail can only be active or inactive, and there's no way to use only part of AOL's PreferredMail site list without going to a lot of trouble. We've heard this comment from others, and it's a real problem. Unless AOL implements some reasonable procedure discussing how ISPs and individuals get added to this list, AOL may become isolated. As Glenn points out, forgery is a piece of cake, so AOL may be blocking dozens or thousands of addresses and service providers who had nothing to do with spam - they were just "innocent by-senders."
[Please send letters to the editor to us at <letters@netbits.net>. Please include your full name and email address. Letters may be edited for content and length. All letters become the property of TidBITS Electronic Publishing. We cannot guarantee publication or a reply.]
Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Others please contact us. We do not guarantee accuracy of articles. Caveat lector. Publication, product, and company names may be registered trademarks of their companies.