Luke Haber
Team Leader - Client Technical Support, Information Technology and Telecommunications
Services, Southern Cross University, PO BOX 157 Lismore NSW 2480
Research Masters Student, Graduate Research College, Southern Cross University,
PO BOX 157 Lismore NSW 2480
Spam is an annoyance to users as well as a threat, and organisations face
challenges in protecting email account holders from unwanted and unsolicited
bulk email attacks. Spammers collect email addresses by harvesting them from
websites and flood our inboxes, taking up storage and costing time and money to
remove and to implement controls. Spam works toward eroding the validity of email
and in some cases our mailboxes fill with as much spam as
legitimate mail.
The majority of spam is from offshore sources, which makes local legislation
difficult to enforce and spammers difficult to track. Spam is a global problem
that countries need to collaborate to combat and ban. This paper outlines
some best practices for users to reduce the risk of being spammed.
The global cost of spam was estimated by the Radicati Group in 2003 to be $20.5
billion or $49 per user mailbox. [HREF1]
"Spamming is the scourge of electronic-mail and newsgroups on the Internet.
It can seriously interfere with the operation of public services, to say nothing
of the effect it may have on any individual's e-mail mail system. Spammers are,
in effect, taking resources away from users and service suppliers without
compensation and without authorisation."
-- Vint Cerf, Senior Vice President, MCI and acknowledged "Father of the
Internet" [HREF2]
Spam to the normal person is a form of tinned meat. The word "Spam"
as applied to email means Unsolicited Bulk Email ("UBE"). Unsolicited means
that the recipient has not granted verifiable permission for the message. Bulk
means that the message is sent as part of a larger collection of messages,
all having substantially identical content. [HREF3]
- There is no cost to the sender, which is why they send it.
- It costs to download, and costs you, your employer or organisation.
- It takes time to look through and delete, and to implement controls to
reduce it.
- For some users spam exceeds the volume of legitimate emails.
- Not implementing controls and just deleting does not work, as the spammer will
continue to send more spam.
- Overseas sources are hard to trace, and offenders are hard to locate.
The Spam Act 2003 (Cth) bans most commercial spam, with penalties of
up to $1.1 million applying for breaches of that Act as of April 10th 2004.
Under the Act it is illegal to send, or cause to be sent, unsolicited commercial
electronic messages that have an Australian link. [HREF4]
The Privacy Act 1988 (Cth) generally requires organisations collecting
electronic mail addresses to seek permission from the address holder in order
to use the address for direct marketing purposes.
Other laws cover practices that spammers use, such as the Trade Practices
Act 1974 (Cth), which relates to false and misleading claims, and the
Crime Act 1914 (Cth), which relates to offences that interfere with, interrupt
or obstruct the lawful use of a computer by means of a carrier (ISP). [HREF5]
In June 2005 the Australian Communications Authority (ACA) announced that it
was taking action in the Federal Court against an alleged global spammer
based in Perth. The ACA alleges that Clarity1 Pty Ltd (which used the trading
names Business Seminars Australia and the Maverick Partnership) and
its managing director Wayne Mansfield sent at least 56 million commercial emails
during the year after commencement of the Spam Act 2003, with most
of those messages "believed to have been unsolicited and in breach of the
Act".
Clarity1 is listed by anti-spam watchdog Spamhaus as allegedly one of the world's
top 200 spammers. [HREF6]
Due to the low response rate of advertising through unsolicited email, it is
important for a spammer to have a comprehensive list of email addresses.
Because few people would be prepared to knowingly hand over their address to
a spammer, addresses are usually collected from the public domain.
Common methods and locations spammers use for automatically harvesting addresses
include:
- Web pages (especially guestbooks and forums)
- Posts to UseNet with your email address.
- Mailing lists
- Various web and paper forms
- Domain contact points
- Dictionary attacks on username or domain
- Predictable email address patterns
- From white and yellow pages
- Chat rooms [HREF7]
Other spam comes from sources you know and is named acquaintance spam
[HREF8].
Your address is obtained from:
- Product registration cards
- Registrations with web servers
- Companies that you do business with
- Online purchases
- Other forms that require your email address
- Limit postings to newsgroups and forums with your email address
- Use ISPs/Hosts that have free SPAM filtering
- Use aliases on websites, thus hiding your actual email address, e.g. sales@yourcompany.com,
Service@yourcompany.com
- Use a separate email address for work and personal. Ask work colleagues, friends
and family not to give out your email address without your
permission. Limit personal emails to your work address.
- Search the Internet for your email address and limit the number of websites it
appears on. Ask sites to remove references to your address.
- Remove mailto: references from websites and replace email addresses with
graphics or clear text which hide the @ symbol. This is often called address
munging: the practice of disguising an email address to prevent it being
automatically collected. [HREF9]
- Hide your email address in IRC and ICQ programs and do not select usernames
that are similar to your email address.
- Turn up privacy in browser settings to block cookies that do not have a privacy
policy. Also turn up security in browsers to prevent downloading files without
consent. Delete cookies and temporary internet files daily/weekly.
- Be wary of who you give your business cards to, as they contain your email
address.
- Use a combination of firewall, anti-virus (AV) and anti-spyware products together
to prevent your email address from being stolen when online.
- Report spammers in Australia by visiting the Australian Communications and Media
Authority website:
http://www.acma.gov.au/ACMAINTER:STANDARD::pc=PC_2008
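The mailto: removal and address munging practice from the list above, as an added example that is not part of the original paper: it audits a page for addresses that simple pattern matching would collect, then rewrites them as clear text that hides the @ symbol. The function names, the "at"/"dot" wording and the sample page are assumptions made for illustration.

```python
import re

# Pattern a simple harvester would match: user@domain.tld in raw page text.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Anchor whose href is a mailto: link; group 1 is the address, group 2 the link text.
MAILTO_LINK = re.compile(
    r'<a\s[^>]*href\s*=\s*["\']mailto:([^"\'?]+)[^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)


def find_exposed_addresses(html):
    """Return sorted unique addresses readable by pattern matching on the page."""
    return sorted({m.group(0).lower() for m in ADDRESS.finditer(html)})


def munge(address):
    """Disguise an address as clear text that hides the @ symbol."""
    user, domain = address.split("@", 1)
    return f"{user} at {domain.replace('.', ' dot ')}"


def munge_page(html):
    """Drop mailto: anchors and rewrite every plain address in munged form."""
    html = MAILTO_LINK.sub(lambda m: munge(m.group(1)), html)
    return ADDRESS.sub(lambda m: munge(m.group(0)), html)


# Constructed sample page (not from the paper).
SAMPLE_PAGE = """
<p>Contact <a href="mailto:sales@yourcompany.com">sales@yourcompany.com</a></p>
<p>Support: Service@yourcompany.com</p>
"""

if __name__ == "__main__":
    print("Before:", find_exposed_addresses(SAMPLE_PAGE))
    cleaned = munge_page(SAMPLE_PAGE)
    print(cleaned)
    print("After:", find_exposed_addresses(cleaned))
```

Running the audit function over your own published pages before and after the rewrite shows which addresses remain exposed. Munging of this kind only defeats simple pattern matching, so it complements aliases and filtering rather than replacing them.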
If you are from a public organisation, you will face greater challenges, as
your email address may be required to be on publicly available websites for
people to contact you. Consider using graphics instead of text, or email aliases
instead of the actual address.
Just deleting spam is a time-consuming and frustrating task and not a
long-term solution. Implementing an action plan to reduce spam through the use
of software, hardware and technical controls is the most effective
organisational solution.
Install anti-spyware software and use a personal firewall to prevent email
addresses from being stolen while online.
Legislation will not work unless a global agreement is found to fight spam
and prosecute offenders with tougher penalties. As a last resort, change your
email address if spam becomes unmanageable.