William Yang - Talks and Tutorials

Using Internet Standards to Control the Cost of Spam

A standards-based attempt to control the cost of unsolicited bulk electronic mail at the Greater Columbus Free-Net.

With the explosion of the number of Internet-connected hosts and the unprecidented growth of the number of people using the Internet, clear erosion on the 'Information Super Bike-Path' is becoming apparent. One of the most visible problems for the Internet is the issue of 'spam' -- unsolicited bulk electronic mail which is generally of a commercial nature. It is possible to define patterns with which we can identify spam and thus put into place measures which will reduce the volume (and cost) of running electronic mail services, without undermining legitimate use of such systems.

COPYRIGHT

This presentation and area are:

Copyright ©1997-8 by the Greater Columbus Free-Net.
All rights reserved.

HISTORY

1. 23 Jul 97 to the Ohio State University Security Working Group.
2. 23 Oct 97, Network Security '97 birds-of-a-feather session.
3. 12 May 98, SANS '98 peer-reviewed session

SUMMARY

The Greater Columbus Free-Net (GCFN.ORG) has become concerned about the issue of unsolicited, unwelcome, unwanted, high-volume electronic mail, which for the purposes of this discussion shall be called "spam."

Spam is problematic for a number of reasons, the most important of which is that the real cost of such traffic is carried by people other than those who benefit from it. In terms of the GCFN.ORG problem, by early June, 1997, spam had become such an incredible drain on our staff time that, in order to guarantee project continuation, some controlling measures had to be put into place. Our analysis of many of the numerous spam complaints we've received determined that there are patterns to at least the kinds of spam that users get upset about. Our analysis seems to indicate that certain parts of the published standards for e-mail communication were not being followed in many spam incidents.

Thus, an effective method for controlling spam would be to enforce standards compliance on incoming electronic mail. Using the Berkeley sendmail package (version 8.8), we implemented two standards-compliance checks against the SMTP (e-mail) delivery transactions. The result: a drop in spam volume -- over a quarter million attempts to deliver non-compliant mail were rejected -- with exactly no legitimate messages being blocked over the 3-week examination period following our changes.

Following the initial successes of the sendmail defensive measures, users experienced a second wave increase in spam volume. Through the creation of an anti-spam filtering system that users have direct control over resolved the staff commitment and gave the users a sense of self-determination and allowed them to re-take control of their electronic mail usage once more.

The technical portion of this talk discusses the technology and standards of electronic mail transmission, with a strong focus on effective choke points that can be utilized to reduce unsolicited, unwanted, unwelcome electronic mail. Specifically, we consider run-time and compile-time options to reduce the cost of running an electronic mail service within the context of the sendmail v8.8 software and the procmail 3.11pre7 mail processor.

The policy portion of this talk discusses the current legal status of electronic mail defense mechanisms, consideration of some of the management issues involved in determining the cost that spam is inducing on a system.

This material requires aproximately one-hour. It is written to the interested site administrator or policy maker audience.

REFERENCES

• sendmail, 2nd edition by Bryan Costales with Eric Allman. ISBN 1-56592-222-0. Publishing information is available at the O'Reilly and Associates web page, http://www.ora.com

• Sendmail Home Page, http://www.sendmail.org
• Using the check_* rulesets in sendmail 8.8, http://www.informatik.uni-kiel.de/~ca/email/check.html
• The Procmail FAQ (original location).
  • Mirror site (United States)
  • Mirror site (United Kingdom)
• Fight Spam on the Internet! http://spam.abuse.net

• RFC 821: Simple Mail Transfer Protocol
• RFC 822: Standard For the Format of ARPA Internet Text Messages
• RFC 1034: Domain Names - Concepts and Facilities
• RFC 1123: Requirements for Internet Hosts - Application and Support
• RFC 1893: Enhanced Mail System Status Codes
• RFC 1173: Responsibilities of Host and Network Managers: A Summary of the "Oral Tradition" of the Internet

• Spam Gift Catalog - Here as a reminder that you shouldn't lose perspective when spam fighting.

Biography

William Yang is the State IT Security Policy Officer for the State of Ohio, responsible for enterprise information assurance/security strategy and policies. In addition to standard assurance activities in relation to information crime, he is actively involved in regulatory compliance, critical infrastructure protection, and homeland security efforts for the government of Ohio. His prior experience includes being the director of operations for a managed security service company, and extensive experience with OSC (Ohio Supercomputer Center), leading software development projects and handling the application of Internet technologies to the cultural, social, and political enrichment of communities.

Mr. Yang has been actively involved in fostering cooperation, information sharing, and trust between law enforcement and private industry since 1995. He was one of six founding members of the InfraGard Provisional National Executive Committee in 1998 and served on the National InfraGard Executive Board through 2003. He was the first elected leader of the public-private partnership organization, InfraGard, serving as Chair of the Executive Board from 2001-2002.

Mr. Yang graduated with a bachelor of arts in Philosophy from the Ohio State University in 1995. He is the founder of GCFN.NET, a network service based on the process of building trust and community to better deliver real solutions.