Post on 24-Dec-2015
INDIANA UNIVERSITYC A N N I N G S P A M A T
Copyright Notice
• Copyright Merri Beth Lavagnino, Marsha Waren, and Rick Jackson, 2003. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the author.
INDIANA UNIVERSITYC A N N I N G S P A M A T
Canning SPAM at Indiana University:
What’s Possible & What’s Not
Merri Beth Lavagnino, Deputy IT Policy OfficerMarsha Waren, Senior Communications Specialist
Rick Jackson, Manager, Messaging
INDIANA UNIVERSITYC A N N I N G S P A M A T
Outline of Presentation
• Merri Beth: Overview of the problem and the legal issues to be considered
• Marsha: Educational campaign
• Rick: Technical options
INDIANA UNIVERSITYC A N N I N G S P A M A T
What Was the Problem?
0
500
1000
1500
2000
2500
3000
1998 1999 2000 2001 2002
Number of “Unsolicited Commercial Email” reports to IT Incident Response
INDIANA UNIVERSITYC A N N I N G S P A M A T
Who Needed to Be Involved?• Information Technology Policy Office: handles
Incident Response• Messaging Team: manages the email systems • Support Center: provides user support, for example,
on how to set your filters in email• Departmental Services: provides support to
computer professionals in departments• Communications and Planning Office: coordinates
user and public communications about information technology
• University Counsel: legal counsel for the university
INDIANA UNIVERSITYC A N N I N G S P A M A T
Education Project
• To engage our users in protecting their IU email addresses
• FTC found that:– 100% of email addresses posted in CHAT
ROOMS received spam– 86% posted at NEWSGROUPS or on WEB
PAGES– 50% at free WEB PAGE SERVICES– 27% from MESSAGE BOARD postings– 9% from EMAIL SERVICE DIRECTORIES
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Project
• Our goal a year ago:– To assist our users in dealing with spam
when they do receive it, by providing an opt-in filtering service
• Our goal today:– To keep our email systems running!
INDIANA UNIVERSITYC A N N I N G S P A M A T
Legal Issues to Consider
• First Amendment– Does NOT apply to fraudulent emails, deceptive
advertising, illegal activities
• To burden free speech, must show compelling governmental interest– Degradation of service, inability to deliver email in a
timely manner, etc.
• Take all possible actions to avoid the necessity of burdening free speech and to remove the constraints as soon as possible
INDIANA UNIVERSITYC A N N I N G S P A M A T
Legal Summary
• To the maximum extent possible, keep control of communications in the hands of the individual users
• If central action taken:– Document the problem– Actions narrowly tailored to fit the problem– Apply to fraudulent communications only
INDIANA UNIVERSITYC A N N I N G S P A M A T
Educating Users
• Initiated University-wide Spam Communications Campaign
• Technology organization (UITS) to serve as model. Advance compliance requests to:– UITS staff– IU webmasters– Departmental technology support providers
INDIANA UNIVERSITYC A N N I N G S P A M A T
• Updated our Knowledge Base (KB) about spam– "What is spam e-mail?"– "What does Indiana University do about
spam"– "What is e-mail fraud, and what should I do
about it?" – "What can I do to avoid spam e-mail?”– "What should I do when I get spam e-mail?"
Educating Users
INDIANA UNIVERSITYC A N N I N G S P A M A T
Educating Users
• Pervasiveness of e-mail address harvesting
• Created new KB articles: – Protecting Web pages from harvesting
• With email form template
– Protecting newsgroup & chat postings– The risks of autoresponse (“vacation”) email
INDIANA UNIVERSITYC A N N I N G S P A M A T
Educating Users
• Included info in educational materials
• Published two-part article in faculty/staff newspaper
• Announced in technology newsletters on both core campuses (40,000 recipients)
• Presented at committee meetings, Infoshares, departments, etc.
• Developed spam brochure
INDIANA UNIVERSITYC A N N I N G S P A M A T
Educating Users
• Incident Response modified communications with users:– New email autoreply to address spam
complaints– New boilerplate message to inform users with
spam problems how to protect themselves and where to get help
INDIANA UNIVERSITYC A N N I N G S P A M A T
Educating Users
• Teaching users how to protect themselves was very effective in reducing the number of complaints about spam.
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Definition
• Environment
• Anti-SPAM Measures
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• SPAM:– Special– Processed– Annoying– Mail
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Environment:– ~ 1.5-3 Million inbound messages/day– ~ 1 Billion/year– ~100 % increase in six months
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• IU Email Environment:– Mail Services for all campuses – 120,000 IMAP users– 30,000 Exchange users
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• How much spam is too much?– Two occasions with multi-day delays in
processing mail – Data suggest that since October 2002 spam
accounts for 40-60% of all inbound mail to IU.
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• The Plan:– 1st Amendment concerns – Build a system users to choose to use
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Three-prong Attack:– SPAM Filtering– Black Lists– White Lists
• All measures should be ‘opt-in”
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Spam Filtering:– Inbound mail examined – Confidence levels assigned– Rules applied on mailbox servers– Action taken defined by individual
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Black Lists:– Mail rejected based on sender– Lists created by filtering software– Individuals will be able to look up what is
being blocked
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• White Lists:– Individuals create lists of domains or of
individuals from whom they will accept mail – Senders not on the list, must reply correctly
to a message in order for your mail to be delivered.
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Reality Part 1:– These measures WILL NOT stop SPAM!– These measures WILL have a huge impact
on resources
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Reality Part 2:– Spam level spikes caused denial of service.– Spam levels continue to cause problems with
mail delivery– After second spam induced denial of service
we took action to try and block inbound spam– Currently unable to implement opt-in solutions
due to flood of spam
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Real-time Block Listing:– DNS-based database of IP addresses of
spam sources – Queried in real time by mail systems – ~8,000 messages per hour blocked
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
• Future Reality:– Spam will continue to increase at alarming
rates in lieu of legislated restrictions.– Spammers are working to circumvent anti-
spam measures. – The solution will be multi-faceted and will
have to be updated constantly.
INDIANA UNIVERSITYC A N N I N G S P A M A T
Technical Options
NOTHING WILL STOP SPAM!
Goal is to make it more manageable.