INDIANA UNIVERSITYC A N N I N G S P A M A T

Copyright Notice

• Copyright Merri Beth Lavagnino, Marsha Waren, and Rick Jackson, 2003. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the author.

INDIANA UNIVERSITYC A N N I N G S P A M A T

Canning SPAM at Indiana University:

What’s Possible & What’s Not

Merri Beth Lavagnino, Deputy IT Policy OfficerMarsha Waren, Senior Communications Specialist

Rick Jackson, Manager, Messaging

INDIANA UNIVERSITYC A N N I N G S P A M A T

Outline of Presentation

• Merri Beth: Overview of the problem and the legal issues to be considered

• Marsha: Educational campaign

• Rick: Technical options

INDIANA UNIVERSITYC A N N I N G S P A M A T

What Was the Problem?

0

500

1000

1500

2000

2500

3000

1998 1999 2000 2001 2002

Number of “Unsolicited Commercial Email” reports to IT Incident Response

INDIANA UNIVERSITYC A N N I N G S P A M A T

Who Needed to Be Involved?• Information Technology Policy Office: handles

Incident Response• Messaging Team: manages the email systems • Support Center: provides user support, for example,

on how to set your filters in email• Departmental Services: provides support to

computer professionals in departments• Communications and Planning Office: coordinates

user and public communications about information technology

• University Counsel: legal counsel for the university

INDIANA UNIVERSITYC A N N I N G S P A M A T

Education Project

• To engage our users in protecting their IU email addresses

• FTC found that:– 100% of email addresses posted in CHAT

ROOMS received spam– 86% posted at NEWSGROUPS or on WEB

PAGES– 50% at free WEB PAGE SERVICES– 27% from MESSAGE BOARD postings– 9% from EMAIL SERVICE DIRECTORIES

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Project

• Our goal a year ago:– To assist our users in dealing with spam

when they do receive it, by providing an opt-in filtering service

• Our goal today:– To keep our email systems running!

INDIANA UNIVERSITYC A N N I N G S P A M A T

Legal Issues to Consider

• First Amendment– Does NOT apply to fraudulent emails, deceptive

advertising, illegal activities

• To burden free speech, must show compelling governmental interest– Degradation of service, inability to deliver email in a

timely manner, etc.

• Take all possible actions to avoid the necessity of burdening free speech and to remove the constraints as soon as possible

INDIANA UNIVERSITYC A N N I N G S P A M A T

Legal Summary

• To the maximum extent possible, keep control of communications in the hands of the individual users

• If central action taken:– Document the problem– Actions narrowly tailored to fit the problem– Apply to fraudulent communications only

INDIANA UNIVERSITYC A N N I N G S P A M A T

Educating Users

• Initiated University-wide Spam Communications Campaign

• Technology organization (UITS) to serve as model. Advance compliance requests to:– UITS staff– IU webmasters– Departmental technology support providers

INDIANA UNIVERSITYC A N N I N G S P A M A T

• Updated our Knowledge Base (KB) about spam– "What is spam e-mail?"– "What does Indiana University do about

spam"– "What is e-mail fraud, and what should I do

about it?" – "What can I do to avoid spam e-mail?”– "What should I do when I get spam e-mail?"

Educating Users

INDIANA UNIVERSITYC A N N I N G S P A M A T

Educating Users

• Pervasiveness of e-mail address harvesting

• Created new KB articles: – Protecting Web pages from harvesting

• With email form template

– Protecting newsgroup & chat postings– The risks of autoresponse (“vacation”) email

INDIANA UNIVERSITYC A N N I N G S P A M A T

Educating Users

• Included info in educational materials

• Published two-part article in faculty/staff newspaper

• Announced in technology newsletters on both core campuses (40,000 recipients)

• Presented at committee meetings, Infoshares, departments, etc.

• Developed spam brochure

INDIANA UNIVERSITYC A N N I N G S P A M A T

Educating Users

• Incident Response modified communications with users:– New email autoreply to address spam

complaints– New boilerplate message to inform users with

spam problems how to protect themselves and where to get help

INDIANA UNIVERSITYC A N N I N G S P A M A T

Educating Users

• Teaching users how to protect themselves was very effective in reducing the number of complaints about spam.

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Definition

• Environment

• Anti-SPAM Measures

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• SPAM:– Special– Processed– Annoying– Mail

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Environment:– ~ 1.5-3 Million inbound messages/day– ~ 1 Billion/year– ~100 % increase in six months

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• IU Email Environment:– Mail Services for all campuses – 120,000 IMAP users– 30,000 Exchange users

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• How much spam is too much?– Two occasions with multi-day delays in

processing mail – Data suggest that since October 2002 spam

accounts for 40-60% of all inbound mail to IU.

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• The Plan:– 1st Amendment concerns – Build a system users to choose to use

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Three-prong Attack:– SPAM Filtering– Black Lists– White Lists

• All measures should be ‘opt-in”

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Spam Filtering:– Inbound mail examined – Confidence levels assigned– Rules applied on mailbox servers– Action taken defined by individual

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Black Lists:– Mail rejected based on sender– Lists created by filtering software– Individuals will be able to look up what is

being blocked

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• White Lists:– Individuals create lists of domains or of

individuals from whom they will accept mail – Senders not on the list, must reply correctly

to a message in order for your mail to be delivered.

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Reality Part 1:– These measures WILL NOT stop SPAM!– These measures WILL have a huge impact

on resources

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Reality Part 2:– Spam level spikes caused denial of service.– Spam levels continue to cause problems with

mail delivery– After second spam induced denial of service

we took action to try and block inbound spam– Currently unable to implement opt-in solutions

due to flood of spam

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Real-time Block Listing:– DNS-based database of IP addresses of

spam sources – Queried in real time by mail systems – ~8,000 messages per hour blocked

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

• Future Reality:– Spam will continue to increase at alarming

rates in lieu of legislated restrictions.– Spammers are working to circumvent anti-

spam measures. – The solution will be multi-faceted and will

have to be updated constantly.

INDIANA UNIVERSITYC A N N I N G S P A M A T

Technical Options

NOTHING WILL STOP SPAM!

Goal is to make it more manageable.