Cruzio's Focus On Spam
   Cruzio/The Internet Store Newsletter - Number 64, May 20, 2003

A few announcements below, followed by a newsletter devoted to
junk email, or spam, the topic Cruzio members ask us about most. 

*********Announcements:
1. Free: "Getting the Most Out of Your Basic Cruzio Account"
2. One more week for Dialup Sale
3. DSL Sale in July

*********News and Views on Spam:
4. Numbers
5. Cost
6. Why Can't Cruzio Block 100% of Spam?
7. Why do People Think It's Effective to Send Me the Same Offer
	10 Times in One Day?
8. Some Possible Technical Solutions
9. The Legal Scene
10. What Motivates Spammers
11. But I *Want* People to Find Me, Just Not Spam Me
12. Are There Good Offers in Spam?
13. How to Avoid and Block Spam
14. How Do Cruzio Filters Work?
15. An Interview With Cruzio's Engineers
16. Activating the Spam Filter: One Woman's Story
17. Interesting Links
18. About This Newsletter
19. How to Reach Cruzio (dial-in or tech support)


*********Announcements
1. Free: "Getting the Most Out of Your Basic Cruzio Account"
	Thursday, May 22, 2003 -- from noon to 1:30 pm
	at Cruzio's downtown Santa Cruz store
This is one of Cruzio's most popular Brown Bags. Come in
and learn about:
	- Cruzio's email options
	- Your FREE spam filter
	- Online support services
	- Local online resources
	- The Cruzio Customer Page
and be sure to bring your questions! The workshop will be
led by Cruzio Marketing and Tech Support Staffers, the dynamic
Ezra, Krissie and Bhag. Register at http://www.cruzio.com
or call the events hotline: 831 459 6301 extension 247.
	

2. One more week for Dialup Sale
Until May 31st, Cruzio Dialup Internet Access is on sale. New
signups get the 3rd month free. Time to get that extra account
if you need one, and remember that you get a $10 credit on your
account if you recommend Cruzio to a friend! (The friend must
give us your email address, account number, or full name when
they sign up.)


3. DSL Sale in July
Looks like another DSL sale is coming in July. More details to
follow in next month's newsletter.


*********News and Views on Spam:
4. Numbers
The Radicati Group predicts that this year, 45% of all email
will be spam, and that the percentage of spam will increase to 
70% by 2007.

The Eprivacy group estimates that spam volume increases by 18%
per month. 

In February 2003, AOL disclosed that it blocks 780 million spams
per day. (Cruzio, with a much smaller user base, blocks hundreds
of thousands.)

Harris polls showed that the number of people who find spam
"very annoying" grew from 49% to 80% from 2000 to 2002.

0.00036% (36 sales from 10,000,000 emails) is the percentage of
sales in response to spam in a recent Wall Street Journal case
study. The spam house still made a profit.

Ferris Research released a study in January 2003, which  
found spam costs U.S. businesses $8.9 billion each year.


5. Cost
How much time do you waste each day sorting spam out of your
mailbox? Multiply that by hundreds of millions of people
trying to read their email and you have an idea of the user cost.

Not to mention how you might have spent your time more
enjoyably or profitably if you hadn't spent it on spam
(economists call this opportunity cost.)

How much does Cruzio spend per month on spam? We buy equipment
and software that receives -- and sometimes rejects -- email
messages; pay for the bandwidth to transfer these messages from
the Greater Internet into our servers; and pay staff to try to keep
the servers afloat when spam threatens to sink them. Cruzio
spends hundreds of thousands of dollars a year on spam. Multiply
that by all the other ISPs out there: the big ones, like AOL,
spend many millions of dollars per year.

Spam costs users and ISP's a ton of money. Spam costs spammers
almost nothing.


6. Why Can't Cruzio Block 100% of Spam?
Customers often ask us to block all their spam, and we would
like to prevent people from getting unwanted email. But it is
difficult to block unwanted mail without blocking some legitimate
mail as well, and Cruzio has tried to avoid this.

Spammers write as if they are friends or family, and disguise their
messages so that sometimes no one but you can tell the difference.
We block the obvious spam that floods our servers from addresses
we know to be fake or from known sources of spam ("spam houses.")
For the rest, we provide you the best tools we can for you to block
the spam at the level you prefer.


7. Why do People Think It's Effective to Send Me the Same Offer
	10 Times in One Day?
We don't understand that either. Even assuming that we would
be interested in a Get-Rich-Quick scheme, wouldn't one offer
suffice? It is so cheap to send spam that it means nothing
to send the same email to the same person over and over and over.


8. Some Possible Technical Solutions
According to Cruzio Chief Technical Officer Chris Neklason,
technical solutions offer the most hope against spam. Here
are some possibilities:

o Change the protocols
	The email industry could change the way that email is
	sent and delivered, so that the sender becomes more
	easily identifiable. 
o Charge some tiny amount for sending email
	If everyone had to pay even a fraction of a cent to send a
	message, it would barely affect normal emailers but would
	make spamming far less economical.
o New and better filters
	There are some promising ideas for smarter filtering systems,
	such as Bayesian filters which combine information from many
	sources to separate out spam. (A human can tell spam easily,
	but automated processes have a much harder time.)
o Challenge-response
	Recipients using this system only receive email from known
	senders. Any mail from someone not in the "accept" list is
	bounced back to the sender with a request for action. For
	example the sender might need to repeat back a code word
	or perform some other simple task. The theory is that human
	beings would simply perform the task and re-send the mail,
	but an automated program couldn't do it.

Each of the above solutions has disadvantages along with its
advantages: some are more trouble for users or administrators,
some make email more costly. But as spam worsens, the comparative
costs look more manageable.


9. The Legal Scene
A major problem with legal remedies to spam is that the Internet
is international. What's outlawed in the U.S. can simply move
overseas: much of it is there already.

Also, political pressures from lobbyists can cloud and delay
legislation. For example, business interests often succeed
in pushing "opt out" schemes -- that is, someone can send you
ads until you tell them not to. Current California law and the
Burns-Wyden Act now pending in Congress suffer from this failing.

There are some major flaws in "opt-out": It is difficult to find
spammers to tell them to stop. They move often and falsify
addresses. And imagine having to opt out of hundreds of lists
per day -- why should the recipient bear this burden? Cruzio
generally favors "opt-in" for mailing lists.

Another difficulty: many politicians, judges, and even news reporters
are not long-time users of email. Non-geeky folks tend to compare spam
to junk mail delivered via post; they do not realize that it's as if
you had hundreds of (often) blatantly offensive junk mail letters per day, 
and had to search for bills and correspondence in the huge pile. To make
matters worse, you would have paid the postage for the senders. Not 
everyone currently suffers so much from spam, but those whose addresses
have somehow fallen into spammers' hands do experience something much
more serious than paper junk mail.

Cruzio supports well-crafted anti-spam legislation but we
believe the solution will more likely come from the technical
side.


10. What Motivates Spammers?
On the surface, this seems like an easy question: money. The costs
to spam are low, so even a small return can be profitable. And
surely, the large spam houses are making a lot of money.

But if we examine some spam, we can't help but notice that
many messages don't seem to expect or want a return. For
example, some spams are set up to get around filters that
block words like "Porn". The spammer will write "P_o_r_n"
to get by the filter. But why would someone who had taken
the trouble to block "Porn" want to get a message about
"P_o_r_n"? Surely the rate of positive response would be
very low.

Indeed, as Cruzio Engineer Mark Hanford says, "legitimate companies
don't spam. They know it would cause a negative response." What's
left are small-potato, fly-by-night companies and people who
have other motives for sending the junk mail (spite? creative
license?) Cruzio CEO Chris Neklason says, "It's like graffiti."


11. But I *Want* People to Find Me, Just Not Spam Me
Some email addresses are easy for spammers to guess or find
by doing random letter combinations. You can also expose your
email address by putting it on a Web site, or filling it in when
browsing the Internet, joining some organization or buying something.

But these are also positive things. It's nice to have a simple
address so friends and family can remember it. It's good business
to put a working email address on your Web site to get orders and
comments. You don't want to make your family, friends and customers
jump through hoops to reach you!

When openness is important to you or your business, we recommend
using a filter rather than obscurity as protection against
spam. Check "How to Block and Avoid Spam" below for more tips
about avoiding spam while still using email addresses well. 


12. Are There Good Offers in Spam?
There are rarely good offers in Spam, because spammers will
be chased off their ISP's as soon as they are identified, and
that takes only a matter of days. So a spammer will have to
"leave town" quickly. A business that's interested in providing
good customer service, or indeed any customer service at all,
cannot therefore engage in spam. The offers in spam are shady and
misleading at best, and often downright fraudulent.


13. How to Block and Avoid Spam
Blocking Spam:
--------------
-- Use your Cruzio Mail Filter. It's easy and free. To activate the
filter, go to your Cruzio Control Panel and press the "Enable Junk
Email Filter" button. Relief is immediate and impressive. (See
"One Woman's Story", topic #16, for a real-life example.) If
you're not sure how to get started using your filter, please drop
by our Brown Bag Workshop on May 22nd (see item #1 above)
or contact Cruzio Technical Support. We are happy to help.

(Cruzio is confident that our free filter will make a marked
difference. We've had the filter for two years now and are constantly
making improvements on it. If you wish to go even further, there
are other steps you can take, listed below. But please try the filter
first; it can save you a lot of time, money and trouble!)

-- The email program on your computer -- most people use Outlook
Express, Netscape, or Eudora -- often has filtering features.
Activate the filter according to instructions from the program's
maker (check their help or Web sites for their guidelines.)

-- You can install a dedicated spam-killing program on your computer.
One program tested by vigilant Cruzio Tech Support staffer Bhag
is called ChoiceMail. It's found at
	http://www.digiportal.com/choicemail.html

Avoiding Spam
-------------
-- Consider using separate email addresses, each for a different
purpose. Cruzio email accounts come with 6 addresses, so this is
easy and free of charge. Set up one of your mailboxes to receive
purchase confirmations and sweepstakes; another for chat rooms
and newsgroups, etc. That way, your private mailbox stays
relatively private.

-- Don't create an email address that's easy to guess. Spammers
often do "dictionary" lists or combinations of letters, just
trying every combination until they hit an active mailbox.
If your address is abc@cruzio.com, more spammers will happen upon
it than if the address is a1b2c3@cruzio.com.  Of course there is 
a trade-off -- the second address is harder for friends to remember,
too!

-- Never engage spam. If you click on a link in the spam, it's 
counted as a successful "hit" from that email. Those numbers
are used to attract customers to spam houses.

-- Guard against address sharing by reading fine print when
joining or ordering online. Sometimes the company reserves the right
to sell your information. You would want to avoid that. Of course,
the fine print is sometimes long and difficult to read, so it can
be hard to find these clauses.

-- Once your address is on spammer's lists, it will, unfortunately,
stay on those lists and as the lists are sold from spammer to spammer
you will continue to receive junk email. If you cannot stand the level
of spam you get, even with your filter on, you may eventually opt for 
the ultimate (and inconvenient) step of abandoning the mailbox
and starting all over with a new one. If you need to do this, let
Cruzio know that you want to switch your address and we will help
you do so.

We often receive email from our customers about spam, and we
welcome your questions, comments, and suggestions. If you have
found effective ways to avoid spam, please send them in to
office@cruzio.com, and we will publish the most practical ones
in the next newsletter.


14. How Do Cruzio Filters Work?
Cruzio customer email is not filtered until a customer goes to the
Cruzio Control Panel, selects "Junk Mail Filtering" and presses the
"Enable Filtering" button. Once activated, the filter combines many
techniques to block spam:

Is the Sender a spoofed address? Does it match identified spam
from lists? Some organizations hire people who mark specific emails
as spam. Messages matching these are then blocked by the filter.
Or, spam may be identified automatically from words on the subject
line or within the body of the message.

Also, spam can be identified by the number of emails coming rapidly
from one server. (Cruzio sometimes receives thousands of messages
from a single source in a matter of minutes.) Or by the method of
sending: spammers often use the "blind cc:" feature so that they
can send to hundreds of people in one shot without having an
enormous header on the message.

Once suspect mail has been identified, Cruzio's filter puts it into
a "filtered" mailbox. You may examine this mailbox to see if anything
in it is a wanted piece of email, and by clicking on it you ensure
that anything coming from that address in the future will be accepted.


15. An Interview With Cruzio's Senior Engineers
We met in the small, non-luxurious office of Cruzio's co-CEO
and Chief Technical Officer, Chris Neklason. Senior Engineer
Mark Hanford joined us. Both men spend a large percentage
of their time researching and enacting Spam solutions.

Q: Chris, can you describe the current situation?

Chris: Our users should understand that Spam is an arms race of
constantly shifting measure vs. countermeasure. We just keep
upgrading our filters and our servers to deal with increasing
volumes of spam.

In 2002-2003 four or five jumps in the estimated amount of spam
occurred, each jump close to doubling the junk email on the
Internet. It's been very significant for our servers. We are
spending a lot of money and staff time, more R&D dollars,
against spam. In any given week in Engineering, 40 hours is spent
on Spam. Two years ago, we spent very little time on it.

Mark: There are 20 or 30 big spam houses who process most of the
junk email on the Internet. Those 20 or 30 change domain names 
every few days and move. We sometimes can find out spam's
coming from them and intercept it. But it would be a more than
a full time job to try to determine what's spam and block it.
That's not the best way to solve the problem.

Q: How does spam affect an ISP?

Mark: [When spammers send large amounts of mail to us] it hurts
our ability to operate. Even "legitimate" ones connect so much
it requires a lot of computer power to handle it. Our mail
servers are rack-mounted multi-processor servers running the
latest greatest software, but spam can still overwhelm them
if we don't watch out.

We've had a very open policy, and it's a shame we've had to
change that somewhat. For example we can't allow servers with
open relays to send email to Cruzio any more [open relays are
often commandeered by spammers unbeknownst to their owners]
We have to reject open relays, or our servers are overwhelmed.
The server can send us email again once they fix the problem.

Chris: Customers think we're somehow responsible for spam. We spend
lots of money on it, lose customers who think they can find another
provider who doesn't have spam, and we lose opportunities. It's the
single most impactful thing in our environment.

Q: Are the same people advertising repeatedly, sending multiple
messages?

Mark: If someone signs up with a spam house the same messages are
sent out again and again. Even a small, fly-by-night company can
send millions of messages for almost nothing. We get hundreds of
thousands of messages per day that can be generated by a single
person.

Q: How many companies actually sell Viagra over the Internet?

Chris: Far fewer than it would seem to appear. It's the tragedy of
the commons. 99.9999% of companies don't contribute. 

Q: What can be done?

Chris: We need to move to "sender pays" or get away from the
IPv4 (a protocol assigning address space) and SMTP (Simple Mail
Transfer Protocol) model. People who put together IPv4 and SMTP
did not anticipate that email would be abused. Till the
Internet switches to protocols that better authenticate the route
a message has taken, which enforces the inability to send things
anonymously, spam will continue.

The effort being made by AOL, Microsoft, Yahoo et al is the greatest
hope because we can switch the protocol. They have almost 2/3 of
the whole user base, they need to back the change to more
robust standards or else we'll see the situation get worse.
Once they change, everyone else will have to follow.

Mark: We are always working on technology.

Q: Is spam like a virus? It seems to do damage, like a virus does.

Chris: Spam is a distributed denial of service attack [a method
hackers use maliciously to bring down a server on the Internet
by overwhelming it with requests.] It has the same impact; we
have to take the same measures. Spam threatens to make email
ineffective by lowering the signal to noise level precipitously.

It's an asymmetric use of force. A bunch of guys with some
addresses and spam software are able to do a disproportionate
amount of harm. 

Q: What are Cruzio's plans?

Chris: Improving filtering technology. We just keep upgrading
our filters and servers to deal with increasing volumes of spam.
We'll coordinate with other ISPs, follow standards, educate users.
We also police our own users so they are unwilling and unable
to send spam.


16. Activating the Spam Filter: One Woman's Story
This true story was submitted by a Cruzio employee:

I get a lot of spam, because I've had my simple email address
since 1989 and I've posted it in many public places. I get hundreds
of spams per day, way more than most people. So at last, I decided
to see what Cruzio's filtering would do.

My filter had to be switched on differently from most Cruzio
members', because my work account has no control panel, and
Cruzio's in-house filters are slightly different from the ones
our customers use. But all in all, my story should be fairly
typical.

On Friday at 1 pm, my filter was turned on. In the next several
hours I obsessively checked my email every 15 minutes (I always
read email often, but now I was even more eager to see what would
happen.)

Messages dribbled in. A few spams, but mostly real messages.
Every so often I'd check my filtered mailbox to see what 
the filter had separated out. My filtered mailbox filled up
with 5 or more junk messages every hour and I deleted them happily.
I did find one message in my filtered mail that I wanted: my
Web page has a form on it which sends me inquiries. I fixed my
filter to allow messages from that sender to come through.

The weekend is the real test. Those spammers operate most often
in the dead of night, on weekends particularly so there are fewer
system administrators on hand to stop them.

I came in on Monday morning and had 43 spam messages. The filtered
mailbox had over 10 times that many. I found two more messages
that I wanted that the filter had blocked, and adjusted my filters
again. Cruzio advises me to keep looking carefully for a few weeks.
After that, it's up to me to decide how much time to spend looking
for that occasional unexpected message in the haystack.

I'm very happy with my filtered mail. It's saving me time: I can
quickly scan my mailbox to see if I've got important mail, I don't
get alerted "You have new mail" all the time only to see that it's
just more junk.  Well worth the minimal effort!


17. Interesting Links
	http://www.cruzio.com/support/email/junk_mail.html
	    (Cruzio's own informative page)
	http://www.digiportal.com/choicemail.html
	    (Anti-spam software)
	http://democrats.sen.ca.gov/senator/bowen/
	http://www.cobb.com/spam/numbers.html
	    (Costs and figures were taken from the above 2 sites)
	http://www.spamlaws.com
	    (Great source for info about legislative and court progress)
	http://www.itworld.com/Net/3241/030203spam/page_1.html
	http://www.cauce.org
	http://www.junkbusters.com
	    (The above 3 sites are full of information, resources and tips)


18. About This Newsletter
Cruzio doesn't like to waste bandwidth with extra email, but we sometimes
have events and announcements that users need to know about. This seems
like the most efficient way to let people know what's happening. Hope
it's helpful. Please email support@cruzio.com with any comments or questions. 
By the way, we would love to have a regular, predictable schedule
for this newsletter...but we simply do not send it unless there is real
news enclosed. Thus the haphazard datelines.


19. How to Reach Cruzio (dial-in or tech support)
To reach the Cruzio Information Center, for online technical and
sales information:
	http://www.cruzio.com/support 
  
To dial in to Cruzio, set your software to dial one of the numbers
below (note: we've expanded and joined modem pools, so you may be 
using another number. If so, don't worry, it still works just fine).
   
   56k: 459-9408

   33.6 kbps and under: 459-6230 
   
   To call Cruzio:
         459-6301............Use this number to check Cruzio's system status,
            pay your Cruzio bill, find out more about our hours and location,
            or to reach someone in customer service and technical support.
   
   To send email to Cruzio, use one of these addresses:
   	support@cruzio.com ......for technical support
	office@cruzio.com .......for billing and ordering information

    Cruzio's location:
	903 Pacific Avenue, Suite 101, Santa Cruz, CA 95060

    Cruzio's hours:
	Sales hours: 10am-6pm, Monday through Friday; 10 am - 2 pm Saturday
	Technical support: 10-6 pm, Monday through Friday, 10am - 2pm Saturday
	System monitoring, including customer-alerted emergencies, 24 hours
		per day, 365 days per year (leap years, 366 days)

Thanks very much from Cruzio:
	Chris, Peggy, Julianne, Kathy, Mark, Martin, Georgette,
	Tapati, Pedro, Brittany, Alec, Stephen, Paul, Gershom,
	Jessi, Ben, Edgar, Michael, another Kathy, Bhag, another
	Chris, Maria, Ezra, James, Juana, Krissie, Nikkie, and Mike,
	and our groovy intern, Janet (the grownups); Jake, Annika,
	and Carly (the kids);


This month, a spam story. This is my favorite spam. I have
received this several times:

"message: If you are a time traveler or alien disguised as human
and or have the technology to travel physically through time
I need your help!

"... I have a time machine now, but it has limited abilitys
and is useless without a vortex. If you can provide information
on how to create vortex generator or where I can get some of the
blue glowing moon crystals this would also be helpful.

"I am aware of two types of time travel one in physical form and
the other in energy form where a snapshot of your brain is taken
using either the dimensional warp or an electronic device and
then sends your consciousness back through time to part with
your younger self. Please explain how safe and what your method
involves.

"Also if you are one of the very, very, few beings with the ability
to edit the universe PLEASE REPLY!!! ...

"Please do not reply if your an evil alien!
Thanks"