Cruzio's Focus On Spam Cruzio/The Internet Store Newsletter - Number 64, May 20, 2003 A few announcements below, followed by a newsletter devoted to junk email, or spam, the topic Cruzio members ask us about most. *********Announcements: 1. Free: "Getting the Most Out of Your Basic Cruzio Account" 2. One more week for Dialup Sale 3. DSL Sale in July *********News and Views on Spam: 4. Numbers 5. Cost 6. Why Can't Cruzio Block 100% of Spam? 7. Why do People Think It's Effective to Send Me the Same Offer 10 Times in One Day? 8. Some Possible Technical Solutions 9. The Legal Scene 10. What Motivates Spammers 11. But I *Want* People to Find Me, Just Not Spam Me 12. Are There Good Offers in Spam? 13. How to Avoid and Block Spam 14. How Do Cruzio Filters Work? 15. An Interview With Cruzio's Engineers 16. Activating the Spam Filter: One Woman's Story 17. Interesting Links 18. About This Newsletter 19. How to Reach Cruzio (dial-in or tech support) *********Announcements 1. Free: "Getting the Most Out of Your Basic Cruzio Account" Thursday, May 22, 2003 -- from noon to 1:30 pm at Cruzio's downtown Santa Cruz store This is one of Cruzio's most popular Brown Bags. Come in and learn about: - Cruzio's email options - Your FREE spam filter - Online support services - Local online resources - The Cruzio Customer Page and be sure to bring your questions! The workshop will be led by Cruzio Marketing and Tech Support Staffers, the dynamic Ezra, Krissie and Bhag. Register at http://www.cruzio.com or call the events hotline: 831 459 6301 extension 247. 2. One more week for Dialup Sale Until May 31st, Cruzio Dialup Internet Access is on sale. New signups get the 3rd month free. Time to get that extra account if you need one, and remember that you get a $10 credit on your account if you recommend Cruzio to a friend! (The friend must give us your email address, account number, or full name when they sign up.) 3. DSL Sale in July Looks like another DSL sale is coming in July. More details to follow in next month's newsletter. *********News and Views on Spam: 4. Numbers The Radicati Group predicts that this year, 45% of all email will be spam, and that the percentage of spam will increase to 70% by 2007. The Eprivacy group estimates that spam volume increases by 18% per month. In February 2003, AOL disclosed that it blocks 780 million spams per day. (Cruzio, with a much smaller user base, blocks hundreds of thousands.) Harris polls showed that the number of people who find spam "very annoying" grew from 49% to 80% from 2000 to 2002. 0.00036% (36 sales from 10,000,000 emails) is the percentage of sales in response to spam in a recent Wall Street Journal case study. The spam house still made a profit. Ferris Research released a study in January 2003, which found spam costs U.S. businesses $8.9 billion each year. 5. Cost How much time do you waste each day sorting spam out of your mailbox? Multiply that by hundreds of millions of people trying to read their email and you have an idea of the user cost. Not to mention how you might have spent your time more enjoyably or profitably if you hadn't spent it on spam (economists call this opportunity cost.) How much does Cruzio spend per month on spam? We buy equipment and software that receives -- and sometimes rejects -- email messages; pay for the bandwidth to transfer these messages from the Greater Internet into our servers; and pay staff to try to keep the servers afloat when spam threatens to sink them. Cruzio spends hundreds of thousands of dollars a year on spam. Multiply that by all the other ISPs out there: the big ones, like AOL, spend many millions of dollars per year. Spam costs users and ISP's a ton of money. Spam costs spammers almost nothing. 6. Why Can't Cruzio Block 100% of Spam? Customers often ask us to block all their spam, and we would like to prevent people from getting unwanted email. But it is difficult to block unwanted mail without blocking some legitimate mail as well, and Cruzio has tried to avoid this. Spammers write as if they are friends or family, and disguise their messages so that sometimes no one but you can tell the difference. We block the obvious spam that floods our servers from addresses we know to be fake or from known sources of spam ("spam houses.") For the rest, we provide you the best tools we can for you to block the spam at the level you prefer. 7. Why do People Think It's Effective to Send Me the Same Offer 10 Times in One Day? We don't understand that either. Even assuming that we would be interested in a Get-Rich-Quick scheme, wouldn't one offer suffice? It is so cheap to send spam that it means nothing to send the same email to the same person over and over and over. 8. Some Possible Technical Solutions According to Cruzio Chief Technical Officer Chris Neklason, technical solutions offer the most hope against spam. Here are some possibilities: o Change the protocols The email industry could change the way that email is sent and delivered, so that the sender becomes more easily identifiable. o Charge some tiny amount for sending email If everyone had to pay even a fraction of a cent to send a message, it would barely affect normal emailers but would make spamming far less economical. o New and better filters There are some promising ideas for smarter filtering systems, such as Bayesian filters which combine information from many sources to separate out spam. (A human can tell spam easily, but automated processes have a much harder time.) o Challenge-response Recipients using this system only receive email from known senders. Any mail from someone not in the "accept" list is bounced back to the sender with a request for action. For example the sender might need to repeat back a code word or perform some other simple task. The theory is that human beings would simply perform the task and re-send the mail, but an automated program couldn't do it. Each of the above solutions has disadvantages along with its advantages: some are more trouble for users or administrators, some make email more costly. But as spam worsens, the comparative costs look more manageable. 9. The Legal Scene A major problem with legal remedies to spam is that the Internet is international. What's outlawed in the U.S. can simply move overseas: much of it is there already. Also, political pressures from lobbyists can cloud and delay legislation. For example, business interests often succeed in pushing "opt out" schemes -- that is, someone can send you ads until you tell them not to. Current California law and the Burns-Wyden Act now pending in Congress suffer from this failing. There are some major flaws in "opt-out": It is difficult to find spammers to tell them to stop. They move often and falsify addresses. And imagine having to opt out of hundreds of lists per day -- why should the recipient bear this burden? Cruzio generally favors "opt-in" for mailing lists. Another difficulty: many politicians, judges, and even news reporters are not long-time users of email. Non-geeky folks tend to compare spam to junk mail delivered via post; they do not realize that it's as if you had hundreds of (often) blatantly offensive junk mail letters per day, and had to search for bills and correspondence in the huge pile. To make matters worse, you would have paid the postage for the senders. Not everyone currently suffers so much from spam, but those whose addresses have somehow fallen into spammers' hands do experience something much more serious than paper junk mail. Cruzio supports well-crafted anti-spam legislation but we believe the solution will more likely come from the technical side. 10. What Motivates Spammers? On the surface, this seems like an easy question: money. The costs to spam are low, so even a small return can be profitable. And surely, the large spam houses are making a lot of money. But if we examine some spam, we can't help but notice that many messages don't seem to expect or want a return. For example, some spams are set up to get around filters that block words like "Porn". The spammer will write "P_o_r_n" to get by the filter. But why would someone who had taken the trouble to block "Porn" want to get a message about "P_o_r_n"? Surely the rate of positive response would be very low. Indeed, as Cruzio Engineer Mark Hanford says, "legitimate companies don't spam. They know it would cause a negative response." What's left are small-potato, fly-by-night companies and people who have other motives for sending the junk mail (spite? creative license?) Cruzio CEO Chris Neklason says, "It's like graffiti." 11. But I *Want* People to Find Me, Just Not Spam Me Some email addresses are easy for spammers to guess or find by doing random letter combinations. You can also expose your email address by putting it on a Web site, or filling it in when browsing the Internet, joining some organization or buying something. But these are also positive things. It's nice to have a simple address so friends and family can remember it. It's good business to put a working email address on your Web site to get orders and comments. You don't want to make your family, friends and customers jump through hoops to reach you! When openness is important to you or your business, we recommend using a filter rather than obscurity as protection against spam. Check "How to Block and Avoid Spam" below for more tips about avoiding spam while still using email addresses well. 12. Are There Good Offers in Spam? There are rarely good offers in Spam, because spammers will be chased off their ISP's as soon as they are identified, and that takes only a matter of days. So a spammer will have to "leave town" quickly. A business that's interested in providing good customer service, or indeed any customer service at all, cannot therefore engage in spam. The offers in spam are shady and misleading at best, and often downright fraudulent. 13. How to Block and Avoid Spam Blocking Spam: -------------- -- Use your Cruzio Mail Filter. It's easy and free. To activate the filter, go to your Cruzio Control Panel and press the "Enable Junk Email Filter" button. Relief is immediate and impressive. (See "One Woman's Story", topic #16, for a real-life example.) If you're not sure how to get started using your filter, please drop by our Brown Bag Workshop on May 22nd (see item #1 above) or contact Cruzio Technical Support. We are happy to help. (Cruzio is confident that our free filter will make a marked difference. We've had the filter for two years now and are constantly making improvements on it. If you wish to go even further, there are other steps you can take, listed below. But please try the filter first; it can save you a lot of time, money and trouble!) -- The email program on your computer -- most people use Outlook Express, Netscape, or Eudora -- often has filtering features. Activate the filter according to instructions from the program's maker (check their help or Web sites for their guidelines.) -- You can install a dedicated spam-killing program on your computer. One program tested by vigilant Cruzio Tech Support staffer Bhag is called ChoiceMail. It's found at http://www.digiportal.com/choicemail.html Avoiding Spam ------------- -- Consider using separate email addresses, each for a different purpose. Cruzio email accounts come with 6 addresses, so this is easy and free of charge. Set up one of your mailboxes to receive purchase confirmations and sweepstakes; another for chat rooms and newsgroups, etc. That way, your private mailbox stays relatively private. -- Don't create an email address that's easy to guess. Spammers often do "dictionary" lists or combinations of letters, just trying every combination until they hit an active mailbox. If your address is email@example.com, more spammers will happen upon it than if the address is firstname.lastname@example.org. Of course there is a trade-off -- the second address is harder for friends to remember, too! -- Never engage spam. If you click on a link in the spam, it's counted as a successful "hit" from that email. Those numbers are used to attract customers to spam houses. -- Guard against address sharing by reading fine print when joining or ordering online. Sometimes the company reserves the right to sell your information. You would want to avoid that. Of course, the fine print is sometimes long and difficult to read, so it can be hard to find these clauses. -- Once your address is on spammer's lists, it will, unfortunately, stay on those lists and as the lists are sold from spammer to spammer you will continue to receive junk email. If you cannot stand the level of spam you get, even with your filter on, you may eventually opt for the ultimate (and inconvenient) step of abandoning the mailbox and starting all over with a new one. If you need to do this, let Cruzio know that you want to switch your address and we will help you do so. We often receive email from our customers about spam, and we welcome your questions, comments, and suggestions. If you have found effective ways to avoid spam, please send them in to email@example.com, and we will publish the most practical ones in the next newsletter. 14. How Do Cruzio Filters Work? Cruzio customer email is not filtered until a customer goes to the Cruzio Control Panel, selects "Junk Mail Filtering" and presses the "Enable Filtering" button. Once activated, the filter combines many techniques to block spam: Is the Sender a spoofed address? Does it match identified spam from lists? Some organizations hire people who mark specific emails as spam. Messages matching these are then blocked by the filter. Or, spam may be identified automatically from words on the subject line or within the body of the message. Also, spam can be identified by the number of emails coming rapidly from one server. (Cruzio sometimes receives thousands of messages from a single source in a matter of minutes.) Or by the method of sending: spammers often use the "blind cc:" feature so that they can send to hundreds of people in one shot without having an enormous header on the message. Once suspect mail has been identified, Cruzio's filter puts it into a "filtered" mailbox. You may examine this mailbox to see if anything in it is a wanted piece of email, and by clicking on it you ensure that anything coming from that address in the future will be accepted. 15. An Interview With Cruzio's Senior Engineers We met in the small, non-luxurious office of Cruzio's co-CEO and Chief Technical Officer, Chris Neklason. Senior Engineer Mark Hanford joined us. Both men spend a large percentage of their time researching and enacting Spam solutions. Q: Chris, can you describe the current situation? Chris: Our users should understand that Spam is an arms race of constantly shifting measure vs. countermeasure. We just keep upgrading our filters and our servers to deal with increasing volumes of spam. In 2002-2003 four or five jumps in the estimated amount of spam occurred, each jump close to doubling the junk email on the Internet. It's been very significant for our servers. We are spending a lot of money and staff time, more R&D dollars, against spam. In any given week in Engineering, 40 hours is spent on Spam. Two years ago, we spent very little time on it. Mark: There are 20 or 30 big spam houses who process most of the junk email on the Internet. Those 20 or 30 change domain names every few days and move. We sometimes can find out spam's coming from them and intercept it. But it would be a more than a full time job to try to determine what's spam and block it. That's not the best way to solve the problem. Q: How does spam affect an ISP? Mark: [When spammers send large amounts of mail to us] it hurts our ability to operate. Even "legitimate" ones connect so much it requires a lot of computer power to handle it. Our mail servers are rack-mounted multi-processor servers running the latest greatest software, but spam can still overwhelm them if we don't watch out. We've had a very open policy, and it's a shame we've had to change that somewhat. For example we can't allow servers with open relays to send email to Cruzio any more [open relays are often commandeered by spammers unbeknownst to their owners] We have to reject open relays, or our servers are overwhelmed. The server can send us email again once they fix the problem. Chris: Customers think we're somehow responsible for spam. We spend lots of money on it, lose customers who think they can find another provider who doesn't have spam, and we lose opportunities. It's the single most impactful thing in our environment. Q: Are the same people advertising repeatedly, sending multiple messages? Mark: If someone signs up with a spam house the same messages are sent out again and again. Even a small, fly-by-night company can send millions of messages for almost nothing. We get hundreds of thousands of messages per day that can be generated by a single person. Q: How many companies actually sell Viagra over the Internet? Chris: Far fewer than it would seem to appear. It's the tragedy of the commons. 99.9999% of companies don't contribute. Q: What can be done? Chris: We need to move to "sender pays" or get away from the IPv4 (a protocol assigning address space) and SMTP (Simple Mail Transfer Protocol) model. People who put together IPv4 and SMTP did not anticipate that email would be abused. Till the Internet switches to protocols that better authenticate the route a message has taken, which enforces the inability to send things anonymously, spam will continue. The effort being made by AOL, Microsoft, Yahoo et al is the greatest hope because we can switch the protocol. They have almost 2/3 of the whole user base, they need to back the change to more robust standards or else we'll see the situation get worse. Once they change, everyone else will have to follow. Mark: We are always working on technology. Q: Is spam like a virus? It seems to do damage, like a virus does. Chris: Spam is a distributed denial of service attack [a method hackers use maliciously to bring down a server on the Internet by overwhelming it with requests.] It has the same impact; we have to take the same measures. Spam threatens to make email ineffective by lowering the signal to noise level precipitously. It's an asymmetric use of force. A bunch of guys with some addresses and spam software are able to do a disproportionate amount of harm. Q: What are Cruzio's plans? Chris: Improving filtering technology. We just keep upgrading our filters and servers to deal with increasing volumes of spam. We'll coordinate with other ISPs, follow standards, educate users. We also police our own users so they are unwilling and unable to send spam. 16. Activating the Spam Filter: One Woman's Story This true story was submitted by a Cruzio employee: I get a lot of spam, because I've had my simple email address since 1989 and I've posted it in many public places. I get hundreds of spams per day, way more than most people. So at last, I decided to see what Cruzio's filtering would do. My filter had to be switched on differently from most Cruzio members', because my work account has no control panel, and Cruzio's in-house filters are slightly different from the ones our customers use. But all in all, my story should be fairly typical. On Friday at 1 pm, my filter was turned on. In the next several hours I obsessively checked my email every 15 minutes (I always read email often, but now I was even more eager to see what would happen.) Messages dribbled in. A few spams, but mostly real messages. Every so often I'd check my filtered mailbox to see what the filter had separated out. My filtered mailbox filled up with 5 or more junk messages every hour and I deleted them happily. I did find one message in my filtered mail that I wanted: my Web page has a form on it which sends me inquiries. I fixed my filter to allow messages from that sender to come through. The weekend is the real test. Those spammers operate most often in the dead of night, on weekends particularly so there are fewer system administrators on hand to stop them. I came in on Monday morning and had 43 spam messages. The filtered mailbox had over 10 times that many. I found two more messages that I wanted that the filter had blocked, and adjusted my filters again. Cruzio advises me to keep looking carefully for a few weeks. After that, it's up to me to decide how much time to spend looking for that occasional unexpected message in the haystack. I'm very happy with my filtered mail. It's saving me time: I can quickly scan my mailbox to see if I've got important mail, I don't get alerted "You have new mail" all the time only to see that it's just more junk. Well worth the minimal effort! 17. Interesting Links http://www.cruzio.com/support/email/junk_mail.html (Cruzio's own informative page) http://www.digiportal.com/choicemail.html (Anti-spam software) http://democrats.sen.ca.gov/senator/bowen/ http://www.cobb.com/spam/numbers.html (Costs and figures were taken from the above 2 sites) http://www.spamlaws.com (Great source for info about legislative and court progress) http://www.itworld.com/Net/3241/030203spam/page_1.html http://www.cauce.org http://www.junkbusters.com (The above 3 sites are full of information, resources and tips) 18. About This Newsletter Cruzio doesn't like to waste bandwidth with extra email, but we sometimes have events and announcements that users need to know about. This seems like the most efficient way to let people know what's happening. Hope it's helpful. Please email firstname.lastname@example.org with any comments or questions. By the way, we would love to have a regular, predictable schedule for this newsletter...but we simply do not send it unless there is real news enclosed. Thus the haphazard datelines. 19. How to Reach Cruzio (dial-in or tech support) To reach the Cruzio Information Center, for online technical and sales information: http://www.cruzio.com/support To dial in to Cruzio, set your software to dial one of the numbers below (note: we've expanded and joined modem pools, so you may be using another number. If so, don't worry, it still works just fine). 56k: 459-9408 33.6 kbps and under: 459-6230 To call Cruzio: 459-6301............Use this number to check Cruzio's system status, pay your Cruzio bill, find out more about our hours and location, or to reach someone in customer service and technical support. To send email to Cruzio, use one of these addresses: email@example.com ......for technical support firstname.lastname@example.org .......for billing and ordering information Cruzio's location: 903 Pacific Avenue, Suite 101, Santa Cruz, CA 95060 Cruzio's hours: Sales hours: 10am-6pm, Monday through Friday; 10 am - 2 pm Saturday Technical support: 10-6 pm, Monday through Friday, 10am - 2pm Saturday System monitoring, including customer-alerted emergencies, 24 hours per day, 365 days per year (leap years, 366 days) Thanks very much from Cruzio: Chris, Peggy, Julianne, Kathy, Mark, Martin, Georgette, Tapati, Pedro, Brittany, Alec, Stephen, Paul, Gershom, Jessi, Ben, Edgar, Michael, another Kathy, Bhag, another Chris, Maria, Ezra, James, Juana, Krissie, Nikkie, and Mike, and our groovy intern, Janet (the grownups); Jake, Annika, and Carly (the kids); This month, a spam story. This is my favorite spam. I have received this several times: "message: If you are a time traveler or alien disguised as human and or have the technology to travel physically through time I need your help! "... I have a time machine now, but it has limited abilitys and is useless without a vortex. If you can provide information on how to create vortex generator or where I can get some of the blue glowing moon crystals this would also be helpful. "I am aware of two types of time travel one in physical form and the other in energy form where a snapshot of your brain is taken using either the dimensional warp or an electronic device and then sends your consciousness back through time to part with your younger self. Please explain how safe and what your method involves. "Also if you are one of the very, very, few beings with the ability to edit the universe PLEASE REPLY!!! ... "Please do not reply if your an evil alien! Thanks"