Defense in depth: A strategy to stop spam that actually works

Spam is killing off email and threatening the very future of the internet. Surveys are showing that current net users are switching off to get away from unsolicited commercial email. Millions more are reluctant to get online for fear of being deluged with offers of pornography, viagra, money scams and so on. For trade unionists and social change activists, this is a worrying development. Email is an enormously powerful and cheap tool for us, particularly for online campaigning, but spammers are making it increasingly difficult for us to get our message through. We need to educate our members and ourselves in order to win the battle against spam. If we don’t win that battle, we lose all the gains of the last decade and return to a world where those with the money can get their messages heard — and where we are effectively silenced.
The only problem is that there is no solution to spam. Let me re-phrase that: there is no solution, but there are solutions, to the problem of spam. For some time now, I have adopted a strategy of defense-in-depth.


When I try to visualize this, I think about a huge table in the Imperial War Museum here in London which is used to illustrate what trench warfare was like on the Western Front during the First World War. It’s a diorama with model trucks, and miniature barbed wire, and little shriveled trees, and it’s huge. What I noticed the first time I saw it was how you didn’t have one trench on the Allied side, and one on the German side, which is how we sometimes imagine it. You had trenches behind trenches, so that if the enemy crossed through your minefield and climbed over your barbed wire, they only got into your first trench. You’d stop them before the second. And if that didn’t work, you had several lines of defenses after that.
Defense in depth. It kept the enemy at bay along the Western Front and it largely works for me today in the battle against the spammers. It could work for you as well.
Basically, there are two and only two approaches to fighting spam. One is at server level and one at client level.
As with trench warfare, where it was always desirable to stop the enemy before they even reached the first trench, so in this form of warfare it’s best to stop the spam at server level. The fight at client level is comparable to the last ditch efforts, where the cooks and lorry drivers are battling for their very lives against an enemy that has broken through every other line of defense. Server level is the forward trench; client level is where the field hospitals are.
The best way to stop spam at server level is to have an ISP that uses sophisticated filtering software and blocks the overwhelming bulk of spam from ever getting to your inbox. This is fairly standard practice now and one should not use an ISP which doesn’t offer this feature. One of the most popular and effective anti-spam blockers is SpamAssassin, an open source and free product. But there are others. Where possible, get your ISP to delete the spam before it reaches your inbox, and not merely to tag messages with the label of spam.
In addition to relying on your ISP to block spam, you might choose to pay for the services of another filter at server level. For some time I was using emailfiltering.co.uk. I would pay them a very small monthly fee, and they would retrieve all my messages from my ISP and filter these according to criteria updated daily.
So long as the two filters were not identical — i.e., so long as the ISP and emailfiltering.co.uk used different software and different criteria for battling spam — it created a kind of double-filter at server level. Very effective indeed.
Nevertheless, some spam continued to come through — through the minefield and the barbed wire, right up to the first trench.
There are many different approaches to dealing with spam at client level — that is, in your email software — but these basically boil down to two: blacklists and whitelists. The traditional approach, one which I used on my Linux desktop when my email client was Evolution, is blacklists. You tell your email client that you don’t want to see any email that has the phrase ‘viagra’ in the subject line, and it can then delete those emails automatically. Or you tell it that you don’t want to see emails from particular addresses. Because I was getting a massive amount of spam from Korea, in Korean, I was able to tell my email client’s filter to delete all mail which was encoded in Korean.
The problem is, spammers are constantly coming up with new phrases in subject lines, new ruses to make you want to open their emails, and it takes a constant struggle to keep your filters up to date. The blacklist battle is essentially an unwinnable one.
I was delighted to discover that Eudora, a popular free email client, now allows the use of an alternative approach: whitelists. Here you can tell your email program to only let mail through which comes from someone who is already in your address book. There are a couple of problems with this approach.
First, it means that people who are not yet in your address book will have their emails put into a special Junk mail folder and you may not look at that folder very frequently.
Second, it means you have to keep your address book up to date — which is probably not a bad thing.
I now use Mozilla Thunderbird as my email client and it combines the main features I want to see in order to combat spam: I have configured it to automatically add email addresses from all my outgoing messages to the address book, which is now the most up-to-date and most comprehensive I’ve ever had (with some 600 records). I have also set up a whitelist filter to put all incoming messages from people I don’t know (who are not in my address book) into the Junk folder, to be looked at later.
My Inbox is now essentially spam-free, all the time.
If I look at all the emails that come my way and reach my ISP’s server (my first line of defense), I’d guess that over 95% of them are now spam. We’re talking hundreds of email messages a day, every day. But I only get a handful of spam messages on my machine thanks to the strategy of defense in depth that I’ve adopted, and those are dealt with by the whitelist filter in my email client.
That’s how you stop spam and make email a useful tool again. That’s the defense in depth strategy we need to promote to everyone who wants the Internet to survive and remain an effective means of communication.
To sum up, the key elements of that strategy are:
1. Spam prevention at server level using tools like SpamAssassin
2. Duplication of filtering at server level using a second and different anti-spam program – emailfiltering.co.uk is a good choice
3. Use of whitelists in the email client to block emails from unrecognized addresses – Mozilla Thunderbird and Eudora can both do this
4. Maintaining an up-to-date email address book to ensure that the whitelist works – Mozilla Thunderbird will do this automatically
5. As a last line of defense, use a blacklist to filter any remaining messages by subject, sender, etc.
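
An added sketch of elements 3 to 5 of the list above (not code from the original article, nor from Thunderbird or Eudora): the address book is built from outgoing mail, known senders go to the inbox, and the blacklist runs on whatever remains. The function names, the sample messages and the choice to apply the blacklist only to unknown senders are assumptions of this example.

```python
from email import message_from_string, policy

def _addresses(msg, *header_names):
    """Yield lower-cased addr-specs found in the named address headers."""
    for name in header_names:
        for header in msg.get_all(name, []):
            for address in header.addresses:  # parsed; display names ignored
                if address.domain:
                    yield address.addr_spec.lower()

def build_address_book(sent_messages):
    """Whitelist = everyone we have written to (To/Cc of outgoing mail)."""
    book = set()
    for raw in sent_messages:
        msg = message_from_string(raw, policy=policy.default)
        book.update(_addresses(msg, "To", "Cc"))
    return book

def classify(raw, address_book, bad_terms=(), bad_senders=()):
    """Return 'inbox', 'junk' (held for review) or 'delete'."""
    msg = message_from_string(raw, policy=policy.default)
    senders = set(_addresses(msg, "From"))
    # Whitelist: exactly one From address, and it is in the address book.
    if len(senders) == 1 and senders <= address_book:
        return "inbox"
    # Blacklist on what remains. policy.default decodes MIME encoded-words,
    # so the terms are matched against the subject as the reader would see it.
    subject = str(msg.get("Subject", "")).lower()
    if senders & set(bad_senders) or any(t in subject for t in bad_terms):
        return "delete"
    return "junk"

# Constructed sample data (not real messages or addresses).
SENT = ["From: me@example.org\nTo: Organiser <Organiser@Union.EXAMPLE>\n"
        "Cc: comrade@labour.example\nSubject: Agenda\n\nDraft attached.\n"]
BAD_TERMS = ("viagra",)
INBOUND = {
    "known": "From: organiser@union.example\nSubject: Re: Agenda\n\nThanks.\n",
    "lookalike": 'From: "organiser@union.example" <bulk@mailer.example>\n'
                 "Subject: Agenda\n\nHello.\n",
    "encoded": "From: offers@mailer.example\n"
               "Subject: =?utf-8?q?Cheap_v=69agra?=\n\nBuy now.\n",
    "stranger": "From: newmember@branch.example\nSubject: Joining\n\nHi.\n",
}

if __name__ == "__main__":
    book = build_address_book(SENT)
    for label, raw in INBOUND.items():
        print(label, "->", classify(raw, book, BAD_TERMS))
```

The whitelist keys on the From header, which the sender controls, so it sorts mail into folders rather than authenticating it.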
Maybe at some point in the future a combination of new laws and new technologies at server level will solve the problem of spam — sort of like what America’s entry into the First World War did to the stalemate on the Western Front — but until that time, the only hope we have of using email without spam is by adopting a strategy like the one I outlined above.

12 Comments on "Defense in depth: A strategy to stop spam that actually works"

  1. Allan Bell | 29/10/2003 at 19:32 |

    Yes, spam is an illness and it's killing the net.
    But the USA needs to take much more of the blame than any other.
    Eric, how about some support from your movement for Australian unions in our attempt to get legislation re deaths at work?
    The recent death of a 16 year old highlights our country is killing for dollars by neglect.
    I am proudly and strongly an Australian Workers Union member,
    and support all pleas for help on your great site.
    Solidarity is indeed forever; can you run an international request for us?
    The royal commission in our land was a sham.
    The deaths are ongoing and no one is held accountable.
    thanks
    Belly

  2. Austin Paulnack | 29/10/2003 at 22:13 |

    Thanks very much for your reminders on how to
    minimize spam. Yes, the Internet is a great
    tool for labor and public policy groups in
    Syracuse, NY, but the flood of spam
    clutters the email and crowds out our message

  3. Steve Gibbons | 29/10/2003 at 22:39 |

    Sound advice based on personal experience – always the best kind. Clearly explained with good analogies. It is not Eric’s fault, but 99% of e-mail users will be unable to get beyond MS Outlook as a mail client, so the advice to use Eudora or Mozilla mail clients will be something they cannot use. We won’t go into who should really do what for their $ billions….. 🙂

  4. Hi Eric. Just to keep on topic I wanted to point out another defensive strategy to avoid finding your inbox bombarded with junk mail. That is, for those of you who already have, or are considering having, your own web page: NEVER put your email address on a web page. The reason being that robots (automated software programs) scan millions of web pages daily with the sole purpose of extracting email addresses which then find their way into those databases used to send spam. YUK… You may have noticed I used a fake email address when posting this response (move mouse over my name below to see what I mean) as even attaching your email to a reply such as this places your address at danger of ending up in one of those databases.

  5. Very good suggestions Eric, and definitely applaud your ongoing efforts at raising IT awareness in the labour movement. In the crucial task of getting more people to communicate online for the first time, it’s infuriating that nuisances such as spam and viruses hit the hardest on those who don’t yet have all the IT knowledge to implement these simple defences. In some cases this may put them off using the net for good, before they start to see the real benefits.
    On Brian’s point, false email addresses which redirect to your real one can be useful for posting on websites. If you ever find you’re getting too much spam from one of them, you can cut it off, without having to change your real email address. I believe Yahoo! Mail are now offering this as a paid service, though I use it through my domain name management firm. Best wishes, John

  6. Spam is becoming one of the things we have to put up with in this modern age. It’s a lot like urban sprawl. It’s ugly. It’s everywhere. And it won’t stop on its own volition.
    A couple of added words of caution. First, never, ever, click on a link that says you will be removed from a mailing list. A lot of spam is intended to search out live e-mail addresses, and asking to be removed is as good as telling them to send you more.
    On a related, but more sinister note, I have received a couple of spam messages lately that generate a request for a “read receipt.” If you click “send” you’re captured. Some people have their e-mail software configured to automatically send a read receipt when requested. If you have, reconfigure it now. The other two options are to never send one, or to ask before sending. I have mine set to ask.
    In solidarity,
    Alan

  7. Keith Heron | 30/10/2003 at 21:45 |

    There are other client options than simply using white or black lists to screen senders (should we be using this terminology?). For instance SpamNet, available from http://www.cloudmark.com uses a community approach whereby users mark items as spam and other users client software block the message when enough users have marked it as spam. There is a charge for using this service but I have found it very effective.
    BTW, is one person’s spam another person’s email campaign? Can we complain about spam in our in-box at the same time as we urge supporters to send unsolicited emails in support of the latest good cause?

  8. Don Doumakes | 02/11/2003 at 20:15 |

    I agree with Eric Lee when he says that activists and trade unionists
    should be concerned about the spam problem. If email becomes unusable,
    we will be much less able to get our own message out, but the rich will
    still have ways of getting their own propaganda in front of the public.
    Spamming, the sending of unsolicited bulk email, is quintessentially
    capitalistic: a public resource (the Internet) is used to produce
    private profit. Socialize the costs, privatize the profits—that’s
    what capitalism is all about. And for a small number of big spammers,
    it’s big business.
    I don’t think that Lee’s suggested tactics are all that likely to
    “actually work,” though, if we define a working tactic as one that
    reduces the total load of spam on the network. Filtering of spam after
    it arrives, whether at the server or the email client, does nothing to
    inconvenience the spammer. We, however, suffer even if we don’t have to
    read the spam: the network slows down, the mail server gets busier and
    slower, and eventually the monthly bill goes up to pay for increased
    capacity.
    The concept of a multi-layered defense is a good one, though. The
    following defenses can all be used at once for real effectiveness:
    1. Boycott spammers. Never, ever buy anything that has been advertised
    via spam. Make sure your friends understand why they should do the
    same. Spam is no longer the sole province of sleazy
    pornographers—it’s used by sleazy mainstream businesses more and more.
    If they don’t get sales, they’ll quit spamming.
    2. Boycott the Internet service providers (ISPs) who harbor spammers.
    Reputable ISPs all have a policy that strictly prohibits spamming. So
    spammers have to find a spam-friendly provider to stay in business.
    These spam havens are only interested in making money, and the community
    be damned. If the legitimate customers flock to the competition, the
    spam hosts will see that spam is bad business. If you stay with a
    provider that has a pro-spam reputation, you’re prolonging the problem.
    Unfortunately some large ISPs, e.g. Pacific Bell, are spam-friendly.
    3. Insist that your ISP block email from spam-friendly networks. Wait
    a minute, didn’t he just say that filtering was no good? Yes, but
    blocking is different. It’s possible to set up the server to refuse to
    accept email from any particular area of the Internet. If the spammer
    is in that blocked-out area, he doesn’t get a chance to transmit his
    spam to our server. Thus the network isn’t slowed down, and our server
    doesn’t waste time processing junk email. There are several public
    lists of spam-friendly networks, and using several of them in layers
    provides a good degree of protection. (This email is being sent from a
    server that consults nine different public blocking lists.)
    The most successful of these lists is SPEWS, which has a simple but very
    effective policy about listing networks: first, they list only the
    spammer’s own network address. If the ISP doesn’t do the right thing
    and kick the spammer off the network, SPEWS increases the listing to
    include adjacent network addresses. And the listed space just keeps
    getting bigger and bigger until the spammers are gone. What starts out
    as the spammer’s problem very quickly becomes the ISP’s problem, as the
    other customers start to scream that their legitimate email is getting
    blocked by recipients who use SPEWS. Customers pay to get connected,
    not DISconnected, and the ISP knows this. There is a long history of
    spammers losing their Internet access because of blocking lists.
    4. Report the spam you get. Reputable ISPs don’t host spammers, but
    they don’t always know there’s a spammer on their network unless they
    get complaints from the public. It’s hard to know whom to complain to,
    because the spammers forge the email in an effort to divert complaints.
    The From line is always bogus, the various other headers are almost
    all bogus as well, even the web site advertised in the email may be
    several jumps away from the spammer’s real web site. Fortunately, there
    is SpamCop, a service that analyzes your spam and can tell you where to
    send that complaint—it even composes a polite complaint letter for
    you, and mails it. I’ve reported half a dozen spams while I’ve been
    typing this email.
    All these measures are effective: they increase the spammer’s cost of
    doing business and put many spammers out of business permanently. For
    more information, see:
    Email Abuse FAQ: http://members.aol.com/emailfaq/emailfaq.html
    SpamCop: http://spamcop.net
    My own anti-spam page: http://www.loganet.net/~doumakes/abuse

    Don Doumakes

  9. John Potter | 02/11/2003 at 20:21 |

    I use two email addresses, one gets barrowloads of spam, the other
    none. Why? About a year ago I participated in a discussion like
    this, and my email address was posted on the web as a result.
    Spam merchants crawl the web and usenet newsgroups using robot
    programs, that’s where they get the addresses and they got that one
    of mine.
    As an individual, I no longer participate in discussions which will
    result in my email address appearing on a web site. The creator of
    the site can use a form as a means of reply to avoid this problem.
    The responder to the discussion item clicks a link to a form which
    enables them to send an email to the original poster, but the email
    address is not visible to either the sender or any spam address
    gathering robot. The usual method is to use a cgi script.
    This solution does rely on secrecy and may be more difficult for an
    organisation than an individual, but it works for me.
    As a second line of defence I use a free email address from Yahoo
    sometimes for initial contact.
    I have tried the spam blocking system of my ISP, and while it does
    block some spam there is also a risk it will block wanted email by
    mistake. Recently a newspaper columnist here gave several
    examples of this happening to her.

  10. Peri Young | 06/11/2003 at 00:15 |

    From a purely market point of view – spam wouldn’t exist if it didn’t work. Someone’s buying! I suggest that all readers DO NOT under any circumstances, no matter how good the deal looks, buy anything or answer any surveys conveyed to them through spam – I extend this to unsolicited telephone calls.

  11. Today’s “Guardian” has an article about the role of challenge response and collaborative filtering in combatting spam:
    http://www.guardian.co.uk/online/story/0,3605,1078092,00.html

  12. Marcus David | 15/03/2004 at 23:27 |

    Anyone can learn from pain.
