Spam flooding PSU servers

The Oregon House unanimously approved a bill Tuesday that would allow recipients of unwanted commercial e-mail, or spam, to sue the senders.

Currently, Oregon has no law on spam, and the vote followed increased public outcry against unwanted junk e-mail.

Marketing representatives and anti-spam activists nearly came to blows during a three-day conference on spam sponsored by the Federal Trade Commission May 1. More than two dozen states have passed anti-spam laws, and two bills, one sponsored by Oregon Democratic Senator Ron Wyden, are making their way through the U.S. Congress.

“Spam is getting to the point where it is at a denial of service level,” said Gilbert, who noted Portland State University’s more than 100 servers handle roughly 180,000 pieces of e-mail daily.

During a denial of service attack, hackers try to flood a network with traffic so as to disrupt legitimate network users. If the attack is successful, the results are like trying to run much more water through a pipe than it is rated for – the pipe bursts.

In November of 2002, over 60 percent of all e-mail received daily at PSU accounts was spam, said Dennis Gilbert, PSU’s chief architect of computing.

Gilbert noted this figure fluctuates, and most recently was nearer to 40 percent.

Still, said Gilbert, PSU’s filtering software, SpamAssassin, does a good job of filtering unwanted mail. Gilbert estimates only 1-5 percent of spam gets through the software.

SpamAssassin doesn’t erase spam, said Gilbert, but sends it directly to a junk folder. It can be set up through PSU’s Web mail interface.

The software, a publicly developed project, takes several steps to filter out spam. First, it considers the return address. If it isn’t valid, or if it comes from a domain listed on one of several Internet databases as a spamming domain, the e-mail is marked as spam.

If the e-mail passes that test, the main body of the e-mail is scanned for key phrases used by marketers. The phrases are things like “Get rich quick” or many consecutive dollar signs, said Gilbert. Each e-mail is assigned negative points for each marketing phrase found, and is also checked against a set of positive criteria. If the score is too negative, the e-mail goes to the junk folder.
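The two-stage filtering described above, sketched as an added example; it is not SpamAssassin's code or PSU's configuration. The blocklist, phrases, point values, the positive criterion and the threshold are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for illustration (assumptions, not PSU's rules).
BLOCKED_DOMAINS = {"bulk-offers.example"}       # stands in for the Internet databases
NEGATIVE_RULES = [                              # (name, pattern, points)
    ("get rich quick", re.compile(r"get rich quick", re.I), -3.0),
    ("dollar signs", re.compile(r"\${3,}"), -2.0),
    ("act now", re.compile(r"act now", re.I), -1.5),
]
KNOWN_CONTACTS = {"registrar@pdx.example"}      # hypothetical positive criterion
THRESHOLD = -4.0                                # hypothetical "too negative" cut-off
ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def classify(raw):
    """Return (folder, score, reasons) for one raw message; score is None in stage 1."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
    # Stage 1: the return address must be well formed and not a listed domain.
    if not ADDR_RE.match(addr):
        return "junk", None, ["invalid return address"]
    if addr.split("@", 1)[1] in BLOCKED_DOMAINS:
        return "junk", None, ["listed spamming domain"]
    # Stage 2: scan the body, subtracting points per phrase and adding for positives.
    body = msg.get_payload()
    score, reasons = 0.0, []
    for name, pattern, points in NEGATIVE_RULES:
        if pattern.search(body):
            score += points
            reasons.append(name)
    if addr in KNOWN_CONTACTS:
        score += 5.0
        reasons.append("known contact")
    return ("junk" if score <= THRESHOLD else "inbox"), score, reasons

# Constructed sample messages, one per outcome.
SAMPLES = {
    "spam": "From: promo@deals.example\nSubject: hi\n\nGet rich quick!!! $$$$ Act now\n",
    "ham": "From: registrar@pdx.example\nSubject: Fall\n\nAct now to register for fall.\n",
    "listed": "From: x@bulk-offers.example\nSubject: hi\n\nhello\n",
    "bad_addr": "From: not-an-address\nSubject: hi\n\nhello\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

The "ham" sample contains one marketing phrase but still lands in the inbox because the positive criterion outweighs it, which is the balance the scoring step is meant to strike.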

Despite the software, spam is a problem that is not going away, Gilbert said. Marketing agencies are aware of the rules used by filtering software, so defeating them is often just a matter of changing their e-mails.

State laws would be helpful, said Manoj Garg, director of computing and network services, but the very nature of the Internet would make them hard to enforce. “We need to have a federal statute on this,” Garg said.

Bills like the one approved by the Oregon House would require unsolicited commercial e-mail to start with the letters “ADV.” This is a step in the right direction, said Garg, but even federal laws would be easy to evade.

The Oregon bill would also force unsolicited e-mail to include a valid return address and a truthful subject line.

Wyden’s bill, known as the Can Spam Act, would go further than that, and require unsolicited commercial e-mail to include a way for users to unsubscribe from the marketing list.

At present, many spam messages provide fraudulent ways for users to unsubscribe. Recipients trying to unsubscribe often unwittingly do just the opposite, Gilbert said.

“All that does is tell the sender, I’m here, I’m getting your e-mail.” Instead of removing the name, said Gilbert, the spammers sell it as a valid address.