Three different people asked me yesterday about why two buddies known as 'bots' showed up in their AOL Instant Messenger Buddy List. The new buddies were called "Shopping Buddy" and "Moviefone". One of the people had been given a message when they logged in mentining that these new buddies were added, but the other two people did not receive any such message.
In the context of instant messaging, a 'bot' is a computer program designed to respond to messages as if it were a person. It can interpret questions and statements made in natural language and send some sort of (hopefully) appropriate response back. Companies and individuals have developed bots for any number of purposes.
There have been infomation bots, like "SmarterChild", that give you movie showtimes and horoscopes, and play simple games. There are advertising bots that dispense product information, and there are attack-bots that inundate a user with so many messages that it causes their account to shut down.
AOL's new bots are designed to act as a shopping search engine and provide movie times.
Many bloggers are up in arms about the fact that AOL automatically added these new bots to every user's buddy list rather than giving individuals the choice of whether or not to install them in the first place. It's a fairly minor inconvenience to remove them from your list, but critics compare AOL's approach to 'opt-out' spamming.
An 'opt-in' list is one where you have to do something specific and clear, like submit your e-mail address in a form, to start receiving the list's mail. An 'opt-out' list is where the list assumes you want to receive its mail until you do something specific and clear to unsubscribe yourself. Although the CAN-SPAM act considers opt-out lists acceptable (provided the opt-out works within 10 days), many spamwatchers consider this practice highly undesirable for end-users. In my opinion, best practices dictate using opt-in lists only.
The human mind can go to some dark places if left to its own devices.
By most accounts, I'm a perfectly sane and functional person. But for a split second, I’ve wondered what would happen if I ended up in front of an oncoming subway train. I’ve wondered what would happen if my hand got caught in a deli meat slicer. And I’ve wondered what would happen if I tried to follow the links in a Spam e-mail, just as an exercise, to see if I could really buy whatever it is they are advertising. Spammers apparently make a ton of money, and they wouldn’t be able to do that without selling products somehow.
This guy had similar wonderings. He set up a system to track all of the stock tips he received in Spam e-mails, to see how much money you would make or lose if you actually invested in all of them.
I suppose the good news is that spammers have finally figured out that parents, and lots of other people, hate porn spam and are worried about what their kids are doing and seeing online.
So now, according to ZDNet, spammers are sending email offering to protect your children from sexual predators and other crime!
Needless to say, they're more likely to really send you that viagra than to have found the silver bullet for protecting your kids online -- if you do want to control who communicates with your kids or what they see, use a reputable mainstream product like EarthLink's Parental Controls. Whatever you do, don't take what the spammer is offering or you're virtually guaranteed to get more spam, and very likely to wind up with a spyware or virus laden product.
Friday's edition of Dateline included a long story in which John Hockenberry and the hidden camera team successfully tracked down the man responsible for sending some particularly icky porn spam to a Texas housewife.
While the show is extremely funny and educational if you're curious about how the shady underworld of the online porn industry works, one thing about the episode surprised me.
Julie, the Texas housewife, seemed particularly concerned about having her children exposed to this kind of material. But no one on the program even brought up parental controls software!
The closest the program came to recommending parents use parental controls or web filtering software was that Ray Everett Church suggests using spam filtering software.
The show did include several good suggestions for children AND adults hoping to avoid either viewing porn spam or getting infected with computer viruses:
1) Don't open email from people you don't know.
2) Don't open email attachments you weren't expecting or aren't 100% sure are safe to open.
If you're in doubt, contact the sender and ask if they sent you something and what it was. They might have a virus that sent out the nasty content without their knowledge. Or they might just be the 257th person to send you the Neiman-Marcus chocolate chip cookie recipe.
Have you ever received a piece of spam with a URL (web link) that looks like gobbeldy-muck? More often than not, the URLs included in spam messages are merely elaborate third-party redirection services that refer you to a web site trying to sell you something. That something could be prescription drugs, pirated software, or even pornographic content.
Do you know what RSS is? If not, don't feel bad; only one person for every 11 Internet users does. How about Podcasting? If you're familiar with the latest rage in distributing recorded audio over the Internet, you're one of only 13% of Internet users that are. If you aren't familiar with these technologies, it almost certainly doesn't put you at any greater risk for identity theft. But there is one that could: phishing.
How do you know if an email you receive really is from your bank or one of your favorite merchants? For all practical purposes, you can never be absolutely certain. Therefore, the Federal Trade Commission recommends, among other things, that you never divulge any personal information as a result of an unsolicited email message. That includes not clicking on links, replying to the message, and calling or faxing a number provided in the message.
If you are ever concerned that a company you do business with may legitimately need you to provide them with new or updated personal information, the safest thing to do is to pull up the last statement that was mailed to your house and call the customer service number listed on the bill or invoice. Even typing the company's web address by hand into your web browser could divert you to a scammer's web site if there is any chance your computer has been invaded with a virus or spyware program.
In general, you should treat email messages from companies as you would a rumor. Don't believe it unless and until you've heard it straight from the horse's mouth.
Over the past several years, ISPs and other network operators around the globe have been investing heavily in measures to reduce the amount of spam emanating from their networks. It isn't always easy to convince companies to spend money on preventing outbound spam when they are more concerned about addressing the deluge of inbound spam. However, it didn't take long to figure out that the networks that received most of the spam were often also the ones that permitted the most spam to be sent.
Some folks have started to make a big deal about the fact that most email messages that authenticate with SPF, SenderID, or DomainKeys are spam -- and they're right.
What they may not be saying, however, is that the same is true for regular email too! So if the spam rates are the same, what good is authenticated email? To answer that question, it helps to first make sure we understand what sender authentication really means.
That may be the million dollar question this week as Microsoft spearheads the Email Authentication Implementation Summit in New York City. At first glance, quotes from Summit participants appear to be strongly endorsing the adoption of Sender ID. But if you read carefully, you will see that they are really talking about "sender authentication" in a more general sense.
We certainly agree that sender authentication is a useful technology and an important first step in our mission to end messaging abuse in all of its forms. That mission is what led EarthLink to join the Messaging Anti-Abuse Working Group. As co-chair of MAAWG's technical commitee, I have been aggressively pushing the evaluation and testing of various sender authentication proposals. MAAWG members have collaborated to evaluate SPF and Sender ID behavior in real-world environments over the past several months.
These nascent technologies do show promise as useful weapons in our arsenal to combat messaging abuse. However, they are also incomplete and can pose a serious risk to the successful delivery of legitimate messages if implemented as currently specified. The MAAWG members felt that it was important to share our findings and invite public comment. If we look at these technologies objectively and recognize both their strengths and limitations, we can continue to improve them to make them more effective.
While SPF and Sender ID both clearly need more work before they are ready for prime time, they are also far from being the only viable solutions for domain-based sender authentication. There are stronger forms of domain authentication, such as DomainKeys and Identified Internet Mail, which are not susceptible to the forwarding and forgery limitations of SPF and Sender ID. These and other proposals are all still in the development and testing stages, and EarthLink is once again at the forefront of the efforts to develop them into acceptable standards.
We began signing some of our outbound email messages with DomainKeys a few months ago. Today, more than 70% of the mail that originates from EarthLink mail servers has been signed with DomainKeys. That means that those who receive these messages will be able to determine that EarthLink sent them, no matter how many times they have been forwarded. In the future, with this technology, we may sign messages to indicate that we have spam- and virus-scanned the message before sending it. We may also use this technology in our messaging applications (e.g., EarthLink Mailbox, Web Mail, and our new free voice and instant messaging service, called Vling, which is now in beta) to distinguish authentic EarthLink communications from any impostors.
Once we have rock-solid authentication of the sending domain, we still have much more work to do before we can kill spam completely. Now that you can tell that a message came from DomainX, how do you know whether or not DomainX is trustworthy? That's where a whole new breed of technology, called reputation systems, will come into play. Reputation is the next frontier in our efforts to develop technology to kill spam. Now that the good guys have aligned under the MAAWG umbrella, we have more than a fighting chance to identify and deploy solutions that fight spam without impeding the flow of legitimate email.
The bottom line is that Sender ID is not a "silver bullet" kind of solution. No domain authentication scheme can guarantee that your message will go straight to the intended recipient's inbox; nor can they guarantee that a message you receive really does come from who you think it came from. Senders of legitimate email should not view sender authentication as an immediate solution to deliverability problems. Recipients also need to be sure not to equate "authenticated" with "desirable."
Tripp Cox
Chief Technology Officer
EarthLink, Inc.
Spammer Pleads Guilty to Federal CAN-SPAM Act Violations
Today marks one of the first successful federal criminal prosecutions of a spammer under the CAN-SPAM Act. This latest victory is also a great example of EarthLink working with law enforcement to protect the public, even when it extends to cyberspace.
In November 2004, our abuse investigations team received hundreds of complaints about a spammer who was sending messages from our network soliciting leads to sell or rent the email recipient’s timeshare. (By Jan. 2005, those complaints totaled over 50,000, all of which were handled by EarthLink abuse engineers.) Our talented investigators identified the messages’ origins in a remarkably short time, and a John Doe civil lawsuit was filed the following December.
Once the spammer was identified as Peter Moshou, EarthLink worked with the FBI to launch a criminal investigation in January. Within a week, the FBI had searched Moshou’s mother’s home from where he had sent some of the spam. The evidence gathered was enough to lead Moshou to plead guilty to one count of violating the CAN-SPAM Act, which carries a maximum prison time of 3 years.
I’d like to give big kudos to the FBI cybercrimes team here in Atlanta for their responsiveness and quick thinking. Throughout the investigation, they have diligently worked with the U.S. Attorney’s office (Northern District of Georgia) to not only secure the search warrant, but successfully prosecute the case.
This is the first of what I hope will be many criminal prosecutions to put spammers and other online criminals behind bars. It’s very satisfying to know our anti-abuse efforts are working, and that these criminals are getting what they deserve. I look forward to posting another victory again here soon.
Lindsey Wegrzyn, JD
Operations Legal Analyst
EarthLink, Inc.
Prolexic Technologies released their findings in a report yesterday of which Internet Service Providers (ISPs) network's contain the most zombie computers.
Prolexic Technologies praised EarthLink, Inc. as one of the major ISPs that doesn't have a significant number of zombies in its network. "Prolexic chief technology officer Barrett Lyon said the report could indicate that some Internet providers don't protect their customers as much as companies like EarthLink Inc. that doesn’t show up on the list."
In other words that's "A big ‘booyah’ for EarthLink" and its users.
The FTC launches "Operation Spam Zombies." The new FTC project aims at helping Internet Service Providers (ISP) develop best practices for fighting spam.
Examples of these proposed best practices:
* block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
* apply rate-limiting controls for email relays.
* identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
* give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
* provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.
Here's a new twist on the term spam. Start with an inappropriate web page that misleads a search engine, so they can increase their relevancy ranking, and you have Search Engine Spam. Typically these web sites provide little benefit. What is obvious though, is their intent to generate revenue from advertising or the extreme, distribute spyware. Here are a couple of articles about search engine spam.
Bill Hunt from SearchEngineWatch
Yahoo! defines search engine spam
Jefferson Graham, USA Today - scroll down to the part about "computer-generated directories" this is one way search engine spammer generate revenue.
OK, so what can we do about this problem? Rightfully so, the search engines want to know about and remove search engine spam. Thereby making the search engines better for their users. See this expert from Google's report spam (link below).
"Trying to deceive (spam) our web crawler by means of hidden text, deceptive cloaking or doorway pages compromises the quality of our results and degrades the search experience for everyone. We think that's a bad thing.
If your Google search returns a result that you suspect is spam, please let us know..."
Google, Yahoo! and MSN's search all have ways to to report search engine spam.
Have you ever wondered if anyone actually buys anything from spam messages? Obviously, some people must or spam wouldn't exist. In this article by Alan Chapell, he discusses some recent research done by Forester. Some interesting findings include that people open 20% of their spam and that up to 40% of the people actually buy something. He goes on to raise some interesting points about not just fighting spam from the supply side, but also the demand side.
Did you ever wonder what happens when you click on the "This is spam" button in your email client? Different ISPs and different mail client providers handle it differently, but the actions generally fit into two categories:
1) First, the data is collected and aggregated to help improve content filters. When enough of a reported email is submitted, a "profile" of that email can be identified and a content filter can be written to filter it out before it arrives in your inbox. This can both be done "locally" on your computer, where you build up personalized filtering specific to you, as well as "globally," where the data is aggregated across a wide set of users and server-side filters are written for everyone.
2) Some email providers send a stream of these reported spam emails back to the ISP where the email originated. AOL is particularly good about reporting these emails. This stream is very valuable in helping to determine where spammers originate and then helping to shut them down.
So, if you find spam in your inbox, be sure to click on the "This is spam" button. The data you are providing by doing this goes a long way to improving the spam filtering for you and others, and in helping to identify spammers and shutting them down.
One of the most common questions we receive is: How did spammers get my email address? Believe it or not, you probably gave it to them. You just didn't know it. In order to prevent your email from getting filled with spam, it helps to know how spammers operate. Here are two common ways they get a hold of your email address:
1. Spammers crawl the web looking for email addresses. The Center for Democracy & Technology published a report that reveals this key information: "Email addresses posted on Web sites or in newsgroups attract the most spam." If your email address appears visibly on a personal website, message board, or even on commercial sites like eBay and Amazon, chances are pretty good that a spammer harvested it.
2. Spammers buy lists of email addresses. The same research showed that most commercial websites will honor your privacy if you choose not to share your email address with their partners. However, there are a few unscrupulous companies who don't, and there are some websites that don't even give you the choice. It's possible they pawned your email address. For example, if you downloaded free software from a company you've never heard of, you probably had to give them your email address before you could begin the download. They may have then sold your email address to a spammer. That's why they're able to provide the software for free.
How can you combat this? Easy. Just create two email addresses. Use one on the web for things like downloading software and posting comments on message boards or blogs. If you write a review at Amazon for a new book you just read, use that email address. It's not like you'll need to check that email box very often. And when it does become inundated with spam, you can just stop using it and create a new one.
For your ongoing email communication, create another email address that you keep private. Give it out to just your friends and families, and use it for your every day email. Do not give it to companies you don't know anything about. And never, never, never post it anywhere on the web.
EarthLink offers its customers eight email addresses. To manage your email addresses and create a new one, visit your My Account page.
I'm sure everyone has received one of those emails that tell some fantastic story that is almost too incredible to believe. Recently, I've seen a lot of claims of Tsunami photographs, or maybe you've received an email about some new virus that has been circulating. Before you blindly forward these emails to 10 of your friends, it's a good idea to check if it's actually a hoax. One of the best ways to do this is to check Snopes, www.snopes.com. Snopes is a great web site that explains and documents well-known hoaxes on the Internet. It explains which Urban Legends are true vs. which are, well... Urban Legends.
Although forwarding these types of email may not be considered spam by most people, (I'll talk about spam definitions later) it's good netiquette to check the veracity of a story before forwarding it on. Plus, it can be fun to write back, "Nice email, but not true. See Snopes."
Georgia Governor Sonny Perdue visited the EarthLink headquarters yesterday to announce that he is introducing a Georgia spam bill. Having participated in discussions with the Governor’s office over the last month or so, it was particularly satisfying for me to see the Governor and our CEO Garry Betty standing there talking about spam laws and working together to get rid of spam.
I thought I would take some time to jot down a few thoughts on spam and the law.
1. Why do states need spam laws if there is already a federal one?
Short answer: We need all the ammo we can get.
Long Answer: State laws can act as more pieces in the big puzzle of stopping spam. Some, like Georgia’s will, make it a state crime. This brings more law enforcement agencies and prosecutors into the battle and therefore more resources focused on stopping the criminals. The hope is that every time a new law is passed or a person is charged, the spammers start to think a little more about what they are doing and what the chances are that they will get caught. In addition, state laws can expand the number of people that can sue spammers. The federal law limits civil remedies to the ISPs. The Georgia law is likely to give anyone with a domain name and a computer the right to sue someone who sends deceptive email to their address and computer. EarthLink has been suing spammers for several years by using a combination of federal and state law. A new state law that targets deceptive commercial email gives us another arrow in our quiver. Anything can happen in a lawsuit. The more laws that are broken increases the chance that these guys will be stopped.
2. Can laws really reduce spam?
Short Answer: Absolutely.
Long Answer: There have been many media reports lately, one year after CAN-SPAM, that say it has been a failure and done nothing to reduce spam. I don’t think anyone (lawmakers, lawyers, ISPs and others) thought that CAN-SPAM would end spam immediately. I hate to keep using war terminology but it fits. In the long run, every new legal remedy that is available along with technical solutions and consumer education help win the battle. Technical solutions may ultimately be most effective but for now we should use everything available to stop spam. If we have to take them out one at a time so be it.
3. Does complying with CAN-SPAM make it ok to send spam?
Short answer: Not even close.
Long answer: Long before CAN-SPAM, spammers were being sued successfully under existing federal and state law. Sending unsolicited commercial email can still violate a number of laws including the Computer Fraud and Abuse Act, Lanham Act, RICO Act, Computer Theft and Trespass, trespass, unfair competition, deceptive trade practices, misappropriation of computer resources, conversion, unjust enrichment, and others. It is a common misconception that CAN-SPAM made spam legal. It is just not true.
In summary, spam laws are good, helpful tools to combat spam. They won’t end spam alone but along with technical solutions and consumer education, they will eventually help us get rid of spam and spammers forever.
It's not everyday that the governor shows up at our offices. So most of EarthLink's Atlanta-based staff crammed into the lobby of our building this morning when Gov. Sonny Perdue showed up to propose new legislation called the Slam Spam Act. EarthLinkers cheered when he announced the new bill, which would make it a felony to send spam in Georgia, and we got a big kick out of this quote from the governor: "I used to like spam before it got redefined."
I've got a little trepidation. This is my first post to my first blog and I'm not sure where to begin. How about a quick introduction? My name is Stephen Currie and I'm the Director of Product Management for Communication Applications at EarthLink. As a part of that job, I'm part of a team that builds our Email Applications: Mailbox, Web Mail, spamBlocker, VirusBlocker, etc. I've been working in this capacity for several years at EarthLink and I've had the chance to observe and react to a lot of changes in the "Email" and "Communication" space. I'm hoping to use this blog to communicate more widely some of my observations about what is happening and how it relates to all of us that rely so heavily on using the Internet to communicate.
I'm sure there are a few of you reading this, rolling your eyes, thinking, "Oh great, here's just another opportunity for EarthLink to market it's products to us." I can assure that isn't my purpose for writing. Instead, I want to cover a broad range of issues like reporting on industry events (MAAWG, Inbox), new technologies (Domain Keys, Sender ID), trends (new types of Spams, Phishers) and of course Products that help protect you and make your Internet experience better. Naturally, EarthLink products will come up and I'll likely suggest a few to you. We've got a great team of folks here at the company and we've made Internet security and protection a priority for our product development. We're not just building products that we think you will want to use, but that we want to use ourselves. We feel like that guy on the "Hair Club for Men" commercials, "We don't just work at EarthLink, but we're also customers."
So, that's about it for my introduction. I hope you tune back in later, but I'll leave you with this. Has anyone else noticed the trend in Spams from, "Low, low mortgage rates" to, "My husband is out of town and/or working late. Why don't you come over and keep me company? Click here."
Les Seagraves, Executive Editor EarthLink's Chief Privacy Officer, Les Seagraves, serves as Executive Editor of the Protection Blog. Les is a general counsel with EarthLink's legal department, where he leads the legal battle against spam and fraud. He's a frequent speaker for trade groups, conferences, continuing legal education and college classrooms. A true technology lawyer, Les has testified in congress and consulted with federal and state legislators on privacy, spam and other areas of technology law.
Mike Strutton As the Director of Product Management for EarthLink's Software Products, Mike has been engaged with many of EarthLink's protection products, aka The Blockers, as well as TotalAccess for Windows and Mac. Mike has been with EarthLink for over 10 years and has over 12 years of internet experience. Mike is an avid fan of the Apple Macintosh, but don't let that fool you, while he totes his Powerbook everywhere, he surrounds himself with 3 Dells in his office and 3 more at home.
Stephen Currie EarthLink's Director of Product Management for Communication Products is Stephen Currie, who oversees the EarthLink mail client, including the development and implementation of email tools like EarthLink spamBlocker. Stephen has also represented EarthLink at industry coalitions aimed at eradicating spam and other Internet abuse, and his expert opinion on spam has been featured in national media coverage.
Scott Mecredy A Senior Product Manager for Protection Software at EarthLink, Scott Mecredy has been developing consumer software for over 7 years. An industry thought leader (place pointer finger on chin and look longingly into space), he helped create ScamBlocker, the first comprehensive Phisher protection product available in the market. Scott's a Rock Star (in his own mind), and lives for one thing: a successful software launch.
Liza Barry-Kessler EarthLink's Senior Product Manager for Parental Controls. Although new to EarthLink, Liza is ancient in "internet years" having been online since 1987. She began her career in Parental Controls as a First Amendment lawyer at the Center for Democracy & Technology (www.cdt.org), where she was part of the team that launched the industry-wide internet-safety and privacy initiative, GetNetWise, in 1999.
Liza is also a nationally recognized expert on web filtering and internet privacy issues, both in the home and in school and library environments, and is co-author of the book "Privacy in the 21st Century: Issues for Public, School, and Academic Libraries," forthcoming from Libraries Unlimited publishers in June 2005.
