May 18, 1999

War on spam claims legit e-mail

by Paul McNamara

(IDG) -- In the interest of fighting spam, Tivoli has trained its in-house e-mail system to reject up to 5% of all incoming messages, even though the company knows that some of those messages are legitimate business correspondence. Senders of the bounced e-mail get a link to a Web page that explains the policy.

Any resulting inconvenience for customers or employees is a reasonable price to pay for spam protection, contends Steve Jones, manager of enterprise network services at Tivoli in Austin, Texas. While Jones is not alone in that assessment, the unusually aggressive tactic has sparked debate within the company and among antispam experts.

"It doesn't make sense for you to throw away mail that you want unless the cost of getting and processing the spam is so high that it is worth the lost business," says Paul Hoffman, director of the Internet Mail Consortium (IMC). "I don't believe that is the case here."

At the heart of the matter is "open relay" spamming, the practice by which spammers exploit an element of Simple Mail Transfer Protocol (SMTP) to send junk e-mail through the servers of unwitting companies and service providers. Such spam can sap server processing capacity and, perhaps more important, leave the false impression that the victimized server owner actually sent the offensive e-mail, thus creating the potential for a public relations disaster.

In general, experts agree on the wisdom of closing those open relays and providing alternate means of e-mail access for off-site employees. The disagreement surrounds the question of how to treat e-mail from ISP and corporate servers that remain open to relaying because their owners cannot or will not close them. About one-third of all SMTP hosts remain open to relaying, according to a 1998 IMC survey.

A relatively small number of antispam hardliners, including Tivoli, are choosing to treat e-mail from these open relays as inherently suspect. They are using a "blacklist" database called ORBS - Open Relay Behavior-modification System - to either bounce or filter out for further inspection any e-mail that arrives from open relays. Another antispam service called MAPS (Mail Abuse Prevention System) Realtime Blackhole List is more widely used but much less controversial. MAPS targets known spammers and their ISP "accomplices," as opposed to any open relay server and, therefore, blacklists far fewer sites than does ORBS.

Alan Brown, who administers ORBS from his small ISP in New Zealand, says three dozen ISPs and companies worldwide receive periodic updates of the ORBS database. In addition, "10,000 to 20,000 hosts are doing regular Domain Name System lookups against the ORBS list, but there is no way of translating that back to a number of actual mail servers," he says.

The ORBS database relies on public submissions to identify open relays and currently lists about 100,000 SMTP hosts, a number that has more than doubled in the past six weeks, "thanks to a couple huge, overlapping spam-trap submissions," Brown adds. He has no qualms about trading bounced e-mail for better spam control.

"I'm happy to put up with some legitimate mail being tossed out with spam, simply because it's the legitimate mail being lost and the users beating up on their network administrators that cause those servers to get fixed," says Brown, who defines "fixed" as closed. "The more legitimate mail that does get blocked [by such policies], the faster those open relays get fixed."

Bringing such pressure to bear on companies, whether they are spammers or not, strikes some as unfair, if not bad business.

"It's overkill," says one Tivoli employee who reports having had significant problems with legitimate business e-mail getting bounced. "We look like we don't know what we're doing."

Another Tivoli employee, who also requested anonymity, says the company's policy has supporters and detractors among the rank and file.

"It was evenly split," he says of a recent internal e-mail thread on the subject. "There were a lot of people who felt that we should not be telling other companies how to run their businesses [by demanding they close their relays]." He, too, has doubts, but adds, "The fact is, I really like not getting spam."

The most recent IMC survey of relay status last July showed that about one-third of SMTP e-mail servers remained open, down from about one-half in February 1998. While director Hoffman agrees with most experts that companies should close their own relays to ward off opportunistic spammers, he does not believe the practice will be effective in stemming the overall volume of spam.

"Because there are so many open relays, if we closed 99% of them, that would cause [only] an imperceptible drop in the amount of spam . . . and we're never going to get to 99%," Hoffman says. "This is a cheap way of doing spam filtering that is known to be not effective."


