Iowa State University IT

Spam FAQ

Today, spam pervades the Internet, affecting millions of email users every day. At Iowa State University, email system administrators, information security professionals, and help desk support personnel receive many questions each day concerning spam, with most inquiries focused on how spam can be prevented.

This FAQ is designed to provide you with more information about spam, what Iowa State University is doing to reduce the amount of spam that reaches your mailbox, and additional tactics you can use to help reduce the amount of spam you receive. (Adapted from Ball State University spam website.)

What is Spam?

Spam can be defined in many ways, but a common definition describes spam as a slang term for unsolicited commercial email that is sent in bulk to many addresses. Many people think of spam as the online equivalent of junk mail that you receive in your postal mailbox every day. Spam is sometimes more broadly defined to include such items as email scams and chain letters.

How Much Spam Does Iowa State Receive?

It is difficult to quantify the amount of spam Iowa State receives daily, partly because people define spam in so many different ways. It is estimated that about 40 to 60 percent of the total volume of email that Iowa State receives each day qualifies as spam, using the broader definition of the term.

Why Do I Get Spam?

If you have included your email address in a webpage that is visible from the Internet, more than likely some spammer's robot web surfer has scanned that page, discovered your address there, and added it to a mailing list. Spambots also scan through Usenet newsgroups and online forums looking for addresses; if you've posted under your real address, they'll probably find it there also.

Commercial websites often offer special discounts and prizes if you'll fill out some information. If you have filled out a form on a commercial webpage asking for your name and email address, it could well have been sold to a spammer. Those are the most common ways of getting your email address on a spammer's mailing list. Unfortunately, they are not the only ones; there are many other ways for your email address to end up on a mailing list.

Many Windows viruses look for email addresses by scanning the hard disks (and sometimes network shares) of the machines they infect. While all mass-mailing viruses use those addresses to spread themselves around, some (particularly the Lovgate series) are believed to send the addresses they find to a spammer.

If you work for the State of Iowa (like most of us on staff at Iowa State), some of your personal information is a matter of public record by law. That includes email addresses. Student addresses are different because of Federal laws concerning privacy. Your email address appears by default in the directory (and on the Iowa State website, where extremely clever bots or not-so-clever humans with lots of time on their hands can harvest it). Students can have their email address suppressed from the directory by contacting the Office of the Registrar.

Where Does All This Spam Come From?

This is a difficult question to answer since it is difficult to define which email constitutes spam and which does not. For example, many of the good-luck chain letters you have received probably came directly from family, friends, fellow students, and co-workers. Many email scams are sent from free, web-created email accounts that can be set up on any one of a dozen or more websites that provide such services.

In the case of commercial spam, many of the less scrupulous spammers have resorted to a wide variety of "guerilla tactics" to get their advertisements past spam filters and viewed by as many people as possible. The push to restrict and curtail spam by blocking it has likely fueled these subversive tactics. As the "noise" level of spam is decreased by efforts to block spam, it becomes more likely that users will actually read the smaller number of advertising messages that do make it through to their inboxes. Other than the use of freely created web-based email accounts, the five most common methods of delivering spam are described in the following sections.

Professional Spammers

Professional spammers are essentially marketing companies that sell "spam services" to other companies, much like any marketing company would sell other forms of advertising services. Unfortunately, in the online world much of the cost of this type of direct marketing is shifted to the receiver of the advertisement rather than to the sender of the message.

Because of widespread efforts to block spam, professional spammers must either use creative techniques to get users to "opt in" to or "request" the advertisements, or find creative ways to harvest email addresses and deliver spam so that they cannot easily be blocked from sending spam again in the future. One technique professional spammers use is "hopping" from one Internet Service Provider (ISP) to another to make it very difficult to determine where the next round of spam they send will come from. Many ISPs only charge in the hundreds or perhaps thousands of dollars for the setup of a commercial site. A professional spammer can then use this to send potentially millions of email messages before having their service cut off.

Companies That Send Their Own Spam

Well-known businesses sometimes engage in the practice of sending spam directly from their own servers. Although most businesses now refrain from this practice, the issue remains a troubling one since all established businesses should be well aware of the unacceptable nature of this activity.

Use of a Third-Party Server To Relay Spam

Currently, the most common method of sending spam involves "hijacking" the mail server of a computer located somewhere across the Internet, and then using that server to send spam. Often, hundreds of thousands or even millions of messages are sent before what has occurred is discovered. Once the true system owner discovers what allowed his/her system to be "hijacked" for distributing spam, they often act to correct the situation as soon as possible. However, by then the spammer has accomplished his/her goal and all of the messages have already been sent through the "hijacked" server. To send more spam, the spammer must search the Internet for the next available victim whose server can be exploited to do the work of delivering millions of spam email messages.

"Hijacking" of Personal Computer Systems

High-speed Internet access is now available to most people throughout the world, many of whom have DSL, cable modem hookups, and other methods of high-speed Internet access to their own home personal computers. Unfortunately, most of these personal computers are connected directly to the Internet and are not well-secured--leaving them open to attack and exploitation.

Many spammers have discovered that a single personal computer, probably much like the one you are using to read this message, can (in the hands of a spammer) be transformed into a powerful email spam-delivery server capable of delivering hundreds of thousands of email messages per hour. Because of the great number of personal computer systems that are connected to the Internet, and because more are being connected every day, spammers are often able to "hop" from one personal computer to the next. In some cases, spammers exploit dozens of systems at the same time to continue delivering spam across the Internet.

The problem of unprotected personal computer systems continues to grow each day. Protecting against spam and other malicious use from these systems also continues to grow more challenging.

"Opt-Out" Mailing Lists

Some companies and organizations have adopted the practice of "signing up" individual users for email lists without their permission, perhaps only with the briefest previous contact with the responsible company. Other companies have obtained the user's consent to add them to the list surreptitiously, often by offering "free software" or promising other "prizes" and then only in the very fine print explaining that by providing the email address, the user agrees to receive any and all emails from the company in question.

These companies sometimes provide an "opt out" link or contact information so that the user can be removed from future mailings, but these links are just as often used to gather information about who is actually reading the mail messages and then used to send even more spam.

Is It Possible To Stop Spam?

There are many ways in which spammers can reach your inbox. In addition, the problem of classifying what spam is becomes even more difficult on a campus-wide system with thousands of users. It is impossible for anyone besides the individual account user to determine which email messages are "solicited" and which are sent without the recipient either requesting it or agreeing to receive it. Often one person's spam will be another's requested email.

There are certain cases, however, in which it is possible to determine with a very high degree of confidence that a message is spam and can therefore be discarded. For example, professional spammers can be identified and all email being sent from their servers can be blocked. Companies that engage in practices of sending unsolicited email can be blocked until their policies are revised to address such abuse. Email servers that are unprotected and open to third-party hijacking can be identified, and in the cases where the systems administrator either fails to respond or refuses to protect the system from attack, spammers can be blocked until the problem is resolved.

Mail sent from personal computers can be blocked if the address ranges of ISPs that are assigned to personal computers can be identified. In these cases, the home computer users should be using the ISP's mail server rather than their local computer system as the actual delivery agent of the message.

Although it is technically possible to enable blocking based on the criteria described above, there are two important challenges that Iowa State faces in attempting to identify and block spammers using these criteria.

First, the Internet contains many hundreds of thousands of computer systems that are changing every day. Keeping track of which systems are being used by spammers and which are legitimate systems would be a Herculean task that would be impossible to keep up with on a daily basis.

Second, even if it were possible for Iowa State to identify spammers and block them, such an action by Iowa State alone would likely be insufficient to cause the spammers to change their practices and refrain from sending future spam, and the problem would persist.

Although the challenges described above are formidable, IT Services has implemented a system for dealing with spam that addresses these complex issues. This system is already in place to help reduce the amount of spam that reaches Iowa State and is described in the next section.

What is Iowa State Doing About Inbound Spam?

While stopping spam is nearly impossible, IT Services has implemented a spam detection system at Iowa State to help you manage the problem. Similar to caller-ID service on your phone, the spam detection system can help you screen out unwanted email. By comparing an email with a set of criteria, the PerlMX tagging system determines the probability that the mail is spam and denotes it accordingly with a specific tag. Then you can decide how you want to handle the mail. Many users choose to set up filters and transfer the flagged mail to its own mail folder for reviewing later.

Several videos in the "Do IT" series provide step-by-step instructions for setting up filters in various email programs. These can be found at http://www.it.iastate.edu/doit/.

The following documents provide details on setting up header-based filters for spam tagging.

Iowa State also uses greylisting to cut down on spam. Greylisting is a method of blocking potential spam based on how a server sends email. When an ISP attempts to send email to an address and receives an error message, legitimate ISPs will generally re-try within a short time while spammers are not likely to re-try the connection. In Iowa State's implementation, a host will receive a "temporarily unable to connect" message the first time they try to send email to an "@iastate.edu" address. A second attempt to connect will be successful; the sender and host are then added to a database where they are "white-listed" for a set time.

Legitimate email servers follow Internet protocols that include queuing mail and retrying the connection over a period of time. Thus, legitimate email is not likely to be affected by the greylisting implementation. Some mail servers, however, do not properly follow the Internet mail protocols, and will have problems sending mail to Iowa State addresses. If you are experiencing problems, contact the Solution Center at solution@iastate.edu or 515-294-4000. Iowa State users who wish to opt out of greylisting can do so through the utility at https://asw.iastate.edu/.
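
The greylisting decision described above, as an added sketch that is not Iowa State's implementation: the first attempt from a (host, sender) pair gets a temporary failure, a retry is accepted, and the pair is white-listed for a set time. The reply texts, the two time limits and the names `Greylist`, `check` and `opted_out` are assumptions made for illustration.

```python
import time

# Constructed SMTP replies: 451 is a temporary failure, so a standards-following
# server queues the message and retries; 250 means the message is accepted.
TEMPFAIL = "451 4.7.1 Temporarily unable to accept mail, please retry later"
ACCEPT = "250 2.0.0 OK"


class Greylist:
    """Greylisting keyed on (sending host IP, envelope sender)."""

    def __init__(self, whitelist_ttl=30 * 24 * 3600, pending_ttl=24 * 3600,
                 clock=time.time):
        self.whitelist_ttl = whitelist_ttl  # assumed "set time" for white-listing
        self.pending_ttl = pending_ttl      # assumed window in which a retry counts
        self.clock = clock                  # injectable so tests can control time
        self.pending = {}                   # (host, sender) -> time of first attempt
        self.whitelist = {}                 # (host, sender) -> expiry time
        self.opted_out = set()              # local recipients who opted out

    def check(self, host_ip, sender, recipient):
        now = self.clock()
        key = (host_ip, sender.lower())

        # Users who opted out of greylisting always get immediate delivery.
        if recipient.lower() in self.opted_out:
            return ACCEPT

        # A pair that already retried successfully passes until its entry expires.
        expiry = self.whitelist.get(key)
        if expiry is not None:
            if now < expiry:
                return ACCEPT
            del self.whitelist[key]

        # A retry inside the window proves the sender queues mail: white-list it.
        first_seen = self.pending.get(key)
        if first_seen is not None and now - first_seen <= self.pending_ttl:
            del self.pending[key]
            self.whitelist[key] = now + self.whitelist_ttl
            return ACCEPT

        # First contact (or a retry that came too late): defer and remember it.
        self.pending[key] = now
        return TEMPFAIL
```

A sender that never retries stays in `pending` and never reaches the mailbox, which is the property greylisting relies on.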

What About Spam Being Sent From Campus?

IT Services has taken a step toward blocking outbound spam by adding a new PureMessage (PerlMx) tag to email processed by mailhub.iastate.edu. This effort will assist in keeping Iowa State from being blacklisted by outside entities. Blacklisting occurs when an outside entity blocks all email coming to them from the "iastate.edu" domain, meaning the email being sent out is prevented from reaching its intended destination.

Beginning March 3, 2008, IT Services will bounce or reject email sent to the mailhub server that PureMessage (PerlMx) rates with a very high probability of being spam. The probabilities are gathered from statistics found in the header of an email. The initial percentage will be set high and emails that are rated at a percentage of 98 percent or more will be bounced. The goal is to gradually lower the percentage to a point where obvious spam is blocked.

It is possible, although highly unlikely, that an occasional legitimate outbound email will be blocked. If your outbound email was blocked due to a high spam probability, you will receive a bounced email with an error message similar to the following:

    ----- The following addresses had permanent fatal errors -----
    <joeuser@.iastate.edu>
    (reason: 550 5.0.0 Email rejected because spam probability too high. Please see:
    <http://www.it.iastate.edu/spam>)

If you have created a legitimate email and are getting a bounced email due to its high spam probability, contact your local IT specialist or the IT Services Solution Center at 515-294-4000, solution@iastate.edu, or by visiting 195 Durham Center.

If These Actions Have Been Taken, Why Am I Still Receiving So Much Spam?

Because many institutions and organizations have implemented spam blocking procedures similar to those Iowa State is using, spammers are constantly trying to find new ways to deliver spam that can get past the filters that have been put in place.

One of the most common methods is the use of free web-based email accounts. This kind of spam is difficult to block since so many people use these services for their legitimate personal email. For example, free email accounts on Hotmail and Netscape are frequently used by spammers, yet these systems are also used by thousands of individuals to send legitimate personal email. Therefore, blocking web-based email systems from sending email to Iowa State would have the effect of blocking a great deal of valid email.

Is Some Of My Email Being Blocked?

IT Services does not block incoming email at Iowa State. If you seem to be missing some email, it is possible that the email filters set up within your email program have directed legitimate email into your spam or junk folder. Scan your spam or junk email folder within your email program prior to deleting the mail in it. As noted above, some outgoing email may be blocked if it has a very high probability of being spam.

Can Iowa State Use Stronger Methods of Spam Blocking?

A stronger defense against spam is content-based filtering. In a content-based filtering system, the actual content of the email messages is examined to determine whether or not it appears to be spam, rather than checked to determine whether the source of the email message has originated from a known spammer. However, content-based systems result in a much higher "false positive" rate; therefore, much more legitimate email is blocked in this type of system. Additionally, it is quite difficult to manage a list of words or phrases that can be used to distinguish spam from legitimate email.

Individual users are free to create custom rules for content-filtering inside the email client. These rules can be configured to filter or sort incoming email based on content of the individual user's own choice.

Is There Anything Else I Can Do To Cut Down On the Amount of Spam I Receive?

In addition to spam filtering techniques, there are several things that you can do to cut down on the amount of spam you are receiving.

Unsubscribe from Mailing Lists

Some of the spam you get isn't really spam. If you signed up for a mailing list on a commercial website, the messages from that company aren't spam since you did ask to be on the mailing list. Read the fine print before signing up for something on a commercial website. Some companies are good about spam; they won't sell your address to anyone else. Others are not so good, and will sell your address to anyone with money. Read the privacy policy before you sign so you'll know which is which.

Do Not Reply To or Follow Web Links Inside Spam Messages

Although many email messages offer you a link to click in order to "remove yourself from the mailing list", these links are almost always invalid and, in fact, are used to verify the existence of a valid email address or to confirm that the message was actually read. This information is used to send you more spam, not less. The only exception exists when you have affirmatively taken steps to sign up for a mailing list, and messages from that list include instructions for unsubscribing.

Maintain a Separate Temporary Email Address

Consider keeping your primary email address private, and then use a secondary free email account for temporary use for web forms where an email address is required. You can delete the free account if it becomes overrun with spam and create a new one, leaving your primary email account intact and clutter-free. It is widely recognized that using your primary email address on any web-based forms will likely result in spam and that spammers frequently scour the Internet searching for more email addresses.

Be Careful In Sharing Your Email Address

This is related to the above, but you should be cautious about sharing your primary email address in all situations. Only give it to people or companies that you know will not distribute it to third parties.

Use Custom Email Rules to Eliminate Frequently Recurring Spam

You may decide to use custom email rules to filter spam from your inbox. For example, you might create a rule that will move all email with the words "MAKE MONEY FAST" to a particular folder in your email account, and then make a quick review of that folder later to determine if any of the messages are legitimate. If not, you can select them and delete them all at the same time.

Links to instructions and videos on how to set up filters and use custom email rules can be found on the Spam page.

How Can Spam Be Reported?

Unfortunately, most email addresses receive a large volume of spam. In general, the best defense against spam is to take advantage of the spam detection system and automatically filter the email into a spam folder. However, it may be appropriate to report some spam by taking the following steps:

  1. Don't assume that the From: address is correct. In most spam email this is a bogus or forged address. Sending email to that address will only cause it to be bounced or get to someone who was also a victim of the spam. This is particularly true of spam generated by a virus.
  2. To determine an appropriate address to forward the spam to, you must first get the full email headers. Go to the IT FAQs page and search for "header" and your email program name (e.g., Eudora) for more information about expanding headers.
  3. The address of the originating site will normally be in the bottom "Received" line. It may look something like this:

    Received: from onepc.fastconnect.com(onepc.fastconnect.com [10.10.140.32]) by despam-1.iastate.edu (8.12.4/8.12.4) with ESMTP id i37GQsw8008919 for <student@iastate.edu>; Wed, 7 Apr 2004 11:26:55 -0500

    In this example, the originating system is onepc.fastconnect.com with the originating Internet Service Provider (ISP) being fastconnect.com.
  4. If the spam appears to have originated at Iowa State (iastate.edu), forward the email with the full headers to abuse@iastate.edu. Using university facilities to send spam is a violation of the ISU Code of Computer Ethics and Acceptable Use. We will look closely at the email and take appropriate action.
  5. We can only take action on spam that originates at Iowa State. If you want to report spam that originated from another ISP, you may send the spam with the full headers to that ISP. For the above example, the address would be abuse@fastconnect.com.
  6. The Federal Trade Commission maintains a spam database for law enforcement actions. A complaint including the full headers may also be sent to uce@ftc.gov.
  7. Please note that the administrators who will receive your complaints are just as frustrated dealing with the large volume of spam as you are. Be polite in your message asking for assistance in stopping the spam.
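
Steps 3 to 5 above, as an added Python example that is not an Iowa State tool: it reads the full headers, finds the originating site and picks the abuse address. It goes one step beyond the bottom-line rule by using the lowest "Received" line written by an iastate.edu server, since anything below that line was supplied by the sender and can be forged like the From: address. The sample message, the host `mailbox.iastate.edu` and the names `find_origin` and `in_domain` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample. The lower Received line is the page's example; the upper
# hop (mailbox.iastate.edu) and the From/Subject headers are made up.
SAMPLE = (
    "Received: from despam-1.iastate.edu (despam-1.iastate.edu [10.10.1.5])\n"
    "\tby mailbox.iastate.edu with ESMTP id constructed0001\n"
    "\tfor <student@iastate.edu>; Wed, 7 Apr 2004 11:26:57 -0500\n"
    "Received: from onepc.fastconnect.com(onepc.fastconnect.com [10.10.140.32])\n"
    "\tby despam-1.iastate.edu (8.12.4/8.12.4) with ESMTP id i37GQsw8008919\n"
    "\tfor <student@iastate.edu>; Wed, 7 Apr 2004 11:26:55 -0500\n"
    'From: "Bogus Sender" <someone@example.com>\n'
    "Subject: MAKE MONEY FAST\n"
    "\n"
    "body\n"
)
# Same message with a forged Received line that the sender put in before sending.
FORGED = SAMPLE.replace(
    "From:",
    "Received: from bank.example.net (bank.example.net [192.0.2.7])\n"
    "\tby relay.example.net; Wed, 7 Apr 2004 11:00:00 -0500\nFrom:", 1)

# "from HELO (rDNS [IP]) by HOST": HELO is whatever the sender claimed, while
# the rDNS name and IP were recorded by the receiving server.
RECEIVED_RE = re.compile(
    r"from\s+([^\s(]+)\s*\(([^\s\[]*)\s*\[([^\]]+)\]\)\s+by\s+([^\s;]+)", re.I)


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_origin(raw_message, local_domain="iastate.edu"):
    """Return the originating host, its ISP and the abuse address, or None."""
    msg = message_from_string(raw_message)
    origin = None
    # Headers are prepended at each hop, so the list runs newest to oldest.
    for value in msg.get_all("Received") or []:
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        if not in_domain(m.group(4), local_domain):
            break  # not written by our servers: do not trust it
        origin = m.groups()
    if origin is None:
        return None
    helo, rdns, ip, by_host = origin
    host = (rdns or helo).lower().rstrip(".")
    isp = ".".join(host.split(".")[-2:])  # simplification: last two labels
    return {"host": host, "ip": ip, "recorded_by": by_host.lower(),
            "isp": isp, "on_campus": isp == local_domain,
            "report_to": "abuse@" + isp}


if __name__ == "__main__":
    print(find_origin(SAMPLE))
    print(find_origin(FORGED))
```

Both calls report `onepc.fastconnect.com` and `abuse@fastconnect.com`; the forged line is ignored because no iastate.edu server wrote it.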

More Questions About Spam?

If you have more questions about spam, contact the Solution Center at solution@iastate.edu or 515-294-4000.