School technology leaders, beware: The Federal Trade Commission (FTC) has issued a warning to businesses, school systems, and other organizations cautioning them not to fall victim to increasingly insidious spammers who now hijack computer servers owned by legitimate entities to send a flood of unsolicited commercial eMail.

The May 15 initiative—launched in conjunction with 17 different law enforcement and consumer protection agencies—calls on businesses and other institutions, including schools, to fortify their networks against such infiltrations by closing off “open relays”—technological loopholes that let third-party internet scam artists route spam across their servers, thereby disguising the messages’ true origin.

Industry experts say schools are among the most likely targets for such attacks, because their reputations are such that people tend not to question the validity of the messages they send out.

“Schools are beautiful targets because they are inherently trusted,” said Charles Stiles, the technological director of America Online’s postmaster group, a division dedicated to protecting customers against the proliferation of illegal spam.

“Open relays” are eMail or proxy servers that maintain an open door to the internet. According to the FTC, spammers exploit open relays to avoid getting zapped by filtering systems put in place by internet service providers to protect customers from unwanted solicitations. Open relays also allow spammers to hide their true identity, making it harder for federal authorities to trace them.

The practice could have serious consequences for school systems that become victims of this tactic. Not only does the additional eMail traffic threaten to slow a school system’s network to a crawl, but a hijacked mail system also could lead to a denial of service by eMail providers.

Whether or not a school system intentionally sends the messages, many internet service providers—including AOL—have established strict blocking policies designed to cut down on the spread of spam. According to Stiles, if a school is suspected of unknowingly hawking spam to AOL customers, the company will institute a block on all eMail messages coming from the offending server until the problem is resolved or the open relay used for the attack is closed.

“There is a period of time where [eMail from an unwitting accomplice] might get blocked,” Stiles acknowledged. In the event that a block does occur, however, AOL immediately sends out an electronic notification of the problem to the offender and provides access to a 24-hour hotline dedicated to restoring service.

Still, even after service is restored, the ill will generated by the use of a school system’s servers to send spam might linger, the FTC warns. Also, recipients of the unwanted eMail messages might flood the offending school system’s servers with complaints.

According to the New York Times, at least one school already has been victimized by the ploy. Last year, AOL contacted the Flint Hills School in Oakton, Va., after customers complained they were receiving unsolicited spam, which the company eventually traced back to the school’s server.

The Times said more than 200,000 computers worldwide have been unknowingly infiltrated and are currently being used to peddle spam. “It was pretty amazing how fast our vulnerability was picked up by the spammers,” Robert Hampton, Flint Hills’ technology director, told a Times reporter.

Hampton could not be reached for further comment before press time.

As internet service providers such as AOL have begun cracking down on spam, its purveyors have been forced to search for new techniques to avoid detection. That’s why schools—with their high-bandwidth systems, large data pipelines, and expansive regional networks—”make the best kind of targets,” Stiles said.

Fifty law enforcers from 17 agencies—including the FTC, Securities and Exchange Commission, U.S. Postal Inspection Service, and U.S. Attorney General’s Office—identified 1,000 potential open relays worldwide and drafted a letter this spring urging the operators to close these internet gateways to help reduce spam.

Fortunately, fixing the problem isn’t very difficult. Checking for an open relay and securing your eMail system against unauthorized use generally can be done with just a few commands, the agency said. A page on its web site (see links) directs readers to instructions.

As long as spammers continue to find holes in vulnerable networks, Stiles said, the problem will continue to grow.

“Spamming is a money-making business,” he said. “Spammers have made a fortune out of sending this unsolicited commercial eMail. They’ll do anything to make sure the mail gets through.”


Federal Trade Commission

FTC’s Open Relays web site

America Online

Sidebar: Anti-spam program raises backfire fears
From The Associated Press

It’s being promoted as a surefire way to eliminate unsolicited eMail: Force senders to prove they are human rather than one of those automated programs that inundate the internet with spam.

Known as challenge-response, the technology obliges senders to verify their authenticity before their electronic messages can be accepted.

But the technique has consequences far beyond stymieing spam-spitting software robots, and some leading anti-spam activists fear it could backfire and render eMail useless if widely adopted.

EarthLink introduced challenge-response in late May to its 5 million subscribers, which means legitimate senders of eMail now could face many more hoops to get their messages delivered.

While the technique is not entirely new, usage has been limited to the thousands. But EarthLink expects half its customers will turn on the free service by year’s end, and other internet providers are weighing a similar offering.

“It’s sufficiently tempting that people will use it and will not realize all the bad things that will begin happening,” said Steve Atkins, an anti-spam consultant in Redwood City, Calif. “Challenge-response is very, very unfriendly and rude to legitimate senders of eMail.”

It typically works like this: When a recipient gets eMail from an unknown sender, software automatically returns a message—a challenge—requiring the sender to perform a task such as filling out a form. Presumably, spammers won’t bother.

Supporters liken the technique to knocking on a door and asking permission for entry.

Recipients may pre-approve senders—the equivalent of giving them a set of keys so they won’t have to knock every time. But if recipients forget, eMail discussion lists and the people who run them could get bombarded with challenges. Some lists have thousands of subscribers.

Worse, some of those messages could get broadcast to all of a list’s recipients, some of whom might send back additional challenges, creating an endless and annoying “mail loop.” (Early attempts to design automated “out-of-office” messages suffered similar problems.)

In light of EarthLink’s announcement and the prospect of millions more users sending challenges, many list administrators already have vowed to ignore them, effectively barring recipients who employ the technique.

“They can get pretty overwhelming is a nice polite way of putting it,” said David Farber, a former Federal Communications Commission chief technologist who runs a 25,000-member list on technology.

Though Farber is sympathetic to the war on spam—up to half his inbox is junk—he considers challenge-based techniques too simplistic.

EarthLink’s spam filter blocks up to 80 percent of spam. But spam has increased sixfold over the past 18 months.

The company decided to offer its customers the challenge-response option because cranking up spam filtering would only cause more legitimate mailings to get tossed by mistake, said Jim Anderson, vice president of product development.

“It’s as close to a silver bullet as you’re going to get,” Anderson said. “We’re simply providing a tool for customers to retake control of the inbox from spammers.”

Others deem challenge-response a knee-jerk reaction.

“I’m worried people are going to implement systems like that too quickly because they are so desperate,” said Eric Thomas, chief executive of L-Soft International Inc., a Swedish company that makes the popular Listserv mailing list software. “The cure might be worse than the ailment.”

America Online now blocks up to 80 percent of incoming eMail traffic, or more than 2 billion messages a day.

But company spokesman Nicholas Graham says AOL won’t adopt challenge-response, because having to send out 2 billion challenges a day would tax the system. And why create delays for subscribers?

“They don’t want to hear, ‘You’ve got mail—and you just have to wait a few minutes longer,'” Graham said. “They expect to get eMail quickly and responses quickly.”

Anderson said Earthlink has developed the system over several months to minimize the burden on users and list administrators.

The pre-approved sender scheme presents difficulties, however, because it doesn’t work well with Yahoo Groups and other services where multiple list members post.

Online receipts from and other eCommerce sites also create problems; because they are automated, they won’t respond to challenges.

Robert Craddock, chief executive of challenge-response developer, said that although the system requires legitimate senders to do more work, “I don’t think that’s a lot to ask in this day and age when everybody’s eMail box is getting inundated.”

Some spam experts question whether such techniques will even work. They believe spammers will figure out how to automate responses to challenges and also learn to make messages appear to come from preapproved senders, said John Levine, a board member of the Coalition Against Unsolicited Commercial eMail.

“It’s very easy to come up with things that look like a solution,” Levine said. “Lots of people say this will solve everything, spam won’t be a problem anymore. Of course, they said the same things about a variety of previous techniques.”