School technology leaders, beware: The Federal Trade Commission (FTC) has issued a warning to businesses, school systems, and other organizations cautioning them not to fall victim to increasingly insidious spammers who now hijack computer servers owned by legitimate entities to spew a torrent of unsolicited commercial eMail.

The May 15 initiative—launched in conjunction with 17 different law enforcement and consumer protection agencies—calls on businesses and other institutions, including schools, to fortify their networks against such infiltrations by closing off “open relays”—technological loopholes that let third-party internet scam artists route spam across their servers, thereby disguising the messages’ true origin.

Industry experts say schools are among the most likely targets for such attacks, because their reputations are such that people tend not to question the validity of the messages they send out.

“Schools are beautiful targets because they are inherently trusted,” said Charles Stiles, the technological director of America Online’s postmaster group, a division dedicated to protecting customers against the proliferation of illegal spam.

“Open relays” are eMail or proxy servers that maintain an open door to the internet. According to the FTC, spammers exploit open relays to avoid getting zapped by filtering systems put in place by internet service providers to protect customers from unwanted solicitations. Open relays also allow spammers to hide their true identity, making it harder for federal authorities to trace them.

The practice could have serious consequences for school systems that become victims of this tactic. Not only does the additional eMail traffic threaten to slow a school system’s network to a crawl, but a hijacked mail system also could lead to a denial of service by eMail providers.

Whether or not a school system intentionally sends the messages, many internet service providers—including AOL—have established strict blocking policies designed to cut down on the spread of spam. According to Stiles, if a school is suspected of unknowingly hawking spam to AOL customers, the company will institute a block on all eMail messages coming from the offending server until the problem is resolved or the open relay used for the attack is closed.

“There is a period of time where [eMail from an unwitting accomplice] might get blocked,” Stiles acknowledged. In the event that a block does occur, however, AOL immediately sends out an electronic notification of the problem to the offender and provides access to a 24-hour hotline dedicated to restoring service.

Still, even after service is restored, the ill will generated by the use of a school system’s servers to send spam might linger, the FTC warns. Also, recipients of the unwanted eMail messages might flood the offending school system’s servers with complaints.

According to the New York Times, at least one school already has been victimized by the ploy. Last year, AOL contacted the Flint Hills School in Oakton, Va., after customers complained they were receiving unsolicited spam, which the company eventually traced back to the school’s server.

The Times said more than 200,000 computers worldwide have been unknowingly infiltrated and are currently being used to peddle spam. “It was pretty amazing how fast our vulnerability was picked up by the spammers,” Robert Hampton, Flint Hills’ technology director, told a Times reporter.

Hampton could not be reached for further comment before press time.

As internet service providers such as AOL have begun cracking down on spam, its purveyors have been forced to search for new techniques to avoid detection. That’s why schools—with their high-bandwidth systems, large data pipelines, and expansive regional networks—”make the best kind of targets,” Stiles said.

Fifty law enforcers from 17 agencies—including the FTC, Securities and Exchange Commission, U.S. Postal Inspection Service, and U.S. Attorney General’s Office—identified 1,000 potential open relays worldwide and drafted a letter this spring urging the operators to close these internet gateways to help reduce spam.

Fortunately, fixing the problem isn’t very difficult. Checking for an open relay and securing your eMail system against unauthorized use generally can be done with just a few commands, the agency said. A page on its web site (see links) directs readers to instructions.

As long as spammers continue to find holes in vulnerable networks, Stiles said, the problem will continue to grow.

“Spamming is a money-making business,” he said. “Spammers have made a fortune out of sending this unsolicited commercial eMail. They’ll do anything to make sure the mail gets through.”

Anti-spam program could backfire

The Associated Press

See these related links:

FTC’s Open Relays web site
http:///www.ftc.gov/openrelay

America Online
http://www.aol.com