Cornell Chronicle

You're not alone: E-mail spammers have been targeting everyone at CU

By Beth Goelzer Lyons

Finally got a webcam. Info on phone bill. What are your employees really doing? We found your money. Request for urgent assistance. A challenging book. My friends. Got debt? Sale on toner cartridges. Over 250 million e-mail addresses. Wow, Beth!

E-mail messages like these have bombarded the Cornell community over the past four months. Because e-mail content is not monitored here, there are no official statistics, but anecdotal evidence suggests that e-mail spam now accounts for 5 to 10 percent of messages delivered to Cornell addresses. That's up to 100,000 messages a day, or three per address.

Tracy Mitrano, left, policy adviser for information technologies, and Patsy Brannon, dean of the College of Human Ecology, meet to discuss what can be done about e-mail spam at Cornell. Charles Harrington/University Photography

"We've seen a dramatic increase in the amount of spam and some shift in its character in the last six months," said Patsy Brannon, the Rebecca Q. and James C. Morgan Dean of the College of Human Ecology. "Just before winter break, a number of people, including myself, began receiving visually graphic pornographic messages. What's especially troubling is that the subject lines are deceiving. You don't know what it is until you open it."

Defined as any unsolicited commercial e-mail, spam is legal and has the same First Amendment protection afforded to other forms of commercial speech. Unlike most other advertising, though, it is extraordinarily cheap for the advertiser. Hitting 10,000 addresses costs a few pennies. It's far cheaper to send messages indiscriminately than to do targeted marketing as conventional advertisers do.

"People who receive spam should know they're not alone. Although it seems very personal because it comes to your e-mail address, spam is usually not directed at individuals. Most spammers don't even know if they're sending to real addresses," said Tracy Mitrano, Cornell policy adviser for information technologies.

Hiding an e-mail address from spammers is tough. Automated programs harvest addresses from the web, mailing lists, newsgroups, directories and every other corner of the Internet. Services touted as "free" may be paying the bills by selling addresses. The newest twist? Simply guessing at addresses, which may explain the sudden influx of spam at Cornell.

"It's like telemarketers taking the 607 area code plus our local exchanges and calling every possible combination. They don't know who a phone number belongs to or if it even works. That's what we suspect spammers are doing with our network," said Mitrano.

Cornell's e-mail system does block some spam, but to support the university's commitment to free inquiry and uphold the highest standards of privacy, it happens only when identical mail from the same place floods the system in a matter of minutes. Cornell Information Technologies can also filter out messages with specific subject lines, but this restriction is imposed only when the volume reaches the thousands. So most spam passes through.

"These methods are more about protecting our e-mail system from mail-bombing attacks than about blocking spam," said Don Mac Leod, CIT assistant director of client systems. "We're currently discussing options for filtering out viruses. Spam filtering would be a similar effort, but in keeping with Cornell's philosophy, it would need to be an opt-in/opt-out system and give users the ability to retrieve e-mail flagged as spam."

"It's not something we either would want to or could put in place tomorrow," added Mitrano. "Before any filtering tool is implemented, we'd need to do an extensive review to ensure the solution would not come at the expense of Cornell's policies and mission. Fair information practices and free speech, both of which are implicated in the policy concerns that surround the spam issue, are core university values."

And although filtering by Cornell's mail system would reduce how much spam individuals receive, it would not eliminate it. No sooner does a defense go up than a spammer breaches it. So the most effective tactic remains the low-tech "delete" key.

"At first I was doing the unsubscribe thing. That didn't work, as I started getting more e-mail. Then I tried filters. That didn't work either, as they just change the 'from' address," said Tina Nelson, administrative assistant in the College of Architecture, Art and Planning. "Now if it looks like an ad, I just hit 'delete.' But I'm afraid one day I might delete something that wasn't junk."

Following a spammer's directions for unsubscribing seldom works. At best, it fails because the spammer deliberately provided a bad address. At worst, people reveal that their own addresses are real and actively used. Their addresses then become valuable commodities, and the result, as Nelson discovered, is even more spam.

Using Eudora or Microsoft Outlook to filter spam can help. But like dandelions and crabgrass, spammers are always devising new ways to go undetected. So filters need regular tweaking. Tips on what to include in filters, plus specific instructions for Eudora, can be found at http://www.cit.cornell.edu/computer/email/eudora/spam.html.

"CIT will be as technologically savvy as it can about this issue, but the best thing everyone can do is delete, ignore and become inured to spam," said Mitrano. "In the long run, because the technology is limited and the law is not yet settled, that approach will be far more successful than any technological solution."

March 14, 2002
