From the issue dated September 27, 2002
|
|
|
Fed Up With SpamIrate students and professors want colleges to crack down, but doing so is difficultBy FLORENCE OLSEN A rising chorus of complaints about unsolicited commercial e-mail has convinced
Spammers have taken over "a very nice function of the Internet and made it pretty much a frightful experience," says Thomas A. Gaylord, chief information officer at the University of Akron's main campus. He knows students and faculty members who are apprehensive about opening their campus e-mail because of the offensive spam they may find there. "It's just not what we want," Mr. Gaylord says, emphatically. Many computing officials say that spam is a bigger problem for colleges than for corporations because college networks are more open to the public than are most corporate networks. "It's the mission of colleges to share information," says Hossein Shahrokhi, director of information technology at the University of Houston's downtown campus. Colleges openly publish e-mail addresses on departmental Web pages and in Web-based campus directories. "It's not that we are open because we just can't be disciplined," adds Mr. Shahrokhi. That openness, however, has compounded a situation that is increasingly annoying for computing officials and e-mail users alike. Colleges also are less inclined than are many businesses to block incoming e-mail suspected of being spam. Some college officials say that concerns about violating the principles of academic freedom, privacy, and the First Amendment make them reluctant to block e-mail messages based on their content or to "blacklist" the Web sites of known spammers. Spam is difficult to limit for both colleges and corporations, because spammers are constantly changing their techniques. A few students blame officials on their own campuses for allowing spam on the campus-mail network, but many students and faculty members have become resigned to spam as a fact of life. Some colleges, however, are teaching people how they can reduce spam. Others are experimenting with a variety of technical means to block spam, some of which may make it less convenient for faculty members and students to communicate with each other through e-mail. Wasted Time and Money For many colleges, spam is a bigger problem now than it was just a year ago, and the increase in pornographic spam has been alarming, campus officials say. About one in every five e-mail messages that arrives at the University of Akron's mail gateway is spam, which is three times last year's amount. Mr. Gaylord says the spam problem at Akron is beginning to reduce everyone's efficiency. People are spending more time deleting spam or adding filters to their e-mail for blocking spam, he says. Colleges also are spending money to counteract spam that they otherwise would not spend -- money for more disk space, for additional network bandwidth, and for more technical-staff time. At Akron last year, about $15,000 -- 25 percent of a full-time mail administrator's salary -- was spent on dealing with spam, Mr. Gaylord says. Less than a year ago, the size of a typical spam file was 3 kilobytes, but now it is 20 kilobytes. According to Mr. Gaylord, coping with spam last year cost the university roughly $75,000 -- and that's not counting the hours that faculty members and students spent deleting unwanted messages and configuring their mail accounts to filter out spam automatically. Private liberal-arts institutions are having similar problems. Spam "eats up a tremendous amount of our support staff's time, and it's hugely frustrating to users," says David D. Gregory, chief information-technology officer at Colgate University. "It's even more frustrating to us. Instead of focusing on integrating technology into teaching and learning, we're busy dealing with those kinds of things." Spam Strategies Companies that send unsolicited e-mail use software programs to collect e-mail addresses from Web pages. Some also use so-called "dictionary attacks" that send spam to millions of randomly generated e-mail addresses. By chance, some of those addresses are valid. Spammers have also devised many techniques to elude the blocking technologies that some colleges are using. One such technique involves using software robots that set up free e-mail accounts with names like "samantha8251879," and that add a unique number to each message so that filters fail to recognize it as spam. The companies are also working hard to get students and faculty members to read the messages. Deceptive subject lines have become common. Colleges may have to wait 5 or 10 years for more organized rules and policies governing spam, says Mr. Shahrokhi, the information-technology director at Houston. "The laws," he says, "are trying to catch up." Despite users' outrage, anti-spam laws in 26 states have so far proved difficult and expensive to enforce. In some states, the laws are being challenged in the courts on constitutional grounds as violations of free speech. Douglas Wood, general counsel for the Association of National Advertisers, which represents the interests of 300 large businesses, is opposed to such laws. "We're never going to have the tax dollars and public money to staff a prosecutor's office to go after all the people doing this," Mr. Wood says. Rather, the technology of filtering and the Internet economy should be allowed time to mature, he says. Problems With Blocking Many campus-computing officials say they are uncomfortable using some of the techniques that corporations use for stopping spammers, such as blocking e-mail from known spam sites. Darrow Neves, chief technology officer at Middlesex Community College, in Massachusetts, says he would never consider such a measure without first seeking faculty approval. Computing officials at the Pima County Community College District, in Arizona, say they have done nothing about spam so far, other than to discuss the problem among themselves and prepare a report for the chancellor that describes some of the options for dealing with it. But Ann Strine, associate vice chancellor for information technology, says it may be time to discuss the topic with faculty members, and then to act. After being struck with sharp increases in spam, some colleges have taken steps to make sure they aren't contributing to the problem. For example, many colleges now prohibit the use of servers that function as e-mail open relays, which accept mail from sources outside the college and relay that mail to other outside destinations. Such servers, officials say, are easy to hijack and use for distributing spam. "There used to be a good reason for open relays, but there isn't anymore," says Daniel V. Klein, a Pittsburgh-based consultant and software developer who is a former senior member of the technical staff of the Software Engineering Institute at Carnegie Mellon University. The relays were helpful in the early days of the Internet, when many Internet connections depended on telephone circuits. Because almost all Internet servers are now hard-wired to the Internet 24 hours a day, Mr. Klein says that about the only people who need open relays are those who are trying to avoid persecution or prosecution. In China and elsewhere, dissidents use e-mail open relays to communicate without revealing where their messages originated. And spammers use those same open relays to hide their true locations. Before Colgate University decided to clamp down on the use of e-mail open relays, someone outside the college discovered a Unix server in one of the departments and used it to distribute spam, says Mr. Gregory, the chief technology officer. The spammers try to find holes in a college's network security, he says, "where they can go in and use a server on our campus to relay this vast amount of e-mail, and it looks to somebody [else] as though it came from Colgate." Sometimes researchers in a department may not even be aware that a server's open-relay function is turned on. Most college officials say they are trying to do a better job of educating users about spam and what they can do to minimize it. "I tell people, "Just delete,'" says Deborah M. Keene, associate dean of the library and technology at George Mason University's School of Law. "We tell people to be careful" -- and to use a bogus e-mail address, if asked for one, when they download anything from a Web site, says Greg Cornell, a Unix-system administrator at Walla Walla College. At a user's request, the college will also set up a second e-mail address for anyone who wants one address to use for professional mail and one for commercial mail. Officials of the Indiana University System have created a set of Web-based documents that users are directed to when they send a complaint to the "help" desk about unsolicited commercial e-mail. The documents define spam and give hints on how to minimize it, says Merri Beth Lavagnino, the university's deputy information-technology policy officer. For example, students may not realize that posting to Usenet newsgroups and subscribing to unmoderated discussion lists make them vulnerable to spammers who look in those places for e-mail addresses. Or that responding to spam by asking to be taken off the list of a disreputable advertiser will most likely have the opposite effect: The student's name will end up on more spam lists rather than fewer. This fall, Indiana officials are beginning an aggressive educational campaign on all the university's campuses to teach students how to cope with spam. "If they have been replying religiously to every spam they've ever gotten, to ask to be taken off, they've really built up more of a problem," than if they had just deleted the spam, Ms. Lavagnino says. Anti-Spam Technology Other institutions have tried technology designed to control spam. Many colleges use e-mail programs like Eudora, Microsoft Outlook, Netscape Messenger, or Pegasus Mail that let users set their own software filters to block spam. Some of those institutions have begun offering seminars several times each semester to explain how to use the filters, because when such filters aren't used properly, they may also block e-mail that users want to receive. Some colleges have gone a step further by using a limited number of filters on their mail servers to block sexually explicit spam, such as ads for pornographic Web sites, from reaching users' inboxes. In June, after receiving a complaint from a staff member who handles the president's e-mail, Virginia Commonwealth set up a spam filter to block e-mail containing "the F word," says Mark D. Willis, executive director of administrative information technology at Virginia Commonwealth University. "The danger with filters is that they overfilter," Mr. Willis says. "You may think you're blocking only certain types of e-mail, but you may be blocking legitimate mail." A number of computing officials say they have set up spam filters in Microsoft Exchange Server, a server-based e-mail program, with good results. Others say they have had success with Unix-server-based content filters like SpamAssassin, free software that flags certain messages as spam based on known practices of spammers. SpamAssassin "is usually correct," says Mr. Cornell, at Walla Walla. If users wish to, he says, they can delete the spam quickly without even looking at it. Protecting E-Mail Addresses Some colleges are also trying to make it harder for spammers to collect the e-mail addresses of students and faculty and staff members. Often, the spammers use automated scripts to search static Web pages for character patterns that resemble e-mail addresses and capture thousands of addresses. But whatever steps colleges take will almost surely make it more difficult for students and professors to communicate easily with one another and with the public. At the Pentagon's insistence, the U.S. Air Force Academy and other military academies removed all personal e-mail addresses and other personnel information from the Web after September 11, 2001. Air Force academy officials say they have not had a serious problem with spam during the past year. "We did get an exception [at the academy] for at least listing the biographical information for the faculty, but we don't include their e-mail addresses," says Larry W. Bryant, director of academic computing at the academy. At Indiana, e-mail administrators are experimenting with a variety of ways of displaying e-mail addresses on the Web so that automatic programs created for collecting e-mail addresses do not recognize them. Most of the options would eliminate the convenience of clicking on an e-mail address that appears on a Web page and sending a message, says Ms. Lavagnino, the technology-policy officer. "Some [departments] may decide that they would rather have spam than to have the user type the e-mail address," she says. Indiana officials say they sort spam complaints into two categories. One kind -- the complaints about weight-loss ads and the like -- officials ignore because of the overwhelming volume of such messages. The other kind -- calls about spam that a student feels is threatening or appears to involve a scam -- they investigate. But Indiana is planning to make a big effort to control the flow of spam this year. "We process one billion e-mail messages a year, so it is likely to be a complex and expensive project," says Ms. Lavagnino. Details have yet not been worked out, she says. The purpose is to offer faculty and staff members and students a choice of having filtered or nonfiltered e-mail service. Such a service would have to be flexible enough, Ms. Lavagnino says, so that individual users could opt in or opt out on their own. Some college officials worry that spam, if not controlled, could begin to turn staff members away from using e-mail. "I hope we don't reach the day where people don't want to use their e-mail because they're getting so much spam," says Ms. Keene, the associate dean at George Mason University's School of Law. But most officials agree that abandoning e-mail is unlikely. "We've seen what we can do with e-mail, and it's hard to give it up," Ms. Lavagnino says. On the other hand, Akron's Mr. Gaylord observes that instant-messaging programs have taken hold on many campuses, and one of their appealing characteristics is that they are spam-free. Many campus officials and technology consultants are resigned to predicting that the spam problem will get worse, because it costs spammers almost nothing to market their products or services using Internet e-mail programs. In the meantime, colleges are handling the spam problem as well as can be expected, Ms. Keene says. "People are coping, but they're very annoyed." 7 APPROACHES TO FIGHTING SPAM Following are strategies for minimizing spam that are in place or (where noted) under consideration at colleges, along with some of the institutions using or considering these approaches. 1. Shutting down e-mail open relays on campus servers to prevent spammers from hijacking the machines. Open relays accept mail, including spam, from sources outside the college and relay that mail to other destinations outside the college (Middlesex Community College, University of Maryland at College Park, Virginia Commonwealth University). 2. Directing students with spam complaints to a campus Web site with answers to frequently asked questions and articles about how to avoid spam (University of Akron's main campus, Indiana University System). 3. Offering seminars each semester on how to use the anti-spam filters that are built into some desktop e-mail programs (University of Akron). 4. Setting limited blocking filters on the campus-mail gateway to eliminate the most obnoxious spam (Colgate University, George Mason University, University of Akron, Virginia Commonwealth University, Walla Walla College). 5. Closing down individual campus e-mail accounts, if requested, to put an end to spam attacks (George Mason University). 6. Installing a firewall to block spammers from searching campus servers for e-mail open relays from which to distribute spam (under consideration at Colgate University). 7. Offering an alternative "filtered" mail service, in addition to regular campus e-mail, for faculty and staff members and students who want to avoid spam (under consideration at Indiana University System).
SOURCE: Chronicle reporting
http://chronicle.com Section: Information Technology Volume 49, Issue 5, Page A47
|
Copyright © 2002 by The Chronicle of Higher Education