[unisog] brain dead spam complaints

Sylvain Robitaille syl at alcor.concordia.ca
Fri Dec 12 19:18:56 GMT 2003


Folks, Jim Dillon wrote to me off-list, and raised some very good
points, to which I'm sure others will agree, and some will likely find
worthy of discussion.

With Jim's permission, I append the full text of his message below
my signature.


On Thu, 11 Dec 2003, Jim Dillon wrote:

> Wouldn't it be better to simply catalogue the amount of autoreply spam
> you receive from McAfee, send an authoritative letter or email once,
> and simply drop the rest?

I suppose it depends on who the recipients of your auto-replies are.  I
think I would agree with you, in the case of sending complaints to the
software authors themselves, that a single (or one every regular period,
for instance if the software authors are particularly unresponsive)
message summarizing the misdirected complaints would be more useful.  My
auto-responses are sent to the software users on purpose, (well,
actually, the ironic thing is that my auto-responses are sent to the
address in an incoming message's "From:" header, making them arguably
"broken" in the exact same way as the software whose misdirected reports
they're intended to inform the user about.  The good news is that no one
who has ever received one of my auto-responses has likely understood
that!)

In my opinion, the bulk of the people using this software are using
it because they don't know any better.  They're under the impression
that tracing the provenance of a spam (or virus-propagation) message is
difficult at best, and they've been led to believe that this software
will, at the click of a button, do it for them.  They were lied to.

I feel there's much more value in letting the users of the software know
that it isn't performing the function they were led to believe it would
perform, thereby enabling them to seek out better ways to get the
intended result (and perhaps a refund for the broken software), than it
is to silently accept (and ignore?  I certainly don't want anyone
complaining to my abuse@ address to ever get the impression that
messages sent to that address are ignored) the misdirected complaints.

That last bit brings up an important point, in my case:  I'm going to
respond to the complainant anyway.  I might as well let them know that
the software they're using is broken and how, while I'm telling them
there isn't anything I can do about their complaint.

The software vendor, after refunding a certain number of copies of their
software, will be more likely to actually fix it than if someone who's
never paid them (and isn't likely to ever use their software anyway)
sends the odd complaint.

> By auto-responding you just increase the useless traffic that already
> clogs and increases our bandwidths far beyond their true, justifiable
> "institutional/business" need levels.

Compared to the amount of commercial spam we receive, I'm afraid that
these auto-responses are far below the noise floor of our traffic.
There really aren't that many of them going out.

Given that I'm providing autoresponses that are intended to inform the
users of this broken software, with an expected result that fewer
misdirected auto-reports will arrive, I would argue that the
auto-responses sent directly to the users of the software actually have
a side-effect of decreasing our "not-mission-based" (for lack of a
better term) bandwidth usage.

> Just a thought.  I hate to create any automated stream that may be
> unnecessary and thus may falsely inflate bandwidth requirements.

What needs to be avoided is a consistent "loop" of auto responses to
auto-responses.  I haven't yet seen this happen when I send
auto-responses to an actual software user, but it certainly would be
worth taking measures to avoid.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems analyst / Postmaster                      Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------

---------- Forwarded message ----------
Date: Thu, 11 Dec 2003 14:58:12 -0700
From: Jim Dillon <Jim.Dillon at cusys.edu>
To: Sylvain Robitaille <syl at alcor.concordia.ca>
Subject: RE: [unisog] brain dead spam complaints

Wouldn't it be better to simply catalogue the amount of autoreply spam
you receive from McAfee, send an authoritative letter or email once,
and simply drop the rest?  By auto-responding you just increase the
useless traffic that already clogs and increases our bandwidths far
beyond their true, justifiable "institutional/business" need levels.

Having spent 10-20 hours trying to get McAfee to work at home myself,
with numerous calls to technical and customer support, I can say
somewhat authoritatively that it will probably be too difficult for
your average McAfee user to control anything about the software,
as I (a reasonably experienced IT type) and their sterling help staff
couldn't accomplish anything after many hours of work and on-hold time.
(I have since returned the lousy software and will try Norton or somebody
else next.) This falls into the category of "throwing pearls to swine",
that is, it's useless, so why provide more traffic?  Ultimately it seems to
just further clog the channels with little hope of long-term benefit...

Just a thought.  I hate to create any automated stream that may be
unnecessary and thus may falsely inflate bandwidth requirements.

Best regards,

Jim

======================================
Jim Dillon, CISA
IT Audit Manager
University of Colorado
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737
======================================

-----Original Message-----
From: Sylvain Robitaille [mailto:syl at alcor.concordia.ca]
Sent: Thursday, December 11, 2003 1:21 PM
To: unisog at sans.org
Subject: Re: [unisog] brain dead spam complaints


On Thu, 11 Dec 2003, Chris Edwards wrote:

> Luckily, its false-spam-allegation messages all seem to have this header:
>
>   X-SpamKiller-AutoReply:

Ooooh!  I hadn't noticed that.  This means it should be trivial to
create a procmail script to send back the canned response automatically.
How about something like this (syl quickly copies his "Declude auto-
responder" and adapts it):

# The X-Loop test skips messages carrying the marker this responder adds.
:0 HB
* !^X-Loop: auto-reply
* ^TO(abuse|postmaster)@((smtp1|smtp2|smtp3)\.)?domain\.edu
* ^X-SpamKiller-AutoReply:
* ^I have received the attached unsolicited e-mail from
* ^I do not wish to receive such messages in the future
{
   # -- gather info about message
   :0 ch
   subject=| formail -x "Subject:"
   :0 ch
   from=|    formail -x "From:"

   # -- Store a copy of the original.
   :0 c
   | $FILE +$FOLDERS/postmaster

   # auto responder:
   :0
    | ( \
        echo "From: University Postmaster <postmaster@domain.edu>"; \
        echo "To: $from"; \
        echo "Subject: faulty spam report (was $subject)"; \
        echo "Precedence: junk"; \
        echo "Date: `date '+%d %h %Y %T %Z'`"; \
        echo "X-Old-Subject: $subject"; \
        echo "X-Was-From: $from"; \
        echo "X-Loop: auto-reply"; \
        echo ""; \
        echo "[ this is an automatic reply to your software's automatic report ... ]"; \
        echo ""; \
        echo "Please note that your spam reporting software (\"McAfee"; \
        echo "Spamkiller\") is broken software, as it relies on easily"; \
        echo "forged information to attempt to determine the provenance of"; \
        echo "a message."; \
        echo ""; \
        echo "Please replace your software with a package that does not"; \
        echo "rely on false information to send its reports, or at least"; \
        echo "turn off the reporting function of the software you're using."; \
        echo ""; \
        echo "Thank you."; \
        echo ""; \
        echo "If you have reason to believe that my conclusion is"; \
        echo "incorrect, and that this message really did originate"; \
        echo "from a computer system at This University, please"; \
        echo "do let me know, and please do not hesitate to contact me"; \
        echo "about inappropriate activity from any computer system at"; \
        echo "This University."; \
        echo ""; \
        echo "-- "; \
        [ -f "${SIGNATURE}" ] && cat "${SIGNATURE}"; \
        echo; \
        cat; \
      ) | sendmail -t -oi -om
}

I'm going to review more of those messages before actually implementing
this, but the Declude version of that was rather effective at reducing
the number of automatic Declude reports I was receiving.  :-)

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl at alcor.concordia.ca

Systems analyst / Postmaster                      Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
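The loop-avoidance and "answer once, drop the rest" points discussed in this message, as an added Python example (not code from the thread or from either author). It decides whether a report that already matched the SpamKiller trigger should get the canned response. The function name, the one-week window, the `Auto-Submitted` check (RFC 3834, which postdates this thread) and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

LOOP_TAG = "auto-reply"      # value the recipe above writes into X-Loop
WINDOW = 7 * 24 * 3600       # assumed policy: one reply per sender per week

def should_autoreply(raw, last_sent, now):
    """Return (send, reason); last_sent maps address -> time of last reply."""
    msg = message_from_string(raw)
    # Our own marker came back: answering again would start a loop.
    if any(LOOP_TAG in v.lower() for v in msg.get_all("X-Loop", [])):
        return False, "own X-Loop marker came back"
    # The other side is itself answering an automatic message.
    if msg.get("Auto-Submitted", "").strip().lower().startswith("auto-replied"):
        return False, "message is itself an automatic reply"
    if msg.get("Precedence", "").strip().lower() in ("junk", "bulk", "list"):
        return False, "bulk precedence"
    # Like the recipe, this replies to the From: header, which is forgeable.
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if not addr or addr.partition("@")[0] == "mailer-daemon":
        return False, "no usable sender"
    # Rate limit: the guard that still works when headers are stripped.
    if addr in last_sent and now - last_sent[addr] < WINDOW:
        return False, "already answered this sender recently"
    last_sent[addr] = now
    return True, "send canned response"

# Constructed sample messages (not real traffic).
REPORT = """\
From: Some User <user@example.net>
To: abuse@domain.edu
Subject: Unsolicited e-mail
X-SpamKiller-AutoReply:

I have received the attached unsolicited e-mail from ...
"""
ECHO = "X-Loop: auto-reply\n" + REPORT   # our reply fed back to us

def demo():
    """Run four arrivals through the filter and return the decisions."""
    seen = {}
    arrivals = [(REPORT, 0), (REPORT, 3600), (ECHO, 7200), (REPORT, 8 * 86400)]
    return [should_autoreply(raw, seen, t)[0] for raw, t in arrivals]

if __name__ == "__main__":
    print(demo())
```
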



