Internet Users Vulnerable to Unsolicited Bulk E-mail
1st January 2001 (Computimes)

ORGANISATIONS that provide electronic mail facilities to users face a tough time protecting their operations against e-mail spamming. According to the Malaysian Computer Emergency Response Team (MyCERT), e-mail spamming is almost impossible to prevent, as any user with a valid e-mail address can spam others at any valid e-mail address.

A case was recently reported in which customers of an online grocery store, PasarBorong Online Sdn Bhd, were spammed with e-mail which appeared to have originated from the company's address.

When a large number of e-mails are directed to or through a single site, the site will experience time lag, and faked e-mail addresses will cause bounced e-mails.

This will eventually cause denial of service, in which the server may suffer loss of network connectivity, system crashes or failure of service, says MyCERT, a service established by Mimos Berhad to address the computer security concerns of local Internet users.

Spam, or unsolicited commercial or bulk e-mail, is the junk mail of the Internet. E-mail spamming is the practice of sending one e-mail to mailing lists, through which it is forwarded to hundreds of other users. The e-mail can be in the form of chain letters or get-rich schemes.

According to MyCERT, spamming may be combined with e-mail spoofing, in which the header is altered, making it more difficult to trace the sender.

However, MyCERT recommends a number of steps that organisations can take to protect against spamming.

For instance, organisations should develop in-house tools to help them recognise spamming or alert them to respond to it. "Once you have identified the e-mails, you can use other tools to discard the emails."
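As an illustration of such a recognition tool (an example added here, not part of the original article or of MyCERT's guidance), the following script scans mail hub logs and flags any sender who delivers an unusual number of messages to the same recipient within a sliding window. The simplified sendmail-style log lines, the `.example` addresses and the threshold of 50 messages per hour are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified sendmail-style syslog line: timestamp, host, queue id, from=/to=.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
                  r"(?P<qid>\w+): (?P<kind>from|to)=<(?P<addr>[^>]*)>")

def find_floods(lines, threshold=50, window=timedelta(hours=1), year=2000):
    """Return {(sender, recipient): peak count} for pairs that reach
    `threshold` deliveries inside any sliding `window`."""
    sender_of = {}                 # queue id -> envelope sender
    recent = defaultdict(deque)    # (sender, recipient) -> timestamps in window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        addr = m["addr"].lower()
        if m["kind"] == "from":
            sender_of[m["qid"]] = addr
            continue
        sender = sender_of.get(m["qid"])
        if sender is None:         # to= line without a matching from= line
            continue
        seen = recent[(sender, addr)]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            flagged[(sender, addr)] = max(flagged.get((sender, addr), 0), len(seen))
    return flagged

def sample_log():
    """Constructed log: 60 repeats to one customer plus one normal message."""
    start, lines = datetime(2000, 12, 28, 9, 0, 0), []
    pairs = [("info@shop.example", "customer@isp.example")] * 60
    pairs.append(("staff@shop.example", "other@isp.example"))
    for i, (frm, to) in enumerate(pairs):
        ts = (start + timedelta(seconds=30 * i)).strftime("%b %d %H:%M:%S")
        head = f"{ts} hub sendmail[{1000 + i}]: eBS9{i:04d}:"
        lines.append(f"{head} from=<{frm}>, size=2048, nrcpts=1")
        lines.append(f"{head} to=<{to}>, delay=00:00:01, stat=Sent")
    return lines

if __name__ == "__main__":
    for (frm, to), n in find_floods(sample_log()).items():
        print(f"ALERT: {n} messages from {frm} to {to} within one hour")
```
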

An organisation with a small network can configure a firewall or router to route all simple mail transfer protocol (SMTP) packets to the central e-mail hub.

Although this will not prevent attacks, it will reduce the number of SMTP ports exposed to SMTP-based intruder attacks. This also means that an organisation that wishes to filter e-mails can do so by wrapping the sendmail server.

Organisations should also educate their users to report spamming activities and incorporate relevant policies and procedures in managing e-mail usage, but should not propagate the problem by forwarding or replying to spam e-mails.

When contacted, PasarBorong Online admitted that its recent spamming incident was due to misconfiguration of its mail system, sendmail, which runs on the Linux operating system.

The company's system administrator Hisham Ismail told Computimes that the company has taken immediate action to rectify the situation since the incident was detected last Thursday.

He said PasarBorong Online terminated the auto responder feature - which automatically sends e-mails to all on the mailing lists - to prevent further spamming.

"We have received many complaints from customers who received between 50 and 60 e-mails while some received more than 100. We are calling them personally to apologise and explain the situation," Hisham said.

Hisham said PasarBorong Online engaged 10 staff to make the calls to its customers, a task scheduled to have been completed by last Saturday.

He also said PasarBorong Online has requested all e-mail administrators such as TMnet and Jaring as well as free e-mail service providers such as Hotmail and Yahoo! to delete e-mails from PasarBorong.

"We will now look to upgrade and tighten our security system as well as upgrade our software. We will be consulting Sendmail.org for its feedback and see what can be done. Alternatively, we may consider changing our e-mail program to Qmail," said Hisham.

Meanwhile, Meta Group has reported that spamming is likely to drive prospects to the competition rather than attracting them and generating sales.

For companies, spam can affect e-mail system performance and cut into worker productivity. As such, organisations need to block spam from entering their corporate e-mail systems to protect themselves and their employees from this material and the legal exposure it creates.