A Conversation with Doug Muth: An Administrator Just Like You
WHOA interviewed Doug Muth, a UNIX Administrator who has been very active in the movement to fight spam. He had lots of advice for administrators as well as laypersons about dealing with security issues online.
WHOA: What are some things that individuals can do to protect themselves from Internet harassment and other security-related problems?
DM: Well, there's not much that one can do to stop from receiving email. There are a few schemes in use that block ALL email except from a "trusted base" of a few friends, but the disadvantages are obvious; you cannot talk to anyone outside of this base. In terms of other security related issues on the net, I'd say the next biggest would be account stealing by guessing your password.
The only advice here is that you should create a good password that is several characters long, with one or more digits in it, make it something that is NOT personal to you, and keep it private. More often than not, I hear of accounts being cracked because the owner was foolish enough to give out their password.
WHOA: What are some things that site administrators can do that would enable them to protect the interests of all their users?
DM: Without getting too technical here, I would suggest installing procmail as a start to defend against email harassment to their users. Procmail is a powerful UNIX utility that can be used to scan all incoming email for keywords in the header or body and then act on that message accordingly. This can go a long way in filtering out messages from harassers. Another thing administrators can do is to visit the Computer Emergency Response Team (CERT) site for information on making their systems secure.
WHOA: From your experiences with spam-related issues, what do you think are some of the things that the future will hold in regard to monitoring Internet message content--whether that is via legislation on a federal and/or state level or a more internal policing of information on the Internet?
DM: First, I would like to clear up a MAJOR misconception about spamming. When determining whether something is a spam or not, and when fighting spam, spam is NOT based on the content of the message. Rather, it is based on how the message is distributed.
Spam, both of the email and Usenet flavors, is generally untargeted, thus hitting thousands (if not millions) of people who are not interested in the message and THAT is what upsets so many of us. That being said, us spamfighters aren't trying to stop what is being said, but rather how it is being said. There is talk about creating an amendment to the junk fax law to prohibit spamming. Specifically, the junk fax law prevents people from sending out advertising via fax machines, as the recipient has to pay for the paper. Those of us in the anti-spam community are trying to argue that computers are similar to fax machines in that the user has to pay for the resources that email (and Usenet) spamming takes up.
However, like in the case of the CDA, a law can easily become overbroad, with the fearsome possibility of being abused by the government. Therefore what we are doing now is in fact a type of internal policing. What is done is to complain to the spammer, sometimes this will get them to stop, if not, the next step is to complain to their Internet Service Provider (ISP), and if the ISP refuses to do anything, to complain to their upstream provider. A similar tactic could be applied to harassers/stalkers.
WHOA: What policies have you seen fail to work for administrators trying to deal with those issues?
DM: Probably the worst thing to do is to ignore the problem. In terms of spamming, I have seen administrators flat out refuse to do ANYTHING about their users, insisting that they cannot control them. They usually use the argument that since they do not control what their users do and say, that they are merely "common carrier" systems. The flaw in this argument is that common carrier status only occurs if the ISP were to be the only one in its area. This is not the case with most ISPs however, as a search at http://www.thelist.com will indicate. Therefore, those ISPs that refuse to do anything are quite irresponsible if not downright greedy.
WHOA: What policies have you seen work for administrators that eliminated many user complaints regarding security, privacy and/or harassment?
DM: The best thing for an ISP to do is to take action regarding any complaints they get regarding their users. As I stated above, most ISPs are not common carriers and can terminate the accounts of abusive users without fear of legal action resulting. This is also effective for dealing with downstream sites that condone abuse.
Like I said previously, if a particular ISP refuses to do anything about an abusive user, take the problem to their upstream provider. At that point, the upstream can terminate the entire ISP if the ISP refuses to do anything. Not only would that problem user be cut off, so would hundreds of paying users, which would cause very big legal problems for the ISP in question. Given those options, the ISP would probably cut off the user rather than risk having their access cut off.
WHOA: Could you tell us a little more about yourself for our readers' information?
DM: Well, I am what some would call a "geek". I like to fool around with computers and see how they work for the sheer fun of it! Most of my activity on the Internet is of a technical nature, in addition to spam fighting, I also like to study computer viruses and assist those with virus problems; visit my anti-virus web site at http://www.claws-and-paws.com/virus/ if you would like. I would also like to take this opportunity to mention that the practice of spamming is rather unprofitable, and angers many people in the process. I would recommend visiting http://spam.abuse.net/ sometime to learn more about spam, why it is bad, and what can be done about it.