
Spammers hiding behind students

Feb 24, 2003 | 4 mins
Enterprise Applications, Malware

University networks already stressed by file-sharing programs, viruses and hackers now face a new threat: students who sublet their network access to spammers for as little as $20 per month.

Tufts University, a 151-year-old school in Medford, Mass., last month discovered spammers were paying students to offer up their PCs as relay points that helped mask the true source of the spam. While university network executives interviewed were not aware of other cases on U.S. campuses, the phenomenon has cropped up in Israel.

The problem came to light at Tufts after the school received a flood of complaints that its domain was the source of spam, says Lesley Tolman, director of networks and telecommunications at Tufts. The practice isn’t so much a bandwidth hog as it is an image problem for universities, she says.

University IT executives say they hope to minimize their exposure to this spamming technique based on the relative ease of tracking the offenders and through strict policies forbidding students to use PCs as servers, a measure instituted after Napster paralyzed college networks.

“Paying students to spam is a relatively new phenomenon so we don’t know the extent of the problem,” says Steve Worona, director of policy and network programs for EduCause, a group that promotes the use of IT in higher education and includes thousands of schools around the world. “We’ll try to put people together so they can come up with some best practices.”

Those practices might not have to be confined to schools, experts say. It’s possible that the mail relay program could be slipped onto corporate PCs without users noticing via rogue Web sites or spam packed with a virus.

Tufts currently is deciding on the best practice for punishing one student after discovering he agreed to install what amounted to a message-transfer agent on his dorm room computer that served as a spam relay in exchange for $20 a month.

After admitting to the arrangement in which the student relayed thousands of e-mails offering services for burning CDs and DVDs, the student said a handful of others were involved in the same payola that took advantage of the school’s gigabit connection to the Internet.

“We had complaints from people saying our domain was the source of spam,” Tufts’ Tolman says. “We checked the logs, identified the IP address the spam was coming from, matched that with a [media access control] address and went to the kid’s dorm room.”

What they discovered was a small program called Mailsafe.exe on the student’s PC, but no tracks back to the spammer.

A handful of companies that offer messaging and other services use the name Mailsafe, but the moniker is likely one of a laundry list of benign names for the program used to escape detection, experts say.

“The students involved in this found the opportunity themselves – they were not contacted by the company directly,” says Tolman, who adds that the software likely was downloaded via FTP or some other file-sharing protocol. “But right now, we know the relay by the students has stopped.”

Tufts leans toward educating first-time offenders about the downsides of their behavior, saving harsh punishment for repeat delinquents, she says.

“We can’t control the software students load on their machines,” Tolman says. “We can only act once they use it. We can’t catch a kid before he spams.”

That means Tufts continues its due diligence poring over logs looking for suspicious activity, an exercise Tolman says eats up half of a full-time salary per year, or roughly $30,000.

“It all sounds like a poor man’s grid computing,” says Greg Scott, IS manager at Oregon State University College of Business in Corvallis, who had not heard of the spamming-for-pay tactic, but was not surprised. He says Oregon State throttles down bandwidth available to residence halls because of file-sharing and restricts the ports students can use. “Universities are for experimenting, pushing the edge. But some students push harder than others,” Scott says.

Frank Grewe, manager of Internet services for the University of Minnesota in Minneapolis-St. Paul, also wasn’t surprised. He says the university does not let client machines be used as servers, employs static IP addresses and tracks the amount of traffic going to and from those addresses.

David Wood, manager of the network group at the University of Colorado in Boulder, uses tactics similar to Scott’s and Grewe’s. He says spammers’ payola would be easy to track and punishment would be swift.

“We kick our students off the network if we have to,” says Wood, who admits that three to four permanent bans already have been handed out, mostly because of hacking.
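
The log review described above (find the address sending the mail, then match it to a MAC address) and the per-address traffic tracking used at Minnesota can be automated; the following is an added example, not code from the article or from any of the universities quoted. It assumes a simple whitespace-separated flow log and lease table, and every subnet, address, MAC and threshold in it is constructed.

```python
import ipaddress
from collections import defaultdict

# Every address, MAC and threshold here is constructed for illustration.
RESIDENCE_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed dorm subnet
CAMPUS_RELAYS = {"10.1.1.25"}   # assumed official outbound mail server
MAX_DIRECT = 3                  # distinct outside SMTP peers tolerated per client

# Constructed flow log: timestamp, source IP, destination IP, destination port
FLOWS = """\
2003-01-20T02:10:01 10.20.4.17 192.0.2.10 25
2003-01-20T02:10:02 10.20.4.17 192.0.2.11 25
2003-01-20T02:10:02 10.20.4.17 198.51.100.7 25
2003-01-20T02:10:03 10.20.4.17 198.51.100.8 25
2003-01-20T02:10:04 10.20.4.17 203.0.113.5 25
2003-01-20T02:10:04 10.20.4.17 203.0.113.5 25
2003-01-20T09:00:00 10.20.9.3 10.1.1.25 25
2003-01-20T09:05:00 10.20.9.3 192.0.2.10 25
2003-01-20T09:06:00 10.20.9.3 198.51.100.7 80
2003-01-20T09:07:00 10.1.1.25 192.0.2.10 25
truncated-line 10.20.9.3
"""

# Constructed DHCP/static assignment table: IP address, MAC address
LEASES = """\
10.20.4.17 00:00:5e:00:53:17
10.20.9.3 00:00:5e:00:53:03
"""

def find_relay_suspects(flow_text, lease_text, limit=MAX_DIRECT):
    """Return (ip, distinct_smtp_peers, mac) for dorm hosts acting like a mail relay."""
    macs = dict(line.split() for line in lease_text.splitlines() if line.strip())
    peers = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "25":
            continue  # malformed record or not SMTP
        _, src, dst, _ = parts
        try:
            in_dorm = ipaddress.ip_address(src) in RESIDENCE_NET
        except ValueError:
            continue  # unparsable source address
        if in_dorm and dst not in CAMPUS_RELAYS:
            peers[src].add(dst)  # direct-to-internet SMTP from a client PC
    return sorted((ip, len(p), macs.get(ip, "unknown"))
                  for ip, p in peers.items() if len(p) > limit)

if __name__ == "__main__":
    for ip, count, mac in find_relay_suspects(FLOWS, LEASES):
        print(f"{ip} ({mac}): SMTP to {count} distinct outside hosts")
```

Counting distinct destinations rather than raw connections keeps a student who sends a lot of mail through the campus server, or who reaches one outside provider directly, below the threshold.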