Email is the Internet’s killer app. Yet the future of email is put in serious jeopardy by the ever-increasing torrent of unwanted email that fills our inboxes and clogs our mail servers.
The statistics are frightening. According to Brightmail, an antispam company, 40 per cent of all email is now spam, and nearly 15 per cent of all spam is pornographic, up from 5 per cent last year. Pornographic spam is an affront to many Internet users, creating a hostile workplace and opening employers to the threat of litigation.
Brightmail operates a “probe network” built from old email addresses at some of the world’s largest (and smallest) ISPs. Whenever lots of mailboxes receive messages that are similar, the messages are sent to Brightmail’s operations center, where human beings look at the messages and determine if they are spam. In November 2002, Brightmail’s experts uncovered 5.5 million spam “attacks,” each consisting of between several thousand and several million messages.
Many ISPs have strict policies against spamming. If spam is sent out from your computer, your Internet connection can be terminated without notice or other warnings. Imagine my astonishment in late November when I discovered that more than 100,000 spam messages had been sent to Hotmail from the network connection in my own basement. Here is what happened.
When a friend of mine lost his Web-hosting facility, I agreed to let him put a Windows 2000 e-commerce site in my basement, using one of my unused IP addresses. One day, he removed his computer’s host-based firewall because it was making the SQL Server crash. That night, a piece of software on his computer opened up a connection to Hotmail, created a new account, and started using it to spam Yahoo and AOL subscribers with advertisements for penis enlargement. The attack continued for precisely one hour, then shut off. It repeated with a new Hotmail account five hours later.
My friend has anti-virus software running on his Windows system, but neither he nor it found the hostile code. In the end, his only recourse was to reinstall the host-based firewall and deal with the occasional crashes.
ISPs feel compelled to take such drastic actions with spammers because legal approaches have largely failed, and spammers are hurting ISPs where it counts — in the checkbook. Spammers are forcing ISPs to buy more computers to handle the email load, to develop and deploy technology to shield customers from spam, and to hire more employees to deal with the complaints. And if ISPs don’t immediately kill the accounts of suspected spammers, they risk being put on anti-spam blacklists.
Yet for all the costs of spam, I am equally concerned about the rising cost of anti-spam measures. Like anti-virus software, anti-spam software can be run on either an organisation’s email server or on the desktop. But unlike anti-virus systems, which use signatures to identify viruses and almost never have false positives, identifying spam is invariably an error-prone process. Good anti-spam systems need a way to handle their mistakes.
Some anti-spam systems tag mail that’s likely to be spam with a special header. Users can then set up filters in programs such as Eudora or Outlook Express to automatically put tagged mail into a special mailbox, where they can review it at their leisure. Other anti-spam systems simply bounce mail that’s identified as “spam” back to the sender. Real spam invariably has a fake return address, causing it to be dropped. But mail that is accidentally misidentified ends up back at the sender.
Last November, the US Federal Trade Commission started subscribing to several anti-spam blacklists and using them to block incoming email. The blacklists aren’t perfect because spammers invariably use the same ISPs as people who don’t send spam. The result: some public comments that were sent to the FTC were blocked and not delivered.
“It was surprising to see that a government agency was bouncing my mail,” Sonia Arrison, a technology policy analyst at the Pacific Research Institute, told CNET News.com. “Shouldn’t they all be open to the public?”
I have had similar problems. I send out a lot of email through MIT’s main email server — a server that is incorrectly listed in one of the widely used blacklists. Last year, I replied to an email that I had received from a computer security company: My reply bounced because of the blacklist.
Companies subscribe to those blacklists because they work. But blacklists pose yet another problem: By definition, when you subscribe to a blacklist, you are allowing an outside organisation to decide whose mail you can receive, and whose you can’t. This is very different than using an anti-virus system to scan your email and remove offending copies of the Klez virus. Some ISPs have been blacklisted because they host websites belonging to spammers. Depending on your point of view, blacklists are either grassroots Internet activism at its best or unaccountable vigilante justice at its worst.
If you are a legitimate business that sends out email to your customers, step lightly. Three years ago, I received an email coupon from the Gap. I could not remember giving the Gap my email address, so I called the company, accusing it of spamming. The spokesperson at the Gap told me that I had given the company my email address at a mall in Morristown, New Jersey. I have never even been to Morristown, so I thought somebody at that store must have bought a CD-ROM of email addresses and entered mine into their system.
But the good folks at the Gap were prepared. Every card that had been collected for its email campaign had been recorded on microfilm. The Gap faxed me a card that had my email address written in my very own handwriting. In fact, I had given it my email address two years earlier. The cards from the Morristown store had gotten confused with the cards from the store where I live.
Instead of using blacklists, some antispam systems bounce mail that has improperly formatted mail headers or suspicious sender addresses. As a result, I’ve had email from my pager tagged as spam and either bounced or discarded. That’s because my pager’s email address looks like the sort of address that a spammer would use. (It’s a 10-digit firstname.lastname@example.org.)
You have probably experienced another antispam system if you send email to any large mailing list. If you’re not on somebody’s list of approved senders, their antispam program might send you an email asking you to prove that you’re not some program sending out spam. Sometimes all you have to do is reply. Recently I had to go to a webpage, download a Java applet and have my computer compute an “electronic postage stamp,” which required 30 seconds of CPU time.
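A sketch of how such an electronic postage stamp can work, added here as an example and not taken from the applet the article describes: the sender searches for a counter that gives the stamp's hash a run of leading zero bits, and the recipient verifies it with a single hash. The article does not say which scheme was used; the hashcash-style search, the stamp format, the function names and the addresses are assumptions.

```python
import hashlib
from datetime import date

def leading_zero_bits(digest):
    """Count the zero bits at the front of a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def mint(recipient, bits, day=None):
    """Sender side: brute-force a counter until the stamp hash has `bits` leading zeros.
    Each extra bit doubles the expected CPU time, which is the 'postage'."""
    day = day or date.today().isoformat()
    counter = 0
    while True:
        stamp = f"{bits}:{day}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

class StampChecker:
    """Recipient side: cheap verification plus a cache so each stamp is accepted once."""
    def __init__(self, recipient, min_bits):
        self.recipient, self.min_bits, self.seen = recipient, min_bits, set()

    def accept(self, stamp, today=None):
        today = today or date.today().isoformat()
        try:
            bits, day, recipient, _counter = stamp.split(":")
            bits = int(bits)
        except ValueError:
            return False                      # malformed stamp
        if recipient != self.recipient or day != today:
            return False                      # minted for someone else or another day
        if bits < self.min_bits or stamp in self.seen:
            return False                      # too little work, or already spent
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) < bits:
            return False                      # the claimed work was not done
        self.seen.add(stamp)
        return True

if __name__ == "__main__":
    s = mint("list@example.org", 16)          # constructed recipient address
    print(s, StampChecker("list@example.org", 16).accept(s))
```

Binding the stamp to the recipient and date, and remembering spent stamps, is what stops one computed stamp from being reused across a bulk mailing.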
I call this approach the “mandatory whitelist with adaptive challenge response.” It works, but it’s tremendously annoying. Imagine joining a new mailing list and then being forced to prove to 600 people that you really are human. That approach actually increases the amount of junk mail in the world — for every spam message, a query reply is generated as well. And woe to you if a spammer uses your email address as its sender address: You’ll be bombarded with messages.
A still bigger problem with the mandatory whitelist is that spammers can defeat it by using a sender address that’s likely to be in your whitelist — like your own email address or the email address of somebody else at your company.
Jeff Schiller, MIT’s network manager and head of the Internet Engineering Task Force’s steering group’s section on security, said all technical solutions to spam shared a common problem: Spam software may not be human, but spammers were.
Every time an engineer figures out a way to stop spam, the spammers think up some new sidestep.
As for me, I’ve been able to cut my load of spam from more than 100 messages a day to just two or three, thanks to SpamAssassin, an effective Perl-based spam detector that runs on Unix and Windows. Instead of throwing the spam away, I drop it in a mailbox, which I scan every day to see if a legitimate message was trapped by accident. When that happens, I move the message back into my inbox and whitelist the address.
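The tag-and-review workflow described here, and the header tagging mentioned earlier in the article, as an added example that is not the author's or SpamAssassin's code: tagged mail is filed for review rather than bounced, and releasing a false positive whitelists its sender. The sample messages and addresses are constructed and the function names are assumptions; `X-Spam-Flag` is the header SpamAssassin sets on mail it tags.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, as they would look after the tagging filter has run.
SAMPLES = [
    "From: Alice <alice@example.org>\nSubject: Lunch?\n\nNoon works.",
    "From: promo@bulk.example\nX-Spam-Flag: YES\nSubject: Act now\n\nBuy.",
    "From: Pager <5551234567@pager.example>\nX-Spam-Flag: YES\nSubject: Page\n\nCall the NOC.",
]

def sender(msg):
    """Lower-cased address from the From header (forgeable, as the article notes)."""
    return parseaddr(msg.get("From", ""))[1].lower()

def route(raw_messages, whitelist):
    """File each message into 'inbox' or 'review'; nothing is bounced or discarded."""
    boxes = {"inbox": [], "review": []}
    for raw in raw_messages:
        msg = message_from_string(raw)
        tagged = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
        if tagged and sender(msg) not in whitelist:
            boxes["review"].append(msg)
        else:
            boxes["inbox"].append(msg)
    return boxes

def release(msg, boxes, whitelist):
    """Move a false positive back to the inbox and whitelist its sender."""
    boxes["review"].remove(msg)
    boxes["inbox"].append(msg)
    whitelist.add(sender(msg))

def demo():
    whitelist = set()
    boxes = route(SAMPLES, whitelist)
    # The daily review spots the pager message among the tagged mail and releases it.
    pager = next(m for m in boxes["review"] if "pager" in sender(m))
    release(pager, boxes, whitelist)
    # The next tagged message from that address now goes straight to the inbox.
    again = route([SAMPLES[2]], whitelist)
    return len(boxes["inbox"]), len(boxes["review"]), len(again["inbox"])

if __name__ == "__main__":
    print(demo())
```

Because the whitelist is keyed on the From header, a tagged message that claims a whitelisted address is also delivered to the inbox, which is the weakness of sender whitelists noted above.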
But SpamAssassin is just another technical measure and, ultimately, it will be evaded too. I don’t see any long-term antispam solutions that don’t include another kind of vigilante justice — the kind that involves dark alleyways, broken fingers and big men making scary threats.