Is there a white knight solution to spam?
BY SIMSON GARFINKEL
E-mail is the Internet's killer app. Yet the future of e-mail is
in serious jeopardy from the ever-increasing torrent of unwanted e-mail
that fills our inboxes and clogs our mail servers.
The statistics are frightening.
According to Brightmail, an antispam company, 40 percent of all e-mail
is now spam, and nearly 15 percent of all spam is pornographic, up from
5 percent last year. Pornographic spam is an affront to many Internet
users, creating a hostile workplace and opening employers to the threat
of litigation.
Brightmail operates a "probe
network" built from old e-mail addresses at some of the world's largest
(and smallest) ISPs. Whenever lots of mailboxes receive messages that
are similar, the messages are sent to Brightmail's operations center,
where human beings look at the messages and determine if they are spam.
In November 2002, Brightmail's experts uncovered 5.5 million spam
"attacks," each consisting of between several thousand and several
million messages.
Many ISPs have strict policies
against spamming. If spam is sent out from your computer, your Internet
connection can be terminated without notice or other warnings. Imagine
my astonishment in late November when I discovered that more than
100,000 spam messages had been sent to Hotmail from the network
connection in my own basement. Here's what happened.
When a friend of mine lost his
Web-hosting facility, I agreed to let him put a Windows 2000 e-commerce
site in my basement, using one of my unused IP addresses. One day, he
removed his computer's host-based firewall because it was making the
SQL Server crash. That night, a piece of software on his computer
opened up a connection to Hotmail, created a new account, and started
using it to spam Yahoo and AOL subscribers with advertisements for
penis enlargement. The attack continued for precisely one hour, then
shut off. It repeated with a new Hotmail account five hours later.
My friend has antivirus software
running on his Windows system, but neither he nor it found the hostile
code. In the end, his only recourse was to reinstall the host-based
firewall and deal with the occasional crashes.
ISPs feel compelled to take such
drastic actions with spammers because legal approaches have largely
failed, and spammers are hurting ISPs where it counts—in the checkbook.
Spammers are forcing ISPs to buy more computers to handle the e-mail
load, to develop and deploy technology to shield customers from spam,
and to hire more employees to deal with the complaints. And if ISPs
don't immediately kill the accounts of suspected spammers, they risk
being put on antispam blacklists.
Yet for all the costs of spam, I am
equally concerned about the rising cost of antispam measures. Like
antivirus software, antispam can be run on either an organization's
e-mail server or on the desktop. But unlike antivirus systems, which
use signatures to identify viruses and almost never have
false positives, identifying spam is invariably an error-prone process.
Good antispam systems need a way to handle their mistakes.
Some antispam systems tag mail
that's likely to be spam with a special header. Users can then set up
filters in programs such as Eudora or Outlook Express to automatically
put tagged mail into a special mailbox, where they can review it at
their leisure. Other antispam systems simply bounce mail that's
identified as "spam" back to the sender. Real spam invariably has a
fake return address, causing it to be dropped. But mail that is
accidentally misidentified ends up back at the sender.
Last November, the Federal Trade
Commission started subscribing to several antispam blacklists and using
them to block incoming e-mail. The blacklists aren't perfect because
spammers invariably use the same ISPs as people who don't send spam.
The result: Some public comments that were sent to the FTC were blocked
and not delivered. "It was surprising to see that a government agency
was bouncing my mail," Sonia Arrison, a technology policy analyst at
the Pacific Research Institute, told CNET News.com. "Shouldn't they all
be open to the public?"
I have had similar problems. I send
out a lot of e-mail through MIT's main e-mail server—a server that is
incorrectly listed in one of the widely used blacklists. Last fall, I
replied to an e-mail that I had received from a computer security
company: My reply bounced because of the blacklist.
Companies subscribe to those
blacklists because they work. But blacklists pose yet another problem:
By definition, when you subscribe to a blacklist, you are allowing an
outside organization to decide whose mail you can receive, and whose
you can't. This is very different from using an antivirus system to
scan your e-mail and remove offending copies of the Klez virus. Some
ISPs have been blacklisted because they host websites belonging to
spammers. Depending on your point of view, blacklists are either
grassroots Internet activism at its best or unaccountable vigilante
justice at its worst.
If you are a legitimate business
that sends out e-mail to your customers, step lightly. Three years ago,
I received an e-mail coupon from the Gap. I couldn't remember giving
the Gap my e-mail address so I called the company, accusing it of
spamming. The spokesperson at the Gap told me that I had given the
company my e-mail address at a mall in Morristown, N.J. I have never
even been to Morristown, so I thought somebody at that store must have
bought a CD-ROM of e-mail addresses and entered mine into their system.
But the good folks
at the Gap were prepared. Every card that had been collected for its
e-mail campaign had been recorded on microfilm. The Gap faxed me a card
that had my e-mail address written in my very own handwriting. In fact,
I had given it my e-mail address two years earlier. The cards from the
Morristown store had gotten confused with the cards from the store
where I live.
Instead of using blacklists, some
antispam systems bounce mail that has improperly formatted mail headers
or suspicious sender addresses. As a result, I've had e-mail from my
pager tagged as spam and either bounced or discarded. That's because my
pager's e-mail address looks like the sort of address that a spammer
would use. (It's a 10-digit number@skytel.com.)
You've probably experienced another
antispam system if you send e-mail to any large mailing list. If you're
not on somebody's list of approved senders, their antispam program
might send you an e-mail asking you to prove that you're not some
program sending out spam. Sometimes all you have to do is reply.
Recently I had to go to a webpage, download a Java applet and have my
computer compute an "electronic postage stamp," which required 30
seconds of CPU time.
I call this approach the "mandatory
whitelist with adaptive challenge response." It works, but it's
tremendously annoying. Imagine joining a new mailing list and then
being forced to prove to 600 people that you really are human. That
approach actually increases the amount of junk mail in the world—for
every spam message, a query reply is generated as well. And woe to you
if a spammer uses your e-mail address as its sender address: You'll be
bombarded with messages.
A still bigger problem with the
mandatory whitelist is that spammers can defeat it by using a sender
address that's likely to be in your whitelist—like your own e-mail
address or the e-mail address of somebody else at your company.
Jeff Schiller, MIT's network manager
and head of the Internet Engineering Task Force's steering group's
section on security, says all technical solutions to spam share a
common problem: Spam software may not be human, but spammers are. Every
time an engineer figures out a way to stop spam, the spammers think up
some new side step.
As
for me, I've been able to cut my load of spam from more than 100
messages a day to just two or three, thanks to SpamAssassin, an
effective Perl-based spam detector that runs on Unix and Windows.
Instead of throwing the spam away, I drop it in a mailbox, which I scan
every day to see if a legitimate message was trapped by accident. When
that happens, I move the message back into my inbox and whitelist the
address.
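The two practices described above (tagging rather than bouncing, and a daily review of the spam mailbox followed by whitelisting the sender of any trapped message) as an added example that is not from the column; it relies on the real "X-Spam-Flag: YES" header SpamAssassin adds, while the messages and addresses are constructed samples.

```python
# Added example: file tagged mail for review instead of bouncing it, and
# whitelist a sender once a trapped legitimate message is found.
# "X-Spam-Flag: YES" is SpamAssassin's real marker; the messages and
# addresses below are constructed samples, not taken from the column.
from email import message_from_string
from email.utils import parseaddr

# Senders the user has approved after rescuing a misfiled message (constructed).
WHITELIST = {"colleague@example.org"}

# Constructed sample: a pager message the filter tagged because its sender
# looks like a spammer's address (a bare 10-digit number).
TAGGED_PAGER = """From: 8005551234@skytel.com
To: me@example.net
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.2 required=5.0
Subject: page

Call the office."""

# Constructed sample: an untagged message from an unknown sender.
CLEAN = """From: newcontact@example.com
To: me@example.net
Subject: hello

Nice to meet you."""

def sender_address(msg):
    """Bare, lowercased address taken from the From: header."""
    return parseaddr(msg.get("From", ""))[1].lower()

def is_tagged(msg):
    """True when the filter marked the message as spam."""
    return msg.get("X-Spam-Flag", "").strip().upper() == "YES"

def route(raw):
    """Return the mailbox a message is filed into: never bounced, never dropped."""
    msg = message_from_string(raw)
    if sender_address(msg) in WHITELIST:
        return "inbox"          # approved senders bypass the tag entirely
    return "spam" if is_tagged(msg) else "inbox"

def rescue(raw):
    """The daily review found a legitimate message in the spam mailbox:
    whitelist its sender so it lands in the inbox from now on."""
    WHITELIST.add(sender_address(message_from_string(raw)))
    return route(raw)
```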
But SpamAssassin is just another
technical measure, and ultimately, it will be evaded too. I don't see
any long-term antispam solutions that don't include another kind of
vigilante justice—the kind that involves dark alleyways, broken fingers
and big men making scary threats.
Simson
Garfinkel, CISSP, is a technology writer based in the Boston area. He
is also CTO of Sandstorm Enterprises, an information warfare software
company. He can be reached at machineshop@cxo.com.
ILLUSTRATION BY ANASTASIA VASILAKIS