By Alex Salkever

Now everyone knows the war on spam is really getting serious: Bill Gates himself has declared war on junk e-mail. On June 24, the Microsoft (MSFT) magnate posted his own call to arms on the company's Web site, joining Earthlink (ELNK) and America Online (AOL), two Internet service providers that have stepped up their legal battles against unsolicited e-mail. Disgusted with the rising tide of puerile and often sexually oriented solicitations flooding their inboxes, lawmakers in the federal government and state legislatures have also enlisted in the anti-spam brigade.
You can almost hear Corporate America cheering along the parade route: Daily torrents of spam cost employees hours every week sifting through and discarding hundreds of pesky and/or lewd come-ons. Ferris Research, an electronic-research firm, estimates that spam costs U.S. businesses $10 billion annually. And sometime this summer, spam will grow to greater than 50% of all e-mails sent, according to spam-filtering outfit BrightMail.
FUTILE EFFORTS? Spam haters are fighting back (see BW Online, 4/22/03, "Anti-Spammers Get Serious"). The weapons of choice so far: Spam-filtering technology from companies such as BrightMail and ClearSwift. Increasingly, ISPs are suing U.S.-based spammers to cease and desist. In Washington, Congress is considering nine different bills designed to reduce spam, including a proposed "do not spam" registry system similar to the "do not call" registry that telemarketers must now follow. Thirty-four states have anti-spam legislation that authorizes civil or criminal penalties against senders of unsolicited e-mail.
So victory should soon be at hand, right? Not so fast. Unfortunately, these efforts are probably destined to fail. Worse, they could well have the perverse effect of making spam even harder to stop. Just as poorly used antibiotics help to create stronger bugs, the current scattershot efforts will likely create smarter spammers with more effective delivery methods. Here's why.
Attacking junk e-mail in the courts and Congress makes for nice headlines and good sound bites. But spammers are already two steps ahead of the ISPs and lawmakers, who can outlaw practices only of U.S.-based culprits. Most have already moved offshore -- to places where foreign governments either don't care or don't have the resources to prosecute spammers. Does anyone really think that in Pakistan, tracking down a geek carpet-bombing AOL with spam will take precedence over tracking down Osama bin Laden? How about Colombia, with its drug cartels and insurgent rebels creating mayhem? Yet, these two countries are popular homes for spammers.
BYPASSING FILTERS. Outfits such as BrightMail claim that they have a technological solution that will sense incoming spam and stop it cold. Apple (AAPL) and Netscape offer nifty filtering mechanisms that allow a user to "teach" their mail program what's spam. The program then automatically filters out offending missives.
These approaches, however, quickly become less effective as spammers figure out ways around them. Under the current system, a spammer's cost of sending 1 million e-mail messages is only marginally higher than sending 100. That's thanks to the flat-rate system for mail running on the Internet. To counter more pervasive filtering and maintain their click-through rates, spammers have begun to send out significantly more spam. It's a brute-force play on the mathematical odds, and it's already putting a strain on company mail servers.
The second problem with filtering is that the better it works, the harder it becomes to tell real mail from spam. Here's the logic: Filtering will eliminate all the most obvious spam from your mail queue. But spammers aren't stupid. They have sophisticated mechanisms for tracking what gets through. Then, they tweak their messages to evade filters. Hence the rise of messages bearing perfectly believable subject lines such as "re: meeting next week" or "lost your e-mail address, please resend."
MASKING CONTENTS. To keep the filters from scanning a solicitation's contents, spammers have increasingly resorted to a graphical e-mail format, which is encoded in HTML. Filters can't read such messages for the same reason that scanners can't pick out simple messages hidden in fuzzy backgrounds. It's a tricky mathematical problem of pattern recognition.
Some anti-spam protections rely on "challenge-response" systems, which require you to click through a URL or simply to hit reply before letting the contents of the e-mail come through. Sounds great -- until your bank sends you a notification of an account overdraft, and you miss it because you overlooked the prompt amid all the spam (see BW, 7/7/03, "A Spam-Fighter More Noxious Than Spam").
Some anti-spam crusaders see promise in a sort of spam directorate that helps ISP operators easily spot unwanted e-mail. Something like this is already enforced: Huge bombardments of messages now trip alarms at the major ISPs. Unfortunately, spammers are ahead of the game here, too. They've started chopping up their attacks into smaller blocks, sent at random intervals and often using randomly sequenced connections with multiple ISPs. And they're getting their pesky solicitations through.
THE REAL PROBLEM. Another popular proposal would set up a sliding fee scale for e-mail. The first 400 messages per month from an account might go free of charge. The next 10,000 might cost the sender 1/8 of a cent apiece. The next 10,000 might cost 1/4 of a cent apiece. And so on.
The problem with this approach is that a considerable percentage of spam comes from mail servers of unsuspecting organizations. Spammers sometimes hijack mail servers and spew out unsolicited messages with the return address of the legitimate and unaware organization or person. So charging for e-mail messages might push more spammers to hack into and exploit legitimate mail servers.
Look hard enough at all this, and you soon realize it's a result of the Net's anonymous structure. The real solution lies in the system's masters -- the backbone connectivity providers, the router makers, the big telecoms, and the big ISPs -- getting together and requiring anyone wishing to send e-mail over their networks to identify themselves.
ENCRYPTED BUT AUTHORIZED. This is the only approach that will ever strike at the root of the spam problem. Every message entering the e-mail system would need to have a unique digital postage stamp that's difficult to forge. It's not a novel concept: Web sites have a system like this already with digital certificates designed to give assurances that they are who they say they are.
Granted, this solution is controversial. Cyber-libertarians cry foul whenever someone suggests a way to strip the anonymity out of e-mail. Fair enough, I say. But such fears can be addressed. ISPs could allow e-mail users to encrypt their message but still carry an authentication stamp. Or individuals concerned about maintaining their privacy could use third-party proxy organizations to strip out their identity but still validate a message as legitimate. A company called Anonymizer already does just that for Web surfers. Such validating would allow, say, people inside repressive countries to use encryption to communicate privately.
The Internet Engineering Task Force is already looking at ways of designing such a system. Top Net designers, such as Paul Vixie and Paul Mockapetris, think an e-mail-authentication system could be rolled into the next version of Internet backbone software.
HOW MUCH GUTS? Yes, some disruption would occur. Everyone who uses e-mail would need to upgrade their software to handle these signatures and encryption. But the technology is comparatively simple. It's really a matter of will -- as in will the organizations that run the Internet have the guts to make a decision that could be disruptive in the short term but immensely helpful in the long term?
I can only hope for the best -- and look forward to a day when I no longer have to spend mornings cleaning out my company e-mail of all manner of unwanted come-ons.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column.