16 March 2004

Last rites for spam

The war on spam is hotting up. A flurry of announcements recently from some of the wired world’s biggest names — including Microsoft, Yahoo!, HP and Sun — has raised the prospect that we may now see a fightback against junk mail.

A variety of new schemes aims to reduce the amount of spam being sent — not by arming end users with more tools to filter it out, but by hampering spam’s progress across the networks that make up the Internet.

At the moment, spam travels towards your inbox, unchallenged, until it meets your Internet service provider’s computers. Once there, it might be spotted and removed, if your service provider has appropriate and effective software. Otherwise, you download it and — unless you have a mail package capable of weeding out the rogue e-mails — it appears in your inbox.

Even those of us hiding behind filtering systems see some splashes of the vast amounts of spam washing around the Net. Spamhaus, a leading anti-spam organisation, claims to block about nine billion spams a day around the world. According to Microsoft, Hotmail alone catches 3,5-billion messages, and still some creep through.

Even as filters become better, and more widely used, the sheer volume of spam ensures some break through. Estimates suggest between 50% and 70% of all e-mail — the exact amount depends on which part of the world you live in, with the United States suffering most — is now junk.

The new plan is to make the early part of spam’s journey across the Internet more testing. The rationale is that even a marginal increase in the hassle factor for spammers will make sending junk e-mail much less attractive.

Greg Olson, vice-president of e-mail software company Sendmail, explains: “As long as it is so cheap to propagate to one million people, and even though your message is of low quality, you’re still going to find a few suckers. If it becomes very costly to propagate to one million people … these things will all cost a lot. Getting three or four suckers won’t pay for this any more.”

Sendmail is the company behind software that handles 70% of e-mail sent across the Internet, and it joined with Microsoft last week to announce an attempt to make e-mail more secure. Olson says now is the time to act against spam at a fundamental level. “Filtering, if you can get [the success rate] up to around 95%, is pretty good today,” he says. “But spam is doubling in Europe every eight to 12 weeks, and with that kind of curve it won’t be long before 95% just isn’t good enough, because we’ll still be getting 100 spams in our inboxes every day.”

The problem, he says, is that the Internet’s method for sending e-mails to their destination — called simple mail transfer protocol (SMTP) — is too trusting.

“Anyone who connects can send mail, and the system trusts where it comes from,” says Olson. “That was fine when the Internet was primarily a research community, but it has become a much tougher neighbourhood since then.”

The big names’ answer is to make SMTP less naive. Sendmail, Microsoft, Yahoo! and the others hope to do this by adding software on top of SMTP that forces e-mails to “prove” where they have come from. If they “lie” about their origins — using the “spoofing” method where a false “from address” is added to e-mails to mask the true identity of the sender — they can be dismissed as spam. And if they “tell” the truth (and that reveals they originate from a known spammer) a similar fate awaits them.

“Once we know, reliably, where mail is coming from, we can apply other measures to decide which mail we want to look at,” says Olson. “So [the concept of] reputation is now useful. Spam is, to some degree, an individual definition — if you’re interested in some kind of area, you might want to get commercial messages about that area. But other people might consider that spam. But if you know where it’s coming from, you have the ability now not to accept.”

Although sharing similar technical characteristics, the new methods have a variety of names — “caller ID for e-mail” in Microsoft’s case, DomainKeys in Yahoo!’s, Sender Permitted From (SPF) in AOL’s. As a common standard gains popularity, e-mail systems will gradually switch to insisting, rather than merely asking, that e-mail identify its origins.
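The receiving server's decision described above, sketched as an added example that is not part of the original article or any vendor's code: it checks the connecting address against what the sender's domain publishes, applies reputation only once the origin is verified, and shows the difference between asking and insisting. It uses SPF's `v=spf1` record syntax with only the `ip4:` and `-all` terms; the domains, addresses, reputation list and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: sender policies as domains would publish them
# (SPF-style records) and a reputation list. All values are placeholders.
PUBLISHED = {
    "bigmail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk.example": "v=spf1 ip4:198.51.100.7 -all",
}
KNOWN_SPAM_DOMAINS = {"bulk.example"}


def check_origin(domain, client_ip, records=PUBLISHED):
    """Return 'pass', 'fail' or 'none' for the connecting IP vs. the domain's policy."""
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"          # domain publishes nothing: origin cannot be verified
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"  # connecting server is one the domain authorised
        elif term == "-all":
            return "fail"      # not authorised, and the domain disowns all others
    return "none"


def decide(mail_from, client_ip, insist=False):
    """Receiver's verdict for one message: 'accept', 'flag' or 'reject'."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    origin = check_origin(domain, client_ip)
    if origin == "fail":
        return "reject"        # the from address "lied" about its origin
    if origin == "none":
        # "asking" tolerates unverifiable mail; "insisting" refuses it
        return "reject" if insist else "flag"
    # Origin is verified, so the domain's reputation can now be applied
    return "reject" if domain in KNOWN_SPAM_DOMAINS else "accept"
```
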

But will they work? Matt Whittingham, head of information services at MSN in the United Kingdom, is cautiously optimistic. “To use a Churchillian phrase,” he says, “I think this is the beginning of the end. We will probably see the volume of spam continue to increase for the next six months, and then it may start to plateau as the technology becomes more sophisticated, and consumers become more aware. We should then start to see a decline in spam — a very big reduction — in about two years, but it will take a while for all of these measures to take effect.”

Some observers, however, are less confident. Steve Linford, who helps run Spamhaus, sees the recent flurry of announcements merely as moves by large corporations to protect their brands. “They’re all based on the same thing, and it isn’t a solution to stop spam, although it is often billed as that,” he says. “All it stops is large domains being hijacked. When one of these systems is widely accepted … you won’t get so much e-mail claiming it’s coming from MSN or Yahoo!. You’ll get spam purporting to be from much more obscure domains, so nothing will change.

“It’s like telling thieves they can’t come and raid your house in a Tommy Hilfiger T-shirt, because Hilfiger won’t allow it any more, so if they want to raid your house they’ll have to wear ordinary T-shirts.”

In particular, Linford is scathing about Microsoft’s patented “caller ID for e-mail” system, which he says differs only in small technical details from other non-proprietary anti-spam systems. It will, he says, work with Microsoft Exchange e-mail servers — but those servers have come under fire for being particularly vulnerable to hijacking from spammers. He says the real solution will come when Microsoft makes its software more secure and less vulnerable to the spammers’ ruses.

“All the spam that you get, from virus-infected machines, from open proxies and from exploits, all of it is coming from Windows machines,” he says. “None of it ever comes at you from an Apple, or a Linux, or a Sun or any type of Unix. There is such a deep security problem in Windows, you can basically tell Windows what you want it to do, and it’ll do it.”

Microsoft is expected to launch a more secure version of Windows in about two years and then, says Linford, “we will see a significant change in spam, because spam won’t be able to use all these exploits. The whole world will be much more secure.” But he warns that, even then, Windows users in the developing world will be unlikely to upgrade to the new system for some time. Spammers will continue to look for vulnerable machines in those countries, and keep their businesses going for years to come.