Can Antispammers Win the War?

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The way things are going, it looks like spam will make up 99.9% of all e-mail before too much longer.

The onslaught of spam (and the viruses and spyware that it often carries with it) is turning a significant number of people away from the Internet. In a survey of
U.S. consumers conducted by
Osterman Research from Jan. 18 to 20, more than one-third (34%) said spam, spyware and related problems had reduced their use of e-mail or the Internet “a bit,” with another 10% saying they’d reduced their use “a great deal.”

According to the research firm’s president, Michael Osterman, mail-monitoring companies
say
88% of all e-mail in 2004 was spam. And estimates indicate that the
figure will reach 92% in 2005. Hmm, does that mean we’ll hit 100% by 2007?

But there may be some good news. Antispam experts attending a recent conference expressed some optimism that they may finally have some tools to dramatically reduce spam, if not eliminate it.

A Who’s Who of Spam Fighters

The event was the second annual “Spam and the Law Conference,” held Jan. 28 at a hotel near the San Francisco Airport. The roster of speakers included
representatives of some of the biggest names in the spam wars:

• Lisa Rosenthal, an attorney with the U.S. Federal Trade
Commission, which she said had filed more than 60 lawsuits against spammers since
1997 — three of them since the so-called CAN SPAM Act went into effect Jan. 1,
2004;

• Michael Grow, chair of the technology department of the
Washington, D.C., law firm Arent Fox Kintner Plotkin & Kahn, who is credited
with helping AOL convict notorious “spam king” Sanford Wallace in 1996;

• Aaron Kornblum, an attorney for Microsoft Corp., which he said
has filed more than 120 lawsuits since 2003, reaping $306 million in legal
judgments (although Kornblum acknowledged that an “insignificant amount” of that
has actually been collected from the elusive spammers).

Much of the conference focused on the same legal approaches to fighting spam
that have been employed for years. But two aspects of the spam problem seem to
lend themselves to new defenses, which may be more effective.

Catching Spammers in Four-Tenths of a Second

Matthew Prince, a cofounder of Unspam LLC, an antispam consulting service based
in Chicago, described recent advances that he believes can identify spammers
much more quickly than ever before.

Unspam, which I reported on in this space on

Nov. 30, has massively expanded Project Honeypot, its program that generates
unique, one-time e-mail addresses on Web pages around the globe. Spammers use harvesting
software to collect addresses from pages at random. When an Unspam address is
harvested, the organization makes a record to use against
the spammer.

At the end of November, Unspam had planted only about 4,000 decoy addresses on the
Internet. Since that time, however, the effort has exploded, growing to more than
32,000 addresses, according to a counter on the organization’s
home page.

Prince says his organization’s servers are capable of notifying Internet
services providers (ISPs) and others within 0.4 seconds of a decoy address
receiving a message. Such a transmission could only have come from a spammer,
since the address in question never signed up for any legitimate e-mail lists.

Unspam’s online blocklist, known as HTTP:BL, will become available in spring
2005, Prince says. The list can be used by ISPs to disable accounts as soon as
it’s clear they’re being used for spamming, Prince says.

Although many antispam experts have criticized the U.S. CAN SPAM Act as too
weak, Prince notes that the act includes an absolute prohibition against two
techniques spammers depend upon to acquire addresses in the first place. These
are harvesting attacks, as described above, and dictionary attacks, in which
spammers send messages to random addresses to learn which ones are active.

By linking pieces of spam to their original harvesting attacks, Prince argues,
withering technical and legal measures can be brought to bear against spammers.
CAN SPAM allows ISPs to sue spammers, with damages ranging up to millions of
dollars and jail terms up to five years.

Make Sure Your Address Isn’t in the Dictionary

A major change in the nature of spam, however, is making dictionary attacks more common
than harvesting attacks, according to Andrew Oakley, technical architect for MessageLabs, a
respected mail monitoring service based in London.

He reports that since more homes have broadband access and more home computers
are left on all the time spammers now have access to far greater bandwidth
with which to send spam. About 80% of today’s spam emanates from home computers that’ve been infected with
“zombie” software controlled by spammers.

As a result, Oakley says, many spammers no longer bother to harvest addresses
from Web pages. Instead, they have enough raw horsepower to simply send spam to
every name that might appear on the left-hand side of the “at” sign (@) of a
major company’s domain.

One company that recently asked MessageLabs for help, Oakley said, was receiving
30 million spam messages a day. That number dropped to a more manageable 100,000
a day when the company — which Oakley would identify only as a teen-lifestyle site
— started filtering out mail to nonexistent addresses. The spammers were using a list of
some 6,000 common names, 200 of which happened to match real e-mail addresses at the
company, which used each employee’s first name to form the addresses.

This kind of attack can be deflected, Oakley says, by configuring your mail
servers to drop connections from senders who mail to a lot of addresses that
don’t exist. You should also make sure your e-mail addresses contain punctuation
marks and don’t include names and words that can be found in a dictionary.

The Race Goes To The Swift

Anne Mitchell, president of the Institute for Spam and Internet Public Policy
(ISIPP) and sponsor of the conference, feels the problem of spam is not a
hopeless one.

“I don’t think anyone enters this room with a single plan to end spam,” she
says. “People
know it has to be a multi-pronged approach.” The solution to spam, Mitchell
says, will be a combination of technology, legislation and education.

She points out that, although spam volume is increasing, she’s seen anecdotal
evidence that corporate workers are seeing less and less spam as filters become
more effective and widely used. That doesn’t keep spam from being sent in the first place — the senders are generating more mail
just to penetrate the filters, Mitchell says — but it may be the beginning of the end of spam.

For more information on the ISIPP and the next antispam conference, see
ISIPP.com.