Internet.com ISP-Planet
The Spam Conundrum

Numerous simplistic suggestions are being touted as solutions to the difficult problem of spam. Unfortunately, one of the easiest effective spam-fighting strategies is impossible in the litigious environment of the U.S.

by Alex Goldman
ISP-Planet Associate Editor
[August 29, 2003]

Pundits who predict that the volume of spam will increase this year are certainly not going out on a limb. As the volume of spam increases, solutions seem increasingly elusive. Yet another article (this one in the Wall Street Journal: Could Spam One Day End Up Crushed Under Its Own Weight? (subscription only)) recently suggested that if we only didn't click on spam, it would go away. It even suggested government intervention. The author wrote, "We desperately need a campaign of education and downright social coercion to stop people from cooperating with purveyors of new septic tanks and body "enhancement" products." That suggestion is as foolish as suggesting that we turn off the world's e-mail to stop spam. Neither will work.

When the notorious Buffalo spammer was caught, we learned that he could earn $380 per day with 38 positive responses from 8 million e-mails. I've always said that if you're one in a million there are eight of you in New York. Now it seems that if you're one in a million, you also buy stuff in response to spam. No amount of education will break the economics of spam, which remain profitable as long as one (or four) in a million respond positively to spam.

Commentators who think otherwise don't understand the implications of the word "million." They simply don't understand the volume of spam that traverses the Internet every day, and they don't understand how profitable spam can be when it makes money from those few in a million who fall for it.

For further analysis of this, read Spam Economics: Who's the Real Sucker? That editorial was written in reply to an article in USA Today: Idiots who buy stuff off spam ruin e-mail for the rest of us.

Congress has been working on a solution to spam since at least 1999 (see Congress Takes On Spam) and we have always suspected that their "solution" would be politically palatable but, in practice, useless. It might be worse than that—it could penalize legitimate ISPs or marketers while failing to touch the spammers (see Spam: We're Losing).

Technological and legal solutions, such as they are today, will not completely eliminate spam. And make no mistake, many solutions are being built—there are over 100 anti-spam companies today. We are working to describe them all in our Anti-Spam Directory. However, in spite of the large number of companies, there are, in general, only a few effective solutions:

Challenge-response systems send out an e-mail to any unknown entity that sends you an e-mail, asking that they prove they are human and not a spammer. A detailed discussion of the problems with this approach can be read here. Basically, however, there are three problems: 1) you have to accept all mail from domains you like (so spammers can simply spoof "amazon.com" or "aol.com" and assume you'll let them through). 2) challenges can be challenged in return, creating an infinite loop of e-mail that is never read. 3) it may not be too expensive to pay people to respond to challenges. The Nigerians already do so for their own scam spams, and marketing companies could in theory do so too (see Silverpop Prepared to Beat Challenge-Response).

Filtering solutions block known spam, identified from mail sent to e-mail addresses maintained by ISPs but not assigned to humans. All mail these "honeypot" mailboxes receive is spam. Unfortunately, filters still let through about 20 percent of spam (see PC Magazine's Corporate Anti-Spam Tools test results). Nevertheless, this is a useful, if not perfect, solution. Filtering solutions are particularly good for ISPs because they tend not to block even the most outrageous legitimate e-mail, and because most filtering solutions allow end users to subscribe to spam they like. (For example, desperate people may want to get medical spam because they have problems that modern medicine cannot solve. The jobless may want to try job-related or MLM scams if they feel they cannot find a legitimate job in the current economy. ISPs also find that many end users want to receive porn-related spam.)

Heuristic solutions, from SpamAssassin (free) to MessageLabs (expensive), analyze each e-mail and assign a percentage chance as to whether it is spam. These are very effective at blocking spam, but inevitably also block some legitimate e-mail, which takes time to find. In addition, some spammers are "pre-scanning" their spam against popular solutions like SpamAssassin. Heuristic solutions are better suited to enterprises than to ISPs because enterprises can, in theory, better deal with the consequences when their filters block legitimate e-mail. (For example, when an associate recently sent an e-mail about breaking news with the Subject "hot stuff" to my work address, and I did not receive it, I blamed him rather than my company's IT staff). Employees with commission-based jobs, however, understandably get very angry when legitimate e-mail is blocked.

Blacklists are the original anti-spam solution. But if anti-spam is a war, the arms race has already made this spear obsolete. Blacklists identify spammers and block all mail from them. Unfortunately, these days, they tend to harm only legitimate e-mailers. Spammers expect to be blocked and therefore constantly move on, leaving ISPs and their customers to contact the blacklist people and get delisted, a time consuming and fractious process. See Spam Shuts Down Legitimate Websites.

Unusual new ideas have come from Habeas, The Titan Key, ePrivacyGroup, and others, but these ideas complement anti-spam solutions. They do not completely solve the problem. The best an ISP could do, in theory, would be to deploy a filtering solution plus one or more of the solutions in this group.

Given these problems, ISPs remain frustrated. But there is one thing ISPs could try, although every ISP I have suggested this to has been reluctant to do so. ISPs could limit spam originating on their network by allowing users to send only one e-mail per second, blocking or slowing mail coming out of overactive mailboxes.
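One way to implement the per-mailbox outbound limit suggested above, as an added example that is not from the original article: a token bucket refilled at one message per second, which slows a mailbox first and blocks it if it stays overactive. The burst size, the block threshold, the names `OutboundLimiter` and `replay`, and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

RATE = 1.0        # from the article: one e-mail per second per user
BURST = 5         # assumption: short bursts allowed before throttling
BLOCK_AFTER = 20  # assumption: consecutive deferrals before the mailbox is blocked

@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0
    deferred: int = 0
    blocked: bool = False

class OutboundLimiter:
    """Per-mailbox token bucket for outgoing mail (hypothetical helper)."""
    def __init__(self):
        self.buckets = defaultdict(Bucket)

    def check(self, sender: str, now: float) -> str:
        b = self.buckets[sender]
        if b.blocked:
            return "block"
        # Refill at RATE tokens per second, capped at BURST.
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            b.deferred = 0
            return "accept"
        b.deferred += 1
        if b.deferred >= BLOCK_AFTER:
            b.blocked = True  # stays blocked until an operator reviews it
            return "block"
        return "defer"        # slow the sender, e.g. with a temporary (4xx) SMTP failure

def replay(events):
    """events: iterable of (timestamp_seconds, sender); returns verdict counts per sender."""
    limiter = OutboundLimiter()
    counts = defaultdict(lambda: {"accept": 0, "defer": 0, "block": 0})
    for ts, sender in sorted(events):
        counts[sender][limiter.check(sender, ts)] += 1
    return counts

# Constructed sample traffic: a normal user and an overactive mailbox.
NORMAL = [(t * 20.0, "alice@example.net") for t in range(6)]   # one message every 20 s
BULK = [(t * 0.01, "bulk@example.net") for t in range(1000)]   # 100 messages per second
```

Replaying `NORMAL + BULK` accepts every message from the normal user, while the overactive mailbox gets its burst through, is deferred, and is then blocked for the rest of the run.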

But it appears that ISPs in the United States are unlikely to give this strategy a try. In a litigious environment, ISPs cannot be certain that if they block or slow down the delivery of even a single legitimate e-mail, they won't be sued for huge sums. An end user might say, "I was about to secure a $10 million contract, so you owe me $10 million" or "I was sending a resume that might have made my career, so you owe me the amount of money I might have made during my career." Within ISPs, some salespeople are already saying similar things to some mail filter managers.

ISPs in other nations, however, should not face this risk and should be able to scan their own servers for outgoing spam. Doing so would, like e-mail filtering, block some spam, but not all of it. An ISP's contribution to fighting spam in this way will be proportionate to its volume of outgoing mail. The largest ISPs, and especially the free e-mail providers, are notorious sources of spam. They need to do better, and they can—if the U.S. legal system will support their efforts.

— End

Related articles:
  [May 5, 2003] FTC Spam Forum Dispatch
  [Jan. 17, 2003] Spam Gatecrashes the Party
  [July 31, 2002] Keeping Up With Ratware

 
