Spam heading for higher costs
- 20 March, 1998 21:49
"Reprint rights to riches!" read the subject line of one of the many unsolicited bulk e-mail transmissions I've received recently.
Most such transmissions, known as spam, emanate from opportunists who use forged addresses that you can't reply to. Others come from legitimate advertisers. But this message appeared to come from a sterling source: myself. Its sender was listed as "Daniel Blum."
Worried that other users had also received spam that was supposedly from me, I complained to the ISP. I received the following response: "The spamming software used to send this uses the recipient's address as the sender's address. There is no telling who else this went to, but it will not appear that it came from you."
The sender's program had forged my address in order to avoid being filtered out by ISP spam-blocking services. My ISP offers a free "spaminator" service, which maintains a kill file of spam-sending domains and originators whose messages will be blocked.
Spam is a growing problem that has gradually escalated from merely annoying users to raising enterprise costs to ultimately threatening the openness and integrity of the Internet.
According to an Internet Mail Consortium (IMC) report on unsolicited bulk e-mail, "Spam costs money to every recipient, as if it was sent postage due." Many users spend connect time, long-distance call time, personal time and company time opening, identifying, sorting and deleting spam. Aggregated across 200 million e-mail users, these costs are very high, even before taking into account the bandwidth, help desks and filtering resources expended by enterprises and ISPs.
But perhaps the greatest cost of spam is the degrading effect it has on e-mail. You can no longer really be sure that the messages you receive are what they appear to be.
So what are we going to do about spam? The IMC report I mentioned analyses the effects of solutions that involve filtering, legislation and content labelling. But the report's authors aren't optimistic that any of these solutions -- taken alone -- can solve the problem.
At a minimum, we should make it illegal to forge e-mail sender addresses, but this is hard to do because the Internet does not belong to any one country. Enterprises should buy messaging software that maintains kill files at the firewall, but some spam will come in under the radar and some legitimate messages will inadvertently be deleted. ISPs should singly and as a group enforce acceptable-use policies, but dishonest spammers will find a way to evade them. Content labelling of unsolicited bulk e-mail is great, but it too can be evaded and must work in conjunction with filters.
What is clear is that everyone should use digital signatures, particularly if you are in upper management or deal with the public. In the short term, digital signatures at least make it much more difficult for someone to forge e-mail addresses so messages would appear to come from your company. In the long term, corporate messaging firewalls can validate that incoming messages are signed with a digital ID issued by an acceptable certifier -- one that doesn't do business with spammers.
In addition, you should make it a priority to deploy technologies such as Secure Multi-purpose Internet Mail Extensions secure messaging, Open PGP, Lightweight Directory Access Protocol directories and X.509 public-key certificate authorities across your intranet and among your extranet trading partners. This will provide accountability and reduce the risk of fraud. Go ahead and send me e-mail -- in your name only, please -- if you'd like advice or help on such a project.
(Blum is a principal at Rapport Communication, a US consultancy that provides enterprise messaging, directory and groupware consulting and information services. He can be reached at dblum@mind spring.com or www.rapport.com.)