Trapping spam
TheStar.com - Trapping spam
Internet service providers are casting their nets to catch the rising tide of unwanted e-mail messages
RACHEL ROSS
Cast a big net and you'll catch a lot of fish.
Cast a better net and you'll save the dolphins.
For years, Internet service providers have struggled to keep unsolicited e-mail, or spam, out of our inboxes. Incoming spam frustrates their customers and outgoing spam can use up a lot of bandwidth. All that adds up to money lost.
So they've cast their nets far and wide, in an attempt to catch the spam while the legitimate e-mail flows through. Many of the spam filters used today rely on a rules-based review of the e-mail's content. Not all legitimate e-mail follows the rules, however. Sometimes important messages get caught in the process, never to be seen by the intended recipient.
But that's all about to change. Some of the biggest names on the Internet are already building better nets. America Online Inc. (AOL), Microsoft Corp., Yahoo Inc. and IronPort Systems Inc. are all developing new ways to secure e-mail so messages can be traced back to their roots. Some systems simply seek to eliminate unwanted messages, others are designed to make the spammers pay by putting a dollar value on bad behaviour.
"The spam problem is worse than ever, in terms of the number of messages sent," said Sean Sundwall, corporate public relations manager for Microsoft Corp.
He said that, as of May, 64 per cent of mail sent to people who use Microsoft's Hotmail service was considered spam.
At the same time, Sundwall said Hotmail users are likely seeing less spam in their inboxes lately because Microsoft's filtering system keeps a lot of the junk out. Such filtering systems generally work by scanning incoming e-mail messages for words and phrases commonly used in unsolicited e-mail advertisements.
Unfortunately, filtering systems sometimes accidentally stop legitimate e-mail from reaching their intended recipients.
ThinData Inc. of Toronto helps companies reach their customers via e-mail by carefully crafting their messages so they aren't caught in the net intended to trap spam. Unlike spammers who e-mail ads indiscriminately to any e-mail address they can find, ThinData's clients only send e-mail to people who have actually asked to receive more information about their company.
However, some filters aren't very good at discriminating between spam and ads that people sign up to receive.
One filter called SpamAssassin looks for words such as "Free" or "Click Here" and large, bold, coloured fonts. A subject line that starts with the word "Buy" or "Buying" would also increase the likelihood that the e-mail will be blocked. The more spam-like qualities an e-mail has, the more likely it will be blocked.
"Certain filters are very aggressive," said ThinData's vice-president of client strategy, Wayne Carrigan.
He suggests his clients run their marketing messages through SpamAssassin, to see how "spammy" they appear and then change the wording or formatting as necessary.
But it's not a foolproof solution. Despite their best efforts, many legitimate marketers still have a hard time reaching everyone on their mailing list because of overzealous filters.
"Companies wouldn't necessarily know if their e-mail got through," Carrigan said.
Moreover, once spammers get wise to the rules behind Spam-Assassin they will likely adjust their content so it appears less spammy too. Then it becomes a game of cat and mouse, where the spammers try to stay one step ahead of the filters.
Microsoft, AOL and Yahoo believe content filters are valuable. But they believe new kinds of filters are also needed to stop the rising tide of spam. All are essentially designed to do the same thing: check whether the e-mail really came from its stated origin.
Given our reliance on e-mail, it's a surprisingly insecure form of communication. The current e-mail system never questions the validity of a sender's address.
"Right now in the Internet world you can't know for certain whether an e-mail that claims to be sent from Microsoft, for example, is really from Microsoft," said Sundwall.
This has led to a relatively new phenomenon called phishing, where an evildoer sends out e-mail posing as a company representative and requests personal data. Last week, the Royal Bank of Canada was caught up in such a scam. Someone was sending out e-mail that appeared to be from the bank and asking people for their banking passwords. Bank spokesperson Judi Levita said the sender's address was listed as support@royalbank .com but the mail wasn't sent by the bank. It was sent by a scammer looking to steal some cash.
If e-mail addresses could be verified, scams like this wouldn't be a problem. Sundwall said spammers would also take a hit.
Most of the spam we receive is also from parts unknown. That's why it's so easy for spammers to escape the law: Their real identity is usually hidden behind a phony e-mail address.
Microsoft's spam solution is called Caller ID for E-mail. This system takes advantage of the one thing on an e-mail that cannot be forged: the Internet Protocol (IP) address. All over the Internet are special machines dedicated to sending and receiving e-mail. Each of those machines gets an IP address. It's sort of like a street address for computers.
There is already a global listing of IP address for the machines that accept e-mail. Under the Caller ID plan, a new list would be created for all of the machines that send mail so that, before an e-mail is transmitted, it would be stamped with the IP address of the machine that sends the e-mail on its way. Each IP address would be listed in the directory along with all the domain names that are authorized to send mail from that machine.
The IP address 203.170.241.26 might be responsible for mail from the domain names banana.com and rutabaga.com. (One IP address is often responsible for many domains.) An e-mail that was purportedly from peel@banana.com, for example, would only be accepted if the IP address on the e-mail was 203.170.241.26. Even then, the e-mail might be rejected. It all depends on the sender's reputation. If a verifiable sender has gotten a lot of complaints for spamming, the message might get turned away.
AOL is backing a very similar strategy known as the Sender Policy Framework (SPF). It also involves checking domain names against public directory of IP addresses for outbound e-mail servers. SPF just goes about it in a different way.
Alex Lesley, AOL Canada's vice-president of technology, said AOL implemented SPF in December and today some 14,000 Web domains are on board.
The technical differences between SPF and Caller ID will soon be moot, however. AOL and Microsoft recently announced that they will work together to develop one solid protocol for double-checking domain names against IP addresses.
Sundwall said he'd like to call the new merged strategy Sender ID, but nothing has been decided yet. It will likely be months, in fact, before a new merged strategy is ready to be put to use.
Yahoo's strategy, known as Domain Keys, is decidedly different. Its plan involves authenticating the entire e-mail, not just the address. Miles Libbey, anti-spam product manager for Yahoo Mail, said the Domain Key strategy offers a lot more than either SPF or Caller ID because it ensures the integrity of the whole message.
"With the Domain Keys solution it allows us to say the entire message was in fact created by the author," Libbey said.
The keys in such a system aren't the little metal pieces you shove into your door at home. They are actually composed of a series of text characters that can be processed much like numbers. There's a lot of math involved in this approach, but basically the keys are used to identify whether an e-mail really came from the purported sender and whether the contents of the message have been altered.
If the e-mail is validated and the sender isn't a known spammer, then the message goes through.
AOL's Lesley said he believes the Domain Key strategy would be harder to implement, but said it isn't necessarily incompatible with Caller ID or SPF. Ultimately, a multi-pronged approach could evolve.
IronPort Systems, Inc. of San Bruno, Calif., would like to add its own prong to that fork: the Bonded Sender system. With Bonded Sender, companies pay for bad behaviour. Participating companies would reveal their IP addresses and also put up money in the form of a bond. If enough people tell IronPort the company is sending spam, their bond is debited.
"It's an incentive for the company to never send spam," said IronPort's senior director of product management, Peter Schlampp.
He said the bond ranges from hundreds to thousands of dollars depending upon the amount of e-mail the company typically sends. Debited funds will go to various charities.
Microsoft backs the Bonded Sender strategy. Sundwall said he thinks it's a good addition to the Caller ID and SPR ideas.
"What (traditional) filtering does is trying to catch the bad guy," Sundwall said. "We want to shift the model to trying to identify the good guy."
Bonded Sender, he said, would achieve that goal so that mail from the "good guys" would have a better chance of making it to the intended recipient.
Bonded Sender is somewhat controversial, however. Some in the industry worry the system could shut out small business, for example.
Sundwall said companies that can't afford to put up a bond could still participate in the Bonded Sender program. Instead of money, these businesses would pay in speed. Special software on the sender's machine would force the machine to solve "computational puzzles" in the background, ultimately slowing the rate at which mail could be sent.
All the mail sent using this slower method would be specially flagged as legitimate mail, instead of spam.
"It basically limits the amount of mail a computer can send before it crashes," Sundwall said.
(Individual users wouldn't have to pay to send e-mail under such a scheme. As with the other proposals mentioned, those who choose not to participate would have their e-mail screened using more traditional filters, such as the content filters that are so common today, which search for words and phrases commonly used by spammers.)
All of the new proposals still need work, however. A recent study by the E-mail Service Provider's Coalition (ESPC) found significant problems with the Bonded Sender plan.
According to Direct Marketing News, the ESPC felt that the system was far too stringent. It would only take one complaint in a million to warrant a debit.
Schlampp said he wasn't aware of the complaint threshold issue, but he admitted that sometimes people complain about mail that isn't really spam at all.
"There are lots of false reports," he said.
Sometimes people just get confused or forget they have actually subscribed to a mailing list.
As with all these ideas, marketers say it's important that there's a proper feedback loop so that they can complain if they are improperly blacklisted.
These new filters will need to be more widely implemented before end users see a real reduction in the amount of spam they receive.
But Sundwall said we could see a big difference by the end of the year if enough companies adopt the free protocols that Microsoft is backing.
Sundwall said he hopes that these protocols, along with existing filtering systems, can all be used together to provide an accurate way to identify and isolate spam.
Content filtering alone is not enough. It's just too prone to error and easy for spammers to thwart. But if we can assess e-mail on the basis of its content and the sender's reputation we might be able to haul in the perfect catch.
June 14, 2004 at 07:57 AM in Spam | Permalink
| TrackBack (17)
| Top of page
| Blog Home
