Spam, phishing and other abuses are threatening to undermine confidence in the Internet. What will it take to solve the crisis before it's too late?
E-mail is arguably the most pervasive application on the Internet, but it's under attack by an onslaught of abuses that are eroding its usefulness. If not reined in soon, these threats could change the nature of the Internet as we know it.
Problems plaguing e-mail and the Internet in general have hit epidemic proportions. Few users have escaped the insidious nature of spam, and more are falling victim to phishing, a growing form of online identity theft. Viruses often carry malicious code able to turn an unsuspecting user's PC into a "zombie" that, when summoned, becomes a spam-blasting mail server.
Sender authentication hits roadblocks
These aren't problems that a new version of Microsoft Exchange or some additional disk space can fix. The Internet community is hard at work developing technology responses to these threats, while U.S. regulators seek to use the few legislative tools they've been given to crack down on e-mail crime. Unwanted e-mail has become such a global headache that international organizations are spearheading efforts toward multinational anti-spam laws and regulatory bodies.
"We see what is at stake is no less than the protection and preservation of the Internet as we know it," says Robert Shaw, Internet strategy and policy adviser with the International Telecommunications Union.
Yet all these interested parties agree that there is no practical cure to e-mail abuse, there's only containment.
Statistics tell the story of a problem that isn't about to go away. The ITU estimates that spam makes up about 80% of all e-mail sent across the Internet and costs the global economy $25 billion annually. In July alone, 1,974 unique phishing attacks were reported, according to the Anti-Phishing Working Group (see graphic for more statistics).
Worse yet, no one knows what's lurking around the corner. Spammers have notoriously been able to stay one step ahead of technology and in their wake have created an entire industry of spam filtering vendors that scramble to keep up with the latest tricks. Phishers create e-mails and Web sites that are practically identical to those they're spoofing, luring even savvy computer users into identity theft traps. The viruses that are turning computers into spam-sending zombies damage an innocent user's reputation and make it impossible to determine the real source of the e-mail.
In the world of e-mail, the abusers are calling the shots, and the technology industry is being led around by the nose.
"If you talk to people who use e-mail, certainly within the consumer ranks, they're saying it's too much trouble now, there's too much junk, and it's just too dangerous," says Greg Olson, founder and chairman of e-mail software maker Sendmail. "The whole thing is in jeopardy."
Yet few would go so far as to say e-mail will cease to be a popular communication mechanism. Not only have businesses invested too much time and money in building their messaging infrastructures and online customer relation strategies, but e-mail has become ingrained in Americans' work and lifestyles.
"We've built such a tremendous dependency on e-mail, I don't think we're in a position where we'll go back and say 'I'm going to start calling people or writing letters again,'" says Howard Schmidt, chief information security officer at eBay and former White House special adviser for cybersecurity. "As we look at the evolution of technology, we've overcome things and moved forward; this is just another thing to overcome."
Still, the days of sending and receiving messages without risk or nuisance appear to be gone.
The only way to rid the world of spam is to make sending it not economically viable. The overhead associated with blasting spam across the Internet is so low that spammers require only the narrowest response rate to make money. If e-mail users ceased responding to myriad offers to refinance their mortgages or buy prescription drugs, spammers would stop sending them.
Short of making sending unsolicited commercial e-mail illegal - which Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) does, but only under specific circumstances - there appears to be no way to stop spam.
Clamping down on phishing, a more serious abuse that is considered a form of fraud and therefore a federal offense, means having to find the offenders and quantify the damages to their victims - something federal agencies have found challenging. Meanwhile, the Federal Trade Commission reports that identity theft continues to grow; the agency received 214,905 complaints in 2003, up from 86,212 in 2001.
With eradication of e-mail abuse an unobtainable goal, technology companies, industry associations, lawmakers and even international bodies such as the U.N. have set their sights on making e-mail's problems less severe.
While opinions differ on the best way to cut down on abuse, everyone seems to agree it will take a combination of new technology, strong legislation with serious consequences, vigorous law enforcement, end-user education and international coordination to fight the problem.
On the technology front, the industry seems to be coalescing around the idea of adding sender authentication to e-mail, letting recipients verify the source of a message (see "Sender authentication hits roadblocks"). By verifying a message's sender (or in the case of the most popular proposals, the domain from which a message was sent), such technology would close the loophole left open by SMTP that allows Internet mail to be anonymous.
The Internet wasn't originally designed with sender authentication in mind because no one predicted the need for such a safeguard. "When I took the [Internet] project over at DARPA in '76, the system didn't have a specific authenticator for every message. . . . We were assuming the [user] community was trustable. Now we know that's not true," says Vint Cerf, senior vice president of technology strategy at MCI, who is widely acknowledged as one of the inventors of the Internet.
Some purists say that adding authentication changes the essence of Internet, which has been lauded for allowing a free flow of communication that transcends economical, geographical and cultural barriers.
But most observers take a more pragmatic view - with so many people using the Internet and so much money to be made exploiting it, some form of accountability was bound to be necessary.
"It's inevitable that when you have this kind of wide deployment [of the Internet] you have to encounter issues like this," says Sanjay Pol, vice president of the anti-spam initiative at Cisco. "It's a shame, but it's also inevitable."
Until spammers can be identified, the only federal law passed to help fight spam remains largely useless. CAN-SPAM, which went into effect Jan. 1, has done little to stop unwanted messages, in part because it requires enforcers to be able to find violators. That is a tricky task on the Internet where senders easily can masquerade as someone they're not and where a large percentage of spam originates from overseas, outside the scope of the law.
“We believe it will take a combination
of advanced technology, industry collaboration, consumer education, effective legislation and targeted enforcement against illegal spammers to significantly reduce and solve the spam and phishing problems.”— GEORGE WEBB, business manager for the anti-spam technology and strategy group at Microsoft
“We've said all along with CAN-SPAM that legislation isn't going to solve the problem all by itself. It's going to take a mix of both [legislation and technology] to adequately solve it.”— MICHAEL GOODMAN, staff attorney, Federal Trade Commission
“We will never completely eliminate [e-mail abuses], but technology can push the economic wall far enough so that it isn't profitable to do this anymore.”— GREG OLSON, founder and chairman, Sendmail
“Technology does have a role [in alleviating abuses], but it's not efficient to solve a problem solely with technology. . . . User education doesn't hurt, but it doesn't always work.”— VINT CERF, senior vice president of technology strategy, MCI
“Legislation is a fundamental part of any country's
anti-spam approach.”— ROBERT SHAW, Internet strategy and policy adviser, ITU
"That's probably been the primary problem [in fighting spam], being able to find the people" sending it, says FTC staff attorney Michael Goodman. "For e-mail without authentication, it's too easy for spammers to violate the law without being detected."
Before creating a "Do Not E-mail" registry, much like the "Do Not Call" list that prevents telemarketers from dialing members' numbers, the FTC will wait for sender authentication to take hold, Goodman says. The agency is hosting a conference next week to examine the different sender authentication proposals and ensure "the whole spectrum of interests are represented, not just the big players," he says.
The goal of CAN-SPAM was not to cut down on the amount of unwanted messages hitting in-boxes, Goodman adds. Instead, its endorsement of the opt-out approach - preventing marketers from sending e-mail to recipients who have asked to cease receiving it - only makes sending spam illegal when marketers violate that agreement. "With opt out, you can say 'I don't want to hear from you,' but the law doesn't have a lot of tools to reduce the volume of spam," Goodman says. "That's where technology has the biggest role to play."
With phishing incidents on the rise, there has been some movement in Congress to address this form of online identity theft. In July, Sen. Patrick Leahy (D-Vt.) introduced the Anti-phishing Act of 2004, designed to make phishing a federal crime that could put offenders away for up to five years. Current law states phishing is a crime only after someone has been defrauded, while Leahy's bill would outlaw attempting to deceive e-mail users.
Of course, federal laws have no effect on spammers and phishers bombarding in-boxes from overseas. In the past few months, international bodies have highlighted the growing problem of international abuse, and a few proposals for action have emerged.
In July the ITU hosted a conference where Internet regulators from 60 countries met to discuss the need for regulation and technology to control e-mail abuse. The result was a call to all governments to pass anti-spam laws - currently only 30 countries have done so - and appoint regulators who specifically deal with unwanted e-mail. With more countries passing anti-spam laws, an international memorandum of understanding could be developed that might lead to cross-border law enforcement. The group realizes that, with a few exceptions, anti-spam laws have not been terribly effective, according to Shaw, and plans to share experiences from different countries to determine what works and what doesn't.
As is to be expected from any international organization, the effects of this initiative won't happen overnight. A report summarizing the working group on spam's recommendations won't be released until November 2005.
In August, the Organization for Economic Cooperation and Development (OECD) established a task force to monitor anti-spam initiatives by its 30 member governments and study related strategies. The study will be conducted over a two-year period before the group suggests best practices and public awareness campaigns.
And last month, the FTC announced its Action Plan on Spam Enforcement, signed with agencies from 15 countries. The plan, which the FTC says builds on similar efforts by the ITU, the OECD and others, calls for the creation of an international working group on spam, as well as increased investigative training and establishing points of contacts for each country to respond quickly to enforcement inquiries.
While e-mail abuses no doubt will get worse before they get better, some people are heartened by the coordination within the industry and among lawmakers and international groups.
"The bottom line is that this is a global problem that affects consumers and business users worldwide, and it is going to take collaboration by everyone - leaders in the technology and other vital industries, governments and even users - to solve this issue," says George Webb, business manager for the anti-spam technology and strategy group at Microsoft. "The solution won't appear overnight, but collectively we are making great strides."