[Note from M. E. Kabay: My good friend and colleague Stephen Cobb sent me this good news about progress in the fight against spam. Introducing delays into network responses is a well-established approach to interfering with automated attacks; for example, automated dictionary attacks on passwords via logon interactions can be stymied by a two- or three-minute delay every few wrong-guesses. I’m glad to see someone implementing this technique to deal with the wretched people who are abusing the ‘Net with their floods of junk.

As a matter of full disclosure, I have no commercial relation whatsoever with the vendor named in the following article. Please communicate directly with Stephen Cobb for all commentary about this article.]

Networks can use time to stop spam - and I mean this quite literally. People may argue about the definition of unsolicited bulk e-mail or spam, but nobody disputes the fact that it continues to grow in volume, month after month, despite lawsuits and legislation (spam is already illegal in 30 states and, since most spam is commercially deceptive, much of it is a violation of the Federal Trade Commission Act).

Nobody disputes the fact that spam places network administrators between a rock and hard place, where the rock is user complaints and the hard place is mail servers that are groaning and, all too often, collapsing, under the weight of expanding spam traffic. Security officers are being challenged as well, by spam’s threat to uptime and availability, and its growing popularity as a distribution mechanism for malicious code and fraudulent scams.

Unfortunately, but perhaps understandably, the most common choice for antispam defense is filtering. This assumes spam is akin to malicious code, something you can readily identify and quarantine. But spam is the Achilles of e-mail threats, at once more powerful and yet more vulnerable. If you doubt the power of spam, talk to your local ISP. When a spammer targets your domain you can be staring down the barrel of a spam cannon firing 6 million messages an hour.

Some spam will always beat filters. This is because spam shares so much digital DNA with legitimate high-volume e-mail - like this newsletter or my Discover card payment reminder - as to be practically indistinguishable. Ratchet up the filters and you lose wanted e-mail. As for blacklisting as a spam defense, that is now fraught with problems too numerous to mention.

M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.