Reader thoughts on spam handling


The recent column by brother Backspin about the mechanics of source verification for dealing with spam generated a lot of feedback that we in the Gearhead secret lab bunker were called on to tackle. First, reader Jason Short wrote to point out, "You state that the average spam message is 30K bytes in size! As someone who is actively writing a spam filtration system and has collected over 2.2 million spam messages for training and testing our system, that number is way high. The average in our database of 2.2 million messages is 3.1K bytes. The average legitimate e-mail is 25.3K bytes."


Hmm. Good points. Let's see, going to the spreadsheet that Backspin offered in "Running the numbers on source verification," and reworking it for the different message type sizes but keeping everything else the same, the bandwidth overhead of using source verification increases from 9% to 30% (download the revised spreadsheet). A significant cost increase, but as it is only 0.04% of the cost of staff productivity, the cost is still trivial.

Short also points out that a significant number of spammers fake the "from:" address, which could result in source verification challenges going to real but incorrect addresses. OK, but a decent source verification implementation would check the routing in the header of the received message to eliminate forged source addresses.

Short's final point is a scenario: "If it is Friday and I [send] you an e-mail and go on a two-week cruise. Your mail [sends] a reply to me to validate. I [don't validate]. Now the mail has expired, and it was time-sensitive. That is not a good solution."

We disagree. If you are sending mail to someone for the first time and it is time-sensitive you'd be wise to check that it arrived. And if it is not the first time, the recipient using source verification should have added you to the whitelist.

That said, anyone who, given the reality of routers breaking down, traffic congestion, lost packets, failed DNS lookups and servers failing or slowing down because the wind in Pasadena is blowing from the west, trusts SMTP-based mail for time-sensitive delivery needs his head examined.
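The checks described above (whitelist first, then comparing the message's routing with its "from:" address before any challenge goes out), as an added example that is not from the column or from any product. The Postfix-style Received layout, the two-label domain comparison, and every name and address in it are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# "from <helo> (<rdns> [<ip>])" as written by a Postfix-style receiver.
# Assumption: Received formats differ between mail servers.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>[^\s\[\]]+)\s+\[[^\]]+\]\)")

def org_domain(host):
    """Last two labels of a host name (naive: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(raw_message, whitelist):
    """Return 'deliver', 'challenge' or 'hold' for one inbound message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in whitelist:
        return "deliver"            # known correspondent, no challenge needed
    if "@" not in sender:
        return "hold"               # no usable address to challenge
    received = msg.get_all("Received") or []
    # Only the topmost Received line was written by our own server; the
    # ones below it came from the sending side and can be forged.
    top = " ".join(received[0].split()) if received else ""
    match = RECEIVED_RE.search(top)
    if not match or match.group("rdns") == "unknown":
        return "hold"
    if org_domain(match.group("rdns")) == org_domain(sender.split("@", 1)[1]):
        return "challenge"          # routing agrees with the From: address
    return "hold"                   # From: looks forged, so send no challenge

def sample(rdns, ip, from_addr):
    """Build a constructed test message (not real traffic)."""
    return (f"Received: from {rdns} ({rdns} [{ip}])\n"
            f"\tby mx.example.org with ESMTP; Fri, 1 Aug 2003 10:00:00 -0700\n"
            f"From: {from_addr}\nTo: bob@example.org\nSubject: test\n\nbody\n")

WHITELIST = {"carol@example.com"}
if __name__ == "__main__":
    for args in [("mail.example.net", "192.0.2.10", "alice@example.net"),
                 ("dsl7.example.com", "198.51.100.7", "victim@example.net"),
                 ("mail.example.com", "192.0.2.20", "carol@example.com")]:
        print(args[2], "->", classify(sample(*args), WHITELIST))
```

A held message is kept for review and no challenge is sent, so a forged "from:" address does not turn the verifier into a source of mail to a real but incorrect address.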

Another reader who shall remain nameless wrote that spam is managed easily using Outlook filters and that he thought Backspin was just fanning the flames in writing about what he considered to be a non-problem. This was amusing because his company uses spam (what he chose to call unsolicited commercial e-mail) to sell computer disk drives and other computer components!

Ignoring the issue that, as he works for a company that generates spam, he is responsible for fueling the fire, the fact is that naïve users would find it hard to configure and maintain Outlook rules (even if we can ignore the potential legal liability involved with the spam content they have to look at so that they can make decisions about what to filter). Besides that, not everyone uses Outlook!

Another issue that a number of readers raised was whether it wouldn't be easier to come up with a system to charge people for sending e-mail. The theory goes that, for the average user sending 20 or 30 messages at, say, $.01 each, a charge of something less than $2 per week would be trivial. On the other hand, for spammers sending 20,000 messages every day a bill for $1,000 per week would stop most of them.

While that might sound good, the whole idea is impractical. First, all ISPs would have to enforce the system and do so for all mail servers on their networks whether they were in charge of them or not. This would be hard to do.

Then there are the billing issues: The cost of billing systems to handle the millions of transactions and send out bills and the office staff to process payments would make the cost per message far greater than $.01. And no ISP wants to incur billing costs that don't result in profit. Finally, even if you could overcome all of those problems, we'd like to know how the system would be enforced outside of the U.S. It just ain't workable.

No, the only strategy that will work today is to use sophisticated anti-spam products.

So next week: the beauty of Bayesian filters. Send to

Copyright © 2003 IDG Communications, Inc.
