
Spam deluge leads to search for silver bullet

Feb 03, 2003

Overwhelmed and annoyed, e-mail users worldwide are uniting to stamp out the increased flow of spam targeting inboxes and inundating computer networks with dubious business offers, miracle drug claims and increasingly naughty and offensive propositions.

“E-mail users are deluged, upset and angry about spam,” said Alex Eckelberry, president of Sunbelt Software, which makes the iHateSpam filtering software.

But spam fighters appear to have a tough fight ahead of them. According to a recent report by e-mail security firm MessageLabs, spam is set to outnumber legitimate e-mail this year. In a review of its e-mail threats, MessageLabs said that spam currently accounts for 30% of all e-mail and it is expected to constitute 50% of e-mail by July 2003.

What’s more, Jupiter Research, a division of Jupiter Media, reported that since 2001 the amount of spam the average e-mail user receives a day has increased from 3.7 to 6.2 messages. That number is due to increase, Jupiter said, and by 2007 e-mail users will receive more than 3,900 spam messages a year.

While these reports are enough to make even hard-bitten e-mail lovers consider switching back to snail mail, other experts say that spam inundation fears are overblown and that highly effective spam fighting weapons are at hand.

So far there has been no consensus, however, on the best methods for fighting spam. While some look to a multitiered approach, such as filtering at the Internet service provider and client, with antispam legislation as another safeguard, others believe that one finely honed tool could break the spam business model and restore user inboxes to their previously uncluttered states.

After all, expecting users to opt-in or opt-out of mail lists, or actually track down and sue spammers is too complicated, they say.

A group of programmers and researchers who gathered at a spam conference at the Massachusetts Institute of Technology (MIT) in Cambridge last month were looking for the silver bullet, setting their sights on creating a highly effective spam filter.

“Traditionally, people have thought that spam filtering doesn’t really work. That changed in the last year,” said Paul Graham, organizer of the MIT Spam Conference and an emerging authority on antispam tools. Graham, who lives in Cambridge, wrote “A Plan for Spam” last August.

He and other spam experts are pinning their hopes on Bayesian filters, which scan the entire content of an e-mail, including header and font information, and classify whether a piece of mail is spam.
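An added example, not code from Graham, Yerazunis or any product named in the article: a naive Bayes scorer that learns token statistics from labelled mail and scores a new message from everything in it, header fields and HTML font markup included. The training messages, the names and the add-one smoothing are constructed assumptions.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[A-Za-z0-9$'!-]+")

def tokens(raw):
    """Tokenize headers and body; header tokens carry the header name as a prefix."""
    head, _, body = raw.partition("\n\n")
    found = set()
    for line in head.splitlines():
        name, _, value = line.partition(":")
        found.update(f"{name.lower()}*{t.lower()}" for t in TOKEN.findall(value))
    found.update(t.lower() for t in TOKEN.findall(body))  # HTML such as "font" counts too
    return found

class BayesFilter:
    def __init__(self, training):
        self.seen = {"spam": Counter(), "ham": Counter()}  # messages containing each token
        self.total = {"spam": 0, "ham": 0}                 # messages per class
        for label, raw in training:
            self.total[label] += 1
            self.seen[label].update(tokens(raw))

    def spam_probability(self, raw):
        # Sum the log-likelihood ratios of the tokens present (add-one smoothing).
        log_odds = math.log((self.total["spam"] + 1) / (self.total["ham"] + 1))
        for t in tokens(raw):
            p_spam = (self.seen["spam"][t] + 1) / (self.total["spam"] + 2)
            p_ham = (self.seen["ham"][t] + 1) / (self.total["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-700.0, min(700.0, log_odds))  # keep exp() in range
        return 1 / (1 + math.exp(-log_odds))

# Constructed messages for illustration (not real mail).
TRAINING = [
    ("spam", "From: deals@bulk-offers.example\nSubject: Miracle pills FREE\n\n<font color=red>Miracle drug! Free offer, click now</font>"),
    ("spam", "From: promo@bulk-offers.example\nSubject: Make money fast\n\n<font size=7>Free money! Click now</font>"),
    ("ham", "From: alice@corp.example\nSubject: Meeting agenda\n\nAttached is the agenda for the Monday meeting. Thanks"),
    ("ham", "From: bob@corp.example\nSubject: Lunch Friday\n\nAre you free for lunch on Friday? Thanks"),
]
SAMPLE_SPAM = "From: win@bulk-offers.example\nSubject: Free miracle offer\n\n<font color=red>Click now for free pills</font>"
SAMPLE_HAM = "From: carol@corp.example\nSubject: Agenda for Friday\n\nThanks for the agenda, see you at the meeting on Friday"

FILTER = BayesFilter(TRAINING)
if __name__ == "__main__":
    print("spam sample:", round(FILTER.spam_probability(SAMPLE_SPAM), 4))
    print("ham sample: ", round(FILTER.spam_probability(SAMPLE_HAM), 4))
```

The word "free" appears in both classes here, so it contributes only weak evidence; the sender domain and font markup carry more weight, which is why scanning headers and formatting matters.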

The goal is to make these filters so effective that the response rate on spam becomes abysmally low, and spamming becomes a financially prohibitive venture.

“Make no mistake about it – spam is a business,” research scientist William Yerazunis told attendees at the MIT conference.

Yerazunis, who works at the Mitsubishi Electric Research Laboratories in Cambridge, is hoping to bankrupt that business by proliferating a Bayesian filter based on a programming language he wrote called CRM114. He claims the filter he created using CRM114 can block 99.9% of spam with a similar rate for avoiding false positives.

False positives, or wanted e-mail incorrectly identified as spam, are the key metric when it comes to evaluating antispam tools because the personal cost of missing correspondence from friends, family or business associates is high.

And as spam conference speaker Jason Rennie pointed out, dealing with spam is not simple, in good part because the definition of spam is personal.

Rennie, an MIT graduate student in computer science working on spam filters, underscored the importance of being able to personalize spam filters to some degree, by allowing the end-user to dictate what they consider to be spam. A lot of filter makers, and ISPs that offer spam-fighting tools, are taking pains to ensure their clients have as much say as possible about what winds up in their inboxes.

Although stopping the onslaught of spam is crucial to ISPs’ business, given the bandwidth costs of delivering all that unwanted mail over their networks, it is also essential to ISPs not to inadvertently block legitimate e-mail through over-aggressive filtering.

Jim Anderson, vice president of product development for EarthLink, said that the spam problem is a major issue at his company.

According to Anderson, EarthLink blocked and deleted 250 million pieces of spam last November alone, and the company is still hearing from customers that they want more controls.

“But the public policy aspect of the spam challenge is that you don’t have unintended consequences,” he said.

High on the list of unintended consequences for ISPs is losing customers who feel that not all their legitimate mail is getting through.

For Atlanta-based EarthLink, the solution was offering customers a filter, dubbed Spaminator, that blocks 70% to 80% of spam from user inboxes, and sends them to a “gray folder” that users can peruse to make sure none of their wanted mail has been trapped.

Other e-mail service providers offer the same kind of service. Yahoo, for example, employs its proprietary SpamGuard filter which sends spam to a “bulk mail” folder in user inboxes so customers can still dictate what they think is spam.

In addition to offering SpamGuard to its free e-mail customers, Yahoo offers premium mail customers even more stringent filtering tools. Additionally, the company recently added a “this is spam” link within e-mail messages, allowing users to report an offending missive to Yahoo for future blocking purposes.

“Yahoo has taken a holistic approach to combating spam,” said Lisa Pollock, director of Yahoo’s Messaging Products.

The multifaceted approach seems to be working. Yahoo caught five times more spam in November 2002 than it did in January of that year, according to Pollock.

Although the growing onslaught of spam has led some to advocate dire measures such as using white lists, where users only accept mail from senders stored in their address books, this measure seems extreme. Critics of white lists point out that a long-lost friend who digs up someone’s e-mail address would never get their well-wishing message through, nor would associates who recently changed jobs, or Grandma, who just managed to get online.

Even black lists, which some ISPs use to block mail being sent from known spammers, are starting to lose their following because they need to be constantly updated and changed.

While Yahoo’s Pollock concedes that the growth of spam is a problem, she doesn’t believe extreme measures are in order yet.

In fact, Pollock said that part of the apparent spam epidemic could be chalked up to the growth in e-mail users, and additionally, she would like to believe that her company is trapping more spam because its filters are more effective.

But it appears that no matter how much fine-tuning ISPs do to their spam-fighting tools, the danger of blocking wanted mail forces them to keep the gates open just wide enough that a certain amount of spam still gets in.

That’s where other methods for fighting spam come into play, such as client-side filters.

IHateSpam’s Eckelberry said that since the company launched its consumer filter last July, it has experienced dramatic growth.

“Our product has gotten good word-of-mouth,” he said. “The amount of rage and anger out there over spam is amazing. People are really fed up.”

Spam is becoming increasingly risque and offensive, which is leading more people to take action against it, Eckelberry said. But although users have been driven to fight a client-side battle against spam, he said he thinks that the war will be on the server side, before users have to deal with it.

Filters, no matter where they are located, aren’t the only means being used to eliminate spam.

Many ISPs, like EarthLink, have a group dedicated to tracking down spammers. In fact, EarthLink won a $25 million settlement against a spammer last year, Anderson said.

But such big wins against spammers are rare, and furthermore, some say that current legislation designed to protect consumers from marketing fraud is not sufficient to deal with the problem.

Such is the view of Jason Catlett, president of privacy advocacy group Junkbusters in Green Brook, New Jersey.

“What I’ve been advocating is legislation that gives people who have been spammed the right to sue the spammer for a small amount of money — $50 to $500,” Catlett said.

“User filtering is too late; it’s a Band-Aid that doesn’t address the problem,” he added.

Catlett believes that without legislation hanging above spammers’ heads like a sword of Damocles, e-mail could come to a tipping point where there is so much spam it outnumbers legitimate e-mail, just as Jupiter predicts.

Fighting spammers on a technical scale is not enough, he said, because they are quite sophisticated and evasive in their methods.

Catlett isn’t the only one proposing new legislation targeting spam. A number of antispam proposals have been introduced in Congress, and at least two pieces of legislation have been approved at the committee level in both the House and the Senate, but neither has received full congressional approval.

Both the Controlling the Assault of Non-Solicited Pornography and Marketing Act, otherwise known as “CAN SPAM” (S.630), and the Unsolicited Commercial Electronic E-mail Act (H.R. 718) have languished since receiving committee approval.

The legislative bottleneck has persisted despite the fact that the Direct Marketers Association (DMA) stated in October 2001 that it would support federal antispam legislation. The DMA’s support is not so surprising, however, given that its 4,700 members are also being threatened by the cascade of spam.

“Spam is a huge concern for us because consumers are just erasing everything. They don’t know the difference between spam and legitimate marketing,” said Christina Duffney, a spokeswoman for the DMA. Spam’s impediment to legitimate marketing is especially concerning in a down economy, she added, when many DMA members are turning to e-mail because it is less expensive.

Given the lack of federal legislation, the DMA set out its own online marketing guidelines, which include listing marketers’ information practices on their Web sites, giving consumers the option of opting-out of receiving solicitations, and including a physical address where consumers can direct their concerns.

While the group fully supports opt-out rules, the opt-in approach, which would only allow marketers to contact consumers if they have given their permission to be contacted, has been avoided.

“The problem with opt-in is that a lot of times consumers don’t know what the offer is, and how do you know you’re interested in something if you don’t know what it is?” Duffney said.

There is, however, one thing e-mail users do know that they want, and that’s no more spam. Given their frustration, the lobbying for antispam legislation has continued.

But while a number of other proposals, such as implementing a labeling requirement for unsolicited commercial e-mail, are being kicked around, many experts believe that legislation is not the silver bullet. The problem is not only that spam is different for everyone, but also that the nature of spam is constantly changing as spammers work to stay one step ahead of their pursuers.

In fact, a group of Internet experts attending a spam workshop hosted by The Global Internet Project earlier this month in Honolulu outlined their case for taking a multifaceted approach to tackling spam. The group, which included senior executives from major technology and Internet firms, endorsed the adoption of new spam-fighting technologies, end-user education, and rigid enforcement of fraud laws currently on the books.

They warned against looking to new legislation to fight the problem, however, saying that current laws against fraudulent representations already exist, and citizens need to be better educated on how to protect themselves.

As sensible as this multitiered approach seems, dreams of a silver bullet have not died. That’s why programmers such as Graham and Yerazunis are working to pull the spam weed out by its roots by destroying its business model.

Yerazunis figures that spam filters have to be able to rout out at least 99.5% to make the cost of sending unsolicited commercial e-mail the same as that of sending regular bulk mail.

And while the mail filter Yerazunis created is not fit for the mass market, he hopes one based on his programming language will come to the rescue soon.

Even if e-mail users are armed with powerful filters, the main ISPs must jump on board to significantly reduce the response to spam. This will most likely happen if consumers keep up the pressure to find a solution to the spam problem. After all, it behooves the ISPs to invest in spam-fighting technologies not just to serve their customers, but also to keep their own costs in check.

Because, as Graham pointed out, spam is a business and the hassle e-mail users and ISPs experience is just collateral damage.

“This is a war we have to win,” he said.