• United States
News Editor

A good idea, well executed, but . . .

Oct 14, 20024 mins
Enterprise ApplicationsMalwareMessaging Apps

The idea made a lot of sense in 1998 when Internet Mail Consortium Director Paul Hoffman first explained it to me.

The impetus was that spammers were regularly besmirching the good names of legitimate businesses by funneling their junk through open SMTP relays on corporate e-mail servers, thus creating the impression that the owner of a hijacked server was the sender of the spam. Cleaning up the resultant mess could be time-consuming and costly for the victim, especially in terms of public relations. Moreover, the easy availability of cost-free, risk-free delivery was thought to be fueling what even then was considered an explosive growth in spam.

One defense, as espoused by Hoffman and others in the Internet mail community, was simple enough: Close off SMTP relays to all but a network’s known users, and spam would be reduced because spammers could no longer hide their true identities behind the servers of their unwitting hosts. Forced into the open – or at least to fend for themselves – they would become easier to shut down, and, it was hoped, fewer in numbers.

The good news is that e-mail managers heard the message and bought the reasoning. Hoffman’s first survey of SMTP relay practices in 1998 showed that slightly more than half were flapping wide open, meaning spammers were practically tripping over potential launch pads. The survey was conducted roughly once a year and showed a steady decrease in the number of open relays. The latest survey, in August, revealed that only a tiny fraction of relays – fewer than 1% – remain open.

“The social engineering that we did to tell people to shut down their relays absolutely worked,” Hoffman says.

The bad news, as you have likely figured out, is that none of this has done anything to reduce spam.

“Even with essentially an almost complete closing off of relays, spam continues to get significantly worse,” Hoffman says. “I thought we would sort of flatten it out, or that this could make it harder for them . . . and it actually hasn’t made it harder for them at all.”

Which is discouraging enough, but the news gets worse: Not only did closing those relays do nothing to stem the flow of spam, it also made sending e-mail more difficult for some corporate road warriors.

“This is the Internet – things change, so you’ve got to be flexible,” Hoffman says. “This ‘never have an open relay’ [advice] turned out to be quite inflexible – that is, it prevents people from sending stuff – and it didn’t stop what we wanted it to stop.”

Does that mean e-mail managers should reverse course?

“I’m not saying that people should go ahead and open up their relays, because they will get nailed by spammers,” Hoffman says. “The spammers really don’t care at this point; they are happy to saturate your Internet connection if they can. So it’s not smart to open up your relay, but if you need to – if there’s a business reason to do it, you should. The smarter thing to do is authenticated SMTP, but a lot of people can’t figure that out.”

So if closing the relays didn’t produce the desired results, which of the myriad antispam schemes floating about today might actually do the trick?

Hoffman’s opinion: None show much promise. Oh, he does believe that a well-crafted, vigorously enforced federal antispam law would help. But the chances of that happening are no better than the likelihood of all the spammers simply seeing the error of their ways and quitting.

What? You want a happy ending? . . . Go rent a movie.

The in-box here is always open. The address is