Posted on 27-6-2003 Spambusters
by Jack Schofield, June 26, 2003, The Guardian
 
It's time to stop spam. The percentage of spam has grown from 7% of all email in 2001 to 45% now, and in another year or two, it could be high enough to make email unusable. Perhaps we can never stop spam completely, but we must stem the flood before it's too late.
 
There are signs of progress. Microsoft has just followed AOL's lead in launching 15 lawsuits against spammers, including two in the UK. The European Union has already taken the most significant decision: from October 31, users must "opt in" to receive unsolicited email adverts, rather than "opt out" of them.
 
The US government is considering several anti-spam bills, and some of them will allow spammers to be jailed. The 30 countries in the OECD (Organisation for Economic Co-operation and Development) have just agreed a set of guidelines "for international co-operation to protect consumers against the growing problem of cross-border fraud, particularly on the internet".
 
The Internet Engineering Task Force (IETF) has set up an Anti-Spam Research Group. More and more internet service providers (ISPs) - including BT Openworld and MSN - and mail users are installing software to block spams. And so on.
 
In the UK, the All Party Parliamentary Internet Group (APIG) is hosting a spam summit in Westminster on July 1, and the House of Commons will hold its first public hearing on spam on July 3. The British government has always seemed confused about the opt in/opt out issue, so it is time to make sure it's got the message.
 
Malcolm Hutty, regulation officer for Linx, the London Internet Exchange, says: "Opt in/opt out matters very much indeed. It should be opt in: we don't like opt out at all. Unless you have opted in to receive something, it's spam."
 
Does government action matter? Linx connects about 140 British ISPs to one another and to the internet, and its recommended practices are much tougher than any regulations the government will adopt. However, Hutty welcomes them.
 
"The regulations are going to be important because they will allow someone to bring a prosecution against spammers, including the ones inside the UK who are using machines outside the UK. We'd very much like the information commissioner to go after them with a big stick."
 
British ISPs act against spammers by cancelling their accounts. However, Hutty says this isn't much help against the "persistent bad guys, because they just set up a succession of accounts". But it can adversely affect ordinary users because, as Hutty says, "one of the major methods of sending spam is by hacking into other people's machines".
 
Jean-Philippe Courtois, chief executive of Microsoft in Europe, the Middle East and Africa, also supports tough penalties. "You need to make the pain of sending spam high enough to make them think twice before spamming anyone. They'll go into other businesses, which also won't be so nice, but it will reduce the spam problem."
 
Use common sense, he says. Don't post your address on the internet, use an ISP that offers spam filtering, only deal with trusted vendors, don't respond to spam and don't open emails from people you don't know.
 
A lot of spam seems to come from free services such as Hotmail, but Courtois says Microsoft is trying to reduce it. It now prevents Hotmail users from sending more than 100 emails a day, and - like PayPal and Yahoo! - is adopting Human Interactive Proofs (HIPs). These include a security challenge that humans can do easily but machines cannot, such as read the text of a distorted image. "That makes sure real people are creating accounts, not machines running scripts," says Courtois.
 
While all of these approaches are useful, there are two fundamental problems. The first is that the internet's email system, SMTP (Simple Mail Transfer Protocol), is badly designed. The second is that HTML - the language intended for marking up web pages - is a terrible way to do "rich text" email including different typefaces and illustrations.
 
SMTP and HTML are simple, obvious, cheap, open and standard, which is why they have been hugely successful. They are also hopelessly insecure, if not positively dangerous. They might have been fine for a trusted network of academic researchers, but if they had been offered commercially, they would have been laughed at.
 
Scott Welch, co-founder of the company that developed the FirstClass email system, which is now owned by Open Text, says: "SMTP was never designed to be a robust messaging system: it will accept anything.
 
"It assumes that the sender identifies themselves correctly, so I can send you email from george.bush@whitehouse.gov and there is nothing you can do, as the recipient, to verify that it was not sent by George Bush at the White House. It's not a Band-Aid problem: that's the way SMTP is."
 
The lack of checking means you don't even need an email account to send millions of spams, you just have to find a misconfigured mail server - one with an "open relay" (see www.ordb.org).
 
The problem grew much worse when the web browser became the front end to the internet, and Netscape and Microsoft added email to the browser.
 
Let's suppose an HTML email arrives in your mailbox. HTML can contain links to pictures, which can be fetched from a remote web server. That server now knows that your mailbox received the email, when you opened it and which kinds of spam email you are most likely to open. HTML email can also contain "web bugs" or "beacons", which collect and pass on information, and scripts that can, in insecure systems, read your address book and perform other evil actions, just like a virus.
 
"The clever spammers put code in their messages that send out a beacon, so you can guarantee that if you run Outlook Express, you are going to get more spam," says Welch. If the spammers are not that clever, they can use Vertical Response's iBuilder or Ad-Tracking or a similar program. Welch points to three problems with Outlook Express - all the result of what he regards as bad choices.
 
"The first was that they chose to display messages without any input from the user, in the Preview Pane," he says. "The second was to use, as the engine for the display, a scriptable web browser. The third was to store your address book, unencrypted, on the same machine."
 
"A spam is a message, not something that is inherently evil," says Hutty. "Messaging is good. The problem with spam is that one person sends it to a million people regardless of whether they want it, and I don't think layers and layers of authentication are going to stop that."
 
The IETF research group is working on a draft Designated Senders Protocol "to identify hosts authorized to send SMTP traffic" and, ironically, so are the direct marketers whose email messages are being filtered out as spam. Under Project Lumos, the American Email Service Provider Coalition (ESPC) is planning to set up a registry to certify the people who send legitimate bulk email. They will be required to provide secure proof of their identity in the SMTP header. Jim Nail, a senior analyst at Forrester Research in Boston, agrees "that's the direction we need to go".
 
If the mail most at risk - circulars, newsletters, special offers, etc - had its own authenticated "passport", while all mail that falsifies its origin was filtered out, most spam could be eliminated. "There will always be some spam," says Nail, "but two to three years out, I think the volume will diminish. I'm an optimist."
 
How to stop spam
 
· All governments must make spam illegal, set tough penalties, and actively enforce the law. ISPs should be required to block all messages from internet domains that do not enact and enforce acceptable anti-spam laws, including whole countries such as China and South Korea.
 
· All ISPs must offer users the option of a spam-filtered email account, and must, within three hours, cancel and block the accounts of any customers who either send spam or run servers with "open relays" that transmit spam.
 
· All email must correctly identify its origin, and all bulk email must also provide a way for users to unsubscribe from future messages without opening the email. Bulk mail can only be sent to customers who have "opted in" to receive it.
 
· All mail software must send plain text as well as HTML/"rich text". It must also enable users to prevent HTML from being sent, and it must allow recipients the option to turn off the HTML display, so they can protect themselves from "web bugs" and beacons.
 