Posted on 27-6-2003
Spambusters
by Jack Schofield, June 26, 2003, The Guardian
It's time to stop spam. The percentage of spam has grown from
7% of all email in 2001 to 45% now, and in another year or two,
it could be high enough to make email unusable. Perhaps we can
never stop spam completely, but we must stem the flood before
it's too late.
There are signs of progress. Microsoft has just followed AOL's
lead in launching 15 lawsuits against spammers, including two
in the UK. The European Union has already taken the most significant
decision: from October 31, users must "opt in" to
receive unsolicited email adverts, rather than "opt out"
of them.
The US government is considering several anti-spam bills, and
some of them will allow spammers to be jailed. The 30 countries
in the OECD (Organisation for Economic Co-operation and
Development) have just agreed
a set of guidelines "for international co-operation to
protect consumers against the growing problem of cross-border
fraud, particularly on the internet".
The Internet Engineering Task Force (IETF) has set up an Anti-Spam
Research Group. More and more internet service providers (ISPs)
- including BT Openworld and MSN - and mail users are installing
software to block spams. And so on.
In the UK, the All Party Parliamentary Internet Group (APIG)
is hosting a spam summit in Westminster on July 1, and the
House of Commons will hold its first public hearing on spam
on July 3. The British government has always seemed confused
about the opt in/opt out issue, so it is time to make sure it's
got the message.
Malcolm Hutty, regulation officer for Linx, the London Internet
Exchange, says: "Opt in/opt out matters very much indeed.
It should be opt in: we don't like opt out at all. Unless you
have opted in to receive something, it's spam."
Does government action matter? Linx connects about 140 British
ISPs to one another and to the internet, and its recommended
practices are much tougher than any regulations the government
will adopt. However, Hutty welcomes them.
"The regulations are going to be important because they
will allow someone to bring a prosecution against spammers,
including the ones inside the UK who are using machines outside
the UK. We'd very much like the information commissioner to
go after them with a big stick."
British ISPs act against spammers by cancelling their accounts.
However, Hutty says this isn't much help against the "persistent
bad guys, because they just set up a succession of accounts".
But it can adversely affect ordinary users because, as Hutty
says, "one of the major methods of sending spam is by hacking
into other people's machines".
Jean-Philippe Courtois, chief executive of Microsoft in Europe,
the Middle East and Africa, also supports tough penalties. "You
need to make the pain of sending spam high enough to make them
think twice before spamming anyone. They'll go into other businesses,
which also won't be so nice, but it will reduce the spam problem."
Use common sense, he says. Don't post your address on the internet,
use an ISP that offers spam filtering, only deal with trusted
vendors, don't respond to spam and don't open emails from people
you don't know.
A lot of spam seems to come from free services such as Hotmail,
but Courtois says Microsoft is trying to reduce it. It now prevents
Hotmail users from sending more than 100 emails a day, and -
like PayPal and Yahoo! - is adopting Human Interactive Proofs
(HIPs). These include a security challenge that humans can do
easily but machines cannot, such as read the text of a distorted
image. "That makes sure real people are creating accounts,
not machines running scripts," says Courtois.
While all of these approaches are useful, there are two fundamental
problems. The first is that the internet's email system, SMTP
(Simple Mail Transport Protocol), is badly designed. The second
is that HTML - the language intended for marking up web pages
- is a terrible way to do "rich text" email including
different type faces and illustrations.
SMTP and HTML are simple, obvious, cheap, open and standard,
which is why they have been hugely successful. They are also
hopelessly insecure, if not positively dangerous. They might
have been fine for a trusted network of academic researchers,
but if they had been offered commercially, they would have been
laughed at.
Scott Welch, co-founder of the company that developed the FirstClass
email system, which is now owned by Open Text, says: "SMTP
was never designed to be a robust messaging system: it will
accept anything.
"It assumes that the sender identifies themselves correctly,
so I can send you email from george.bush@whitehouse.gov and
there is nothing you can do, as the recipient, to verify that
it was not sent by George Bush at the White House. It's not
a Band-Aid problem: that's the way SMTP is."
The lack of checking means you don't even need an email account
to send millions of spams, you just have to find a misconfigured
mail server - one with an "open relay" (see www.ordb.org).
The problem grew much worse when the web browser became the
front end to the internet, and Netscape and Microsoft added
email to the browser.
Let's suppose an HTML email arrives in your mailbox. HTML can
contain links to pictures, which can be fetched from a remote
web server. That server now knows that your mailbox received
the email, when you opened it and which kinds of spam email
you are most likely to open. HTML email can also contain "web
bugs" or beacons, which collect and pass on information, and
scripts that can,
in insecure systems, read your address book and perform other
evil actions, just like a virus.
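
The remote fetches and scripts described above can be listed before a message is ever displayed. The following Python code is an added example, not part of the original article: it reports what the HTML part of a message would load or run, and returns the plain-text alternative a mail client can show instead. The tag list, the 0/1-pixel "web bug" heuristic, all names and the sample message are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags and attributes that make a mail client fetch from a remote server.
FETCHING_TAGS = {"img", "iframe", "link", "embed", "body", "table", "td"}
REMOTE_ATTRS = {"src", "background", "href"}

class RemoteContentFinder(HTMLParser):
    """Collects remote fetches and scripts found in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.findings.append(("script", a.get("src", "inline")))
        elif tag in FETCHING_TAGS:
            for name in sorted(REMOTE_ATTRS & a.keys()):
                url = a[name].strip()
                if url.lower().startswith(("http://", "https://", "//")):
                    # A 0- or 1-pixel image is the classic "web bug".
                    tiny = tag == "img" and {a.get("width"), a.get("height")} <= {"0", "1"}
                    self.findings.append(("beacon" if tiny else "remote-" + tag, url))

def inspect_message(raw: bytes):
    """Return (findings, plain_text): what the HTML part would load when
    displayed, and the text/plain alternative a client can show instead."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = RemoteContentFinder()
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        finder.feed(html.get_content())
    plain = msg.get_body(preferencelist=("plain",))
    return finder.findings, (plain.get_content() if plain is not None else None)

def sample_message() -> bytes:
    """Constructed sample: a bulk mail with a tracking pixel, a banner and a script."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "offers@example.com", "user@example.org", "Constructed sample"
    m.set_content("Special offer inside.")
    m.add_alternative(
        '<html><body><p>Special offer</p>'
        '<img src="http://tracker.example/o.gif?id=u123" width="1" height="1">'
        '<img src="http://cdn.example/banner.jpg" width="600" height="80">'
        '<script>var x = 1;</script></body></html>', subtype="html")
    return m.as_bytes()
```

Calling `inspect_message(sample_message())` returns the three findings for the constructed message together with its plain-text part; a message with no HTML part returns an empty findings list.
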
"The clever spammers put code in their messages that send
out a beacon, so you can guarantee that if you run Outlook Express,
you are going to get more spam," says Welch. If the spammers
are not that clever, they can use Vertical Response's iBuilder
or Ad-Tracking or a similar program. Welch points to three
problems with Outlook Express - all the result of what he
regards as bad choices.
"The first was that they chose to display messages without
any input from the user, in the Preview Pane," he says.
"The second was to use, as the engine for the display,
a scriptable web browser. The third was to store your address
book, unencrypted, on the same machine."
"A spam is a message, not something that is inherently
evil," says Hutty. "Messaging is good. The problem
with spam is that one person sends it to a million people regardless
of whether they want it, and I don't think layers and layers
of authentication are going to stop that."
The IETF research group is working on a draft Designated Senders
Protocol "to identify hosts authorized to send SMTP traffic"
and, ironically, so are the direct marketers whose email messages
are being filtered out as spam. Under Project Lumos, the American
Email Service Provider Coalition (ESPC) is planning to set up
a registry to certify the people who send legitimate bulk email.
They will be required to provide secure proof of their identity
in the SMTP header. Jim Nail, a senior analyst at Forrester
Research in Boston, agrees "that's the direction we need
to go".
If the mail most at risk - circulars, newsletters, special offers,
etc - had its own authenticated "passport", while
all mail that falsifies its origin was filtered out, most spam
could be eliminated. "There will always be some spam,"
says Nail, "but two to three years out, I think the volume
will diminish. I'm an optimist."
How to stop spam
· All governments must make spam illegal, set tough penalties,
and actively enforce the law. ISPs should be required to block
all messages from internet domains that do not enact and enforce
acceptable anti-spam laws, including whole countries such as
China and South Korea.
· All ISPs must offer users the option of a spam-filtered
email account, and must, within three hours, cancel and block
the accounts of any customers who either send spam or run servers
with "open relays" that transmit spam.
· All email must correctly identify its origin, and all
bulk email must also provide a way for users to unsubscribe
from future messages without opening the email. Bulk mail can
only be sent to customers who have "opted in" to receive
it.
· All mail software must send plain text as well as
HTML/"rich text". It must also enable users to prevent
HTML from being sent, and it must allow recipients the option
to turn off the HTML display, so they can protect themselves
from "web bugs" and beacons.