MIT Technology Review


I went through my computer’s log files and looked in detail at those 1,699 rejected messages. Many of the e-mail addresses were completely made up by the spammers: names like donna, jim, john, and others that spammers guessed in the hopes of finding a lucky match. This is what spamfighters call a “dictionary attack.” A little more investigation and I started finding bugs in the software that the spammers were using to send out their e-mail. For instance, one spammer tried over and over to deliver a message to the same address: “nekpdqs.” There were 30 individual attempts to deliver to this address between 1:40 and 1:42 a.m. Each of these attempts had the sender of card2@oshirase.biz. When I clicked through to www.oshirase.biz, I saw some Japanese characters and a “403 Forbidden” error; the spam originated somewhere in Japan.
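The kind of log review described above can be automated. The following is an added example, not code from the article: it scans rejected-recipient log lines for the two patterns mentioned, one sender retrying the same unknown address in a short window and one sender guessing many different names. The log format, the sample lines, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real mail server's):
#   <ISO timestamp> reject from=<sender> to=<recipient> reason=user-unknown
LINE_RE = re.compile(
    r"^(?P<ts>\S+) reject from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> reason=user-unknown$")

def parse_rejects(lines):
    """Yield (time, sender, recipient local part) for each reject line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["sender"].lower(),
                   m["rcpt"].split("@")[0].lower())

def analyze(lines, window=timedelta(minutes=2), retry_min=5, guess_min=3):
    """Return (retry_loops, name_guessers) for unknown-user rejects.

    retry_loops: {(sender, local_part): n}, n >= retry_min hits in `window`.
    name_guessers: {sender: local parts}, >= guess_min distinct guesses.
    """
    attempts, guesses = defaultdict(list), defaultdict(set)
    for ts, sender, local in parse_rejects(lines):
        attempts[(sender, local)].append(ts)
        guesses[sender].add(local)
    retry_loops = {}
    for key, stamps in attempts.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):  # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= retry_min:
            retry_loops[key] = best
    name_guessers = {s: sorted(v) for s, v in guesses.items()
                     if len(v) >= guess_min}
    return retry_loops, name_guessers

# Constructed sample: one sender stuck on one address, another guessing names.
SAMPLE = [f"2000-01-01T01:40:{s:02d} reject from=<card@bulk.example> "
          f"to=<nekpdqs@mail.example> reason=user-unknown"
          for s in range(0, 60, 10)]
SAMPLE += [f"2000-01-01T02:1{i}:00 reject from=<promo@offers.example> "
           f"to=<{n}@mail.example> reason=user-unknown"
           for i, n in enumerate(["donna", "jim", "john"])]
```

Envelope sender addresses are trivially forged, so a real deployment would key the same counters on the connecting IP address as well.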

It’s no surprise that my server is being hassled by spammers from Japan. At the Spam Conference, Geoff Hulten from Microsoft’s anti-spam technology and strategy group said that much of the spam that Hotmail receives comes from China and Japan; in fact, those countries are now the second and third largest senders of spam. The United States is still Number 1, of course, but our Asian cohorts are moving up fast. What’s particularly troubling is that while spam from the United States runs roughly 50/50 with legitimate e-mail, spam from Asia outweighs legitimate e-mail by nearly 10-to-1.

Some of the spammers are getting very clever, and very dangerous. Brightmail CTO Ken Schneider says that some spammers have taken legitimate account e-mail from Citibank, modified a single HTML link in the body of the message so that instead of pointing at Citibank’s server, it points at a pirate server in China, and then sent out the e-mail to millions of addresses. All of the other links on the e-mail, including Citibank’s contact information and its privacy policy, properly point to the Citibank server. But a person who unsuspectingly clicks on that one rogue link will end up on the pirate server in China. Try to log in there with a valid username and password, and the pirates gain full access to the user’s Citibank account. This is spam in the service of organized crime. Ironically, when Brightmail blocks these e-mails, unsophisticated users sometimes complain that Brightmail is blocking a legitimate message; the spoofs are that good.
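A filter can exploit the fact that the spoof leaves every other link intact. The following is an added example, not Brightmail's method or code from the article: it extracts the links from an HTML body and reports any whose host falls outside the domain used by the rest of the message. The sample message, the domain names and the two-label domain heuristic are assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def registered_domain(host):
    """Naive last-two-labels heuristic (assumption); production code should
    consult the Public Suffix List so suffixes like co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def odd_links(html_body, expected_domain=None):
    """Return links whose host is outside the domain the message is branded as.

    If expected_domain is None, the domain used by most links is taken as
    the brand, which is exactly what a one-link spoof leaves intact.
    """
    parser = LinkCollector()
    parser.feed(html_body)
    hosts = [(h, urlsplit(h).hostname or "") for h in parser.hrefs
             if urlsplit(h).scheme in ("http", "https")]
    if not hosts:
        return []
    if expected_domain is None:
        expected_domain = Counter(
            registered_domain(host) for _, host in hosts).most_common(1)[0][0]
    return [href for href, host in hosts
            if registered_domain(host) != expected_domain]

# Constructed message: every link is on the bank's domain except one.
SAMPLE_BODY = """
<p>Dear customer, please
<a href="http://login.verify-account.example/signin">confirm your account</a>.</p>
<p><a href="https://www.bank.example/privacy">Privacy</a> |
<a href="https://www.bank.example/contact">Contact us</a> |
<a href="https://online.bank.example/help">Help</a></p>
"""
```

Inferring the brand from the majority of links only works when the spoof copies the original message closely; passing `expected_domain` from the visible sender or a list of protected brands is more robust.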

These increasingly sophisticated spam attacks are one reason that e-mail providers like Yahoo! and Microsoft are moving full-speed ahead with their next generation anti-spam tools. But this new anti-spam technology could do more than let a company distinguish spam from “ham,” as good messages are sometimes called by folks in the e-mail filtering biz. It could also help the large providers maintain and even solidify their market dominance, by making it increasingly difficult for small businesses to operate their own e-mail systems.

Yahoo!’s idea is a system called “Domain Key,” which the company plans to release later this year. Domain Key is a set of programs and procedures that e-mail providers like Yahoo! and Hotmail would use to digitally sign all outgoing messages. Signatures of non-spamming companies could be digitally registered. An e-mail system receiving a digitally signed message could use the signature to verify the sending company. Anti-spam systems would need to look only at unsigned mail.

An important feature distinguishes Domain Key from other digitally signed e-mail proposals: Instead of creating a key for each person sending e-mail, Domain Key has a different key for each company or e-mail domain. In theory, this makes the system easier to deploy, since only mail servers, not individual e-mail users, need to be upgraded to support the Domain Key system. But some people I spoke with at the Spam Conference are angry that Yahoo! is not going through the Internet’s standards committees, but is instead just going to roll out Domain Key on its production servers.
