False Hope for Stopping Spam
Sure, there’s a new federal law, and e-mail filtering tools are getting better. But a growing alliance between spammers, hackers, and organized crime bodes poorly for the future of e-mail.
The spam wars are taking a turn-and right now, the good guys are losing. New legislation, new technology, and draconian anti-spam policies on the part of some Internet service providers are doing nothing to stem the tide of unsolicited e-mail. The stakes are far bigger than you probably imagine: Spammers hold the power to turn the tools of our technological society against us, for their gain and pleasure. And so far, we have been unable to devise technical means to prevent these tools from being misused.
Most foot soldiers in the spam wars are too busy fighting day-to-day skirmishes to have such grandiose thoughts. A handful of coders genuinely believe that this is a battle that they can win with better software and protocols. Others seem to think that this war will be nothing more than a never-ending arms race resulting in greater annoyance but no serious harm.
Some of the greatest spam fighters in the world gathered last month at MIT for the second Spam Conference. The year’s big take-home message was that legislation like the recently passed CAN-SPAM Act of 2003 will not work-in part because more and more spam is originating outside the United States. Indeed, many of the conference’s participants were positively down on the federal anti-spam bill because it nullified many stronger measures that had been passed in states like Washington and California. But even if legislation won’t solve the problem, the hope was that fundamental changes being made to the way that e-mail flows over the Internet might stop the flood of spam, even if those changes have some unfortunate side effects for today’s Internet users.
Most of the technologists at the conference seemed pretty upbeat, as if they thought that the tide was finally turning. I think that this is a false hope; new technology aside, I’m watching a growing alliance between spammers, computer hackers and organized crime. This is a business relationship that bodes poorly for us all.
Years ago, computer security professionals condescendingly dismissed most hackers as “ankle-biters”: annoying kids who deface a Web site here and shut down an e-commerce server there, but who are incapable of jeopardizing the future of network computing. That’s changed. Hackers are now on the spammers’ payrolls. Some have created computer worms and viruses that break into computers and then turn those compromised machines into launching pads for sending out millions of spam messages.
Other hackers have taken to manipulating the fabric of the Internet’s routing system. First they find a set of IP addresses that aren’t in use-for example, addresses belonging to a dot-com company that went bankrupt. Then the hackers break in to the router of a medium-sized Internet service provider. They tell the router that the company is back in business and that it should announce to the rest of the Internet that it has the IP addresses. The hackers’ spammer then uses these addresses to send out a few million e-mails. Finally, the hackers tell the router to “drop the announcement”-and the IP addresses vanish once again from the face of the Internet.
These technical advances are having an impact. According to Brightmail, an anti-spam company that claims to filter 15 percent of the e-mail that is delivered on the Internet, spam constitutes 56 percent of all Internet e-mail-up from 40 percent one year ago. But even that depressing statistic underestimates the problem. For while some organizations and individuals get little or no spam, others get a torrent. Like me, for instance.
After the Spam Conference I decided to analyze the log files for my home e-mail server. I have a small domain I run for my personal e-mail. On Saturday, January 26, I received 114 legitimate e-mail messages from friends, business associates, and various mailing lists. (I know that this number is kind of low, but it was a weekend!) On that same day, I received 174 pieces of spam that were automatically identified by SpamAssassin, the open-source anti-spam filter. So I’m running 60 percent spam-a little worse than the Brightmail average. Except that even my 60 percent number underestimates the problem. That’s because my computer automatically rejects e-mail that’s sent to invalid addresses at the domain. Indeed, on that same Saturday, my server rejected 1,699 e-mail messages because they were sent to mailboxes on the computer that do not exist. Add those to the running total, and the amount of spam that my system was exposed to on January 26 rises to 94 percent of all received e-mail.
But even that number doesn’t tell the whole story.
I went through my computer’s log files and looked in detail at those 1,699 rejected messages. Many of the e-mail addresses were completely made up by the spammers-names like donna, jim, john, and others that spammers guessed in the hopes of finding a lucky match. This is what spamfighters call a “dictionary attack.” A little more investigation and I started finding bugs in the software that the spammers were using to send out their e-mail. For instance, one spammer tried over and over to deliver a message to the same address: “nekpdqs.” There were 30 individual attempts to deliver to this between 1:40 and 1:42 a.m. Each of these attempts had the sender of firstname.lastname@example.org. When I clicked through to www.oshirase.biz, I saw some Japanese characters and a “403 Forbidden” error; the spam originated somewhere in Japan.
It’s no surprise that my server is being hassled by spammers from Japan. At the Spam Conference, Geoff Hulten from Microsoft’s anti-spam technology and strategy group said that much of the spam that Hotmail receives comes from China and Japan-in fact, those countries are now the second and third largest senders of spam. The United States is still Number 1, of course, but our Asian cohorts are moving up fast. What’s particularly troubling is that while spam from the United States runs roughly 50/50 with legitimate e-mail, spam from Asia outweighs legitimate e-mail by nearly 10-to-1.
These increasingly sophisticated spam attacks are one reason that e-mail providers like Yahoo! and Microsoft are moving full-speed ahead with their next generation anti-spam tools. But this new anti-spam technology could do more than let a company distinguish spam from “ham,” as good messages are sometimes called by folks in the e-mail filtering biz. It could also help the large providers maintain and even solidify their market dominance, by making it increasingly difficult for small businesses to operate their own e-mail systems.
Yahoo!’s idea is a system called “Domain Key,” which the company plans to release later this year. Domain Key is a set of programs and procedures that e-mail providers like Yahoo! and Hotmail would use to digitally sign all outgoing messages. Signatures of non-spamming companies could be digitally registered. An e-mail system receiving a digitally signed message could use the signature to verify the sending company. Anti-spam systems would need to be look only at unsigned mail.
An important feature distinguishes Domain Key from other digitally signed e-mail proposals: Instead of creating a key for each person sending e-mail, Domain Key has a different key for each company or e-mail domain. In theory, this makes the system easier to deploy, since only mail servers-not individual e-mail users-need to be upgraded to support the Domain Key system. But some people I spoke with at the Spam Conference are angry that Yahoo! is not going through the Internet’s standards committees, but is instead just going to roll out Domain Key on its production servers.
A competing system that’s gaining ground is called Sender Permitted From, or SPF. This system, currently making its way through the Internet Engineering Task Force, lets mail administrators publish the IP addresses of their outgoing mail servers. I can publish a notice for a domain that tells people receiving e-mail the IP address of my mail server. Then, if a recipient of an e-mail message sees mail that claims to be from my domain but that is coming from a different IP address, they know that the e-mail is not legitimate. Publishing these so-called SPF records is a kind of Internet self-defense. Unfortunately, SPF breaks some mail-forwarding schemes. Consider MIT’s “e-mail forwarding for life” system, which lets alumni use @alum.mit.edu addresses for their outgoing mail. MIT couldn’t publish an SPF record for the alum.mit.edu domain, because the alumni aren’t sending their e-mail through MIT’s mail servers.
Because SPF is going through the Internet standardization process, its kinks will more than likely be worked out in a manner that’s systematic and fair to most of the people who are involved.
Neither SPF nor Domain Key is perfect. Neither can stop spam from new domains that have never been registered before and don’t have associated Domain Keys or published SPF records. And neither can stop spam that comes from legitimate Yahoo! and Hotmail customers-spam that’s sent out by computer worms and viruses. That’s why the SPF Web site emphasizes that “SPF is primarily an anti-forgery effort.” SPF’s main result will be to prevent spammers from using e-mail addresses ending with @aol.com and other well-known domains. But forcing spammers away from these domains and to fly-by-night domains will in turn make the spam easier to filter out.
The Spam Conference gave me lots of good ideas for short-term technical fixes that I can use to help deal with my spam problem-at least for the next few months. I went home and published an SPF record for my home domain. Then I reconfigured my e-mail server to bounce suspected spam back to the sender, rather than dropping it into my spam box. The reason for this change is that I wasn’t looking inside my spam box, and mail was getting lost. At least this way the senders will know that their mail isn’t getting through, and they can call me on the phone.
And so today my spam problem is once again under control.
In the long term, however, these fixes are sure to fail. And there’s a worrisome lesson here. E-mail and Internet-based communications are powerful tools-and just a few people have figured out ways to turn them against the vast majority of Internet users, at a cost to businesses that is now estimated at over a billion dollars. What will happen when the new powerful tools of biotechnology and nanotechnology become widespread? If we can’t tackle the spam problem, then the future may be quite bleak.