Enemy at the gates

Junk mail is now threatening the entire global e-mail system with meltdown. But is there a way to keep the spammers at bay?

About a month ago The Independent's e-mail servers almost collapsed under the weight of incoming connections from the outside world. The cause was not eager readers wishing to voice their views on our coverage of issues; the system is perfectly able to cope with human-generated input. What was overwhelming was a "dictionary attack" by a spammer - who had set their computer to try to send hundreds of e-mails per second, trying every permutation of letters in the "independent.co.uk" domain.

Around this time the amount of spam e-mail arriving at my e-mail address passed the 50 per cent mark. Along with receiving your first spam, the "more junk than news" point is a key one in anyone's perception of the spam problem, at which you ask: is this going to keep getting worse?

The pessimistic view, according to Steve Linford, who runs the Spamhaus project (www.spamhaus.org), is that it will, and that the global e-mail system is approaching meltdown as the torrent of junk intensifies. "The problem with spam is it doesn't scale," he said last week. "It's not like junk that comes in your letter box, which is only as much as your postman can carry. Spam is the equivalent of a row of trucks that come down your street absolutely laden with junk for you and you have no way to divert it." Brightmail, which specialises in providing an antispam service for ISPs and large organisations, reckons that in March 45 per cent of all e-mails sent were spam.

Ryan Hamlin, the manager of Microsoft's antispam technology group, reckons that "spam has reached epic proportions and we are in a crisis situation". He thinks that "for a lot of people the situation has gotten so bad that they are willing to give up e-mail if the spam situation does not get better" and estimates that next year the cost of dealing with spam could be close to $18bn.

So why do spammers persist? Two things unite them down the years (for the problem isn't new; I've been quizzing spammers about why they do it for a decade). First, they don't think they're doing anything wrong; second, they're certain it's someone else's responsibility to pay for the investment in infrastructure to deal with their outpourings, which have led the internet's e-mail infrastructure to be twice as large as it needs to be.

Spam is parasitic on the resources of the internet. A study found that spammers can make a profit on a response rate as low as 0.001 per cent (one in 100,000); in a typical case, 3.5 million e-mails generated 81 sales in the first week, a rate of 0.0023 per cent. Each sale was worth $19 to the marketing company, so it took in $1,500; the cost of mailing would have been a couple of hundred dollars. Now, just as the rise of viruses in the early Nineties spawned what is now a flourishing anti-virus industry, the rise of spam is leading to a plethora of companies who say they have the means to stop it.

One of the most controversial suggestions, presently being loudly touted by a company called Mailblocks, is the so-called "challenge-response" system. Rather than trying to automate the process of detecting spam (which always carries the risk of trapping innocent and perhaps essential e-mail), the Mailblocks system lets the user define a list of "known senders". When a message arrives from an unknown address, the Mailblocks system holds it and replies with a digital image (not text) of a number, with a form to fill out. Once the form is filled in with the number, the original e-mail goes forward and the address is added to the "known senders" list, so that sender will not have that hassle again.

Sounds ideal? Not to people like Adam Engst, who runs the Tidbits mailing list (www.tidbits.com) or Declan McCullagh, a technology journalist who runs the Politech mailing list on politics and technology. They think that "challenge-response", as the Mailblocks technique is known, will cause huge hassles if implemented widely.

As Mr Engst explains, challenge-response is not guaranteed to put off the sending of junk e-mail (as spammers often forge the From: and Reply-To: headers of e-mails, or hijack innocent servers). They don't care about e-mail that bounces or the trouble it causes; they only care about the stuff that gets through.

Meanwhile, the collateral damage is likely to be serious if challenge-response really catches on. With Earthlink, one of the US's bigger ISPs, about to trial challenge-response, he isn't happy. "We send e-mail to nearly 50,000 people each week. By the time you take all of our versions and translations into account, dealing with hundreds of individual challenges each week would utterly overwhelm us."

Mr McCullagh takes a similar view - and has already seen some of the consequences. "Politech receives hundreds of new sign-ups per month, and if dumb C-R [challenge-response] systems become widely adopted, verifying hundreds of users per month will present a significant burden. It removes the benefits of having automated authentication... I might as well go back to the way I did it circa 1995, which was editing a text file by hand. My conclusion is that C-R systems have the potential to end legitimate mailing lists as we know them today."
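The mechanism and its two side effects can be seen in a small model. This is an added example, not Mailblocks' code or anything from the original article; the `CRGateway` class, the addresses and the six-digit challenge are all assumptions made for illustration. It shows a genuine stranger being held and then released, a message with a forged From: drawing a challenge to an uninvolved address, and a mailing list collecting one challenge per subscriber.

```python
import secrets
from collections import namedtuple
from dataclasses import dataclass, field

# sender is whatever the message claims; SMTP does not verify it.
Message = namedtuple("Message", "sender body")

@dataclass
class CRGateway:
    """Challenge-response filter in front of one mailbox (hypothetical model)."""
    owner: str
    known_senders: set = field(default_factory=set)
    held: dict = field(default_factory=dict)      # token -> (code, Message)
    inbox: list = field(default_factory=list)
    outbound: list = field(default_factory=list)  # (address challenged, token)

    def receive(self, msg):
        if msg.sender in self.known_senders:
            self.inbox.append(msg)
            return "delivered"
        token = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"  # the number sent as an image
        self.held[token] = (code, msg)
        # The challenge goes to the claimed sender, genuine or forged.
        self.outbound.append((msg.sender, token))
        return "held"

    def answer(self, token, code):
        entry = self.held.get(token)
        if entry is None or not secrets.compare_digest(entry[0], code):
            return False
        msg = self.held.pop(token)[1]
        self.known_senders.add(msg.sender)
        self.inbox.append(msg)
        return True

def demo():
    gw = CRGateway("reader@example.org", known_senders={"friend@example.net"})
    results = [gw.receive(Message("friend@example.net", "lunch?"))]
    # Unknown but genuine sender: held until the number is typed back.
    results.append(gw.receive(Message("new@example.com", "hello")))
    token = gw.outbound[-1][1]
    results.append(gw.answer(token, gw.held[token][0]))
    # Junk with a forged From: the challenge lands on an uninvolved address.
    results.append(gw.receive(Message("bystander@example.edu", "BUY NOW")))
    return gw, results

def list_burden(n_subscribers):
    # Challenges one mailing draws if every subscriber sits behind C-R.
    gateways = [CRGateway(f"sub{i}@example.org") for i in range(n_subscribers)]
    issue = Message("list@example.info", "issue 1")
    return sum(gw.receive(issue) == "held" for gw in gateways)
```
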

Other alternatives include "Bayesian filtering", which scans every incoming message for tell-tale words and combinations of text - such as HTML links consisting only of numbers, or words like "Viagra" or "porn", or the presence of "Web bugs" (1x1 graphics that spammers use to verify addresses; this is why you should not even open spam while online). A number of companies including MessageLabs, which already implements a virus-scanning service, now offer spam-trapping using such systems. (This is the solution The Independent implemented after the recent attack.)

Another solution is to refuse e-mails coming from particular locations on the net - so-called "blacklists". All have the potential to lessen the amount of spam that people see - though not to reduce the amount that is actually sent as spammers bombard the ramparts, attempting to get anything through the rising defences.

What might really work is law. But although the 180 most prolific spammers, such as Alan Ralsky, are known to live in Florida, it's noticeable that the state legislature there has done absolutely nothing to outlaw the sending of spam; in fact, every American state except Florida, Kentucky and Oregon has enacted some form of anti-spam law.

Mr McCullagh doesn't think laws will work: "laws are futile. They will give people a false sense of security," he says. Certainly, as long as spammers can profit from getting a couple of dozen responses to multiple millions of e-mail, the problem is likely to continue. For the moment, all you can do is not open them, and if you do, don't reply.