Spam elimination techniques proposed

Although some industry pundits recently predicted that spam will slow down to a trickle by 2006, others are wondering whether that’s possible without first solving the problem of e-mail anonymity.

At the recent World Economic Forum in Davos, Switzerland, Microsoft Corp. chairman and chief software architect Bill Gates said he foresees the demise of spam within as little as two years.

But in an interview with ComputerWorld Canada, Redmond, Wash.-based Microsoft spokesperson Sean Sundwall said he wasn’t so sure whether Gates meant that literally. “It is quite possible that we will have spam in our e-mail boxes but it might be an anomaly,” he said. “If not literal, it would at least follow the spirit of the law. We want it to be to trickle.”

Sundwall said spam, which according to Microsoft makes up 60 to 75 per cent of e-mail worldwide, is so popular because it’s such a cheap way for the sender to deliver millions of messages at once. Senders get paid according to how many recipients click on URLs embedded in spam messages or respond to spam-delivered offers.

For Microsoft as an ISP, “this is a humungous drain on resources,” said Sundwall. Customers also have to deal with false positives – legitimate e-mail that gets flagged as spam by filtering software – often by manually going through their junk mail folders. “Plus, we still have to allocate space for those messages to sit in until they get deleted,” he said.

In a bid to eradicate spam, the software giant is considering a variety of technological approaches. One is the use of computational puzzles, which “exact a tax on the computer that is sending the e-mail” by requiring the sending computer to perform a calculation before the e-mail arrives in the recipient’s inbox.

“(The calculation) could be as simple as ‘two plus two equals four’…and would only take five to ten CPU cycles and then it can go through,” Sundwall explained. “For [someone] sending an e-mail to mom and dad, you don’t notice the extra processing power. But for someone sending a million messages a day, and with their server doing a computation for each one, suddenly something extremely cheap to do becomes extremely expensive.”
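The cost asymmetry Sundwall describes can be seen in a hashcash-style puzzle, shown here as an added example that is not from the article or from Microsoft. The partial-hash puzzle, the stamp layout and the names `mint` and `verify` are assumptions made for illustration.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(recipient: str, message_id: str, bits: int) -> str:
    """Sender side: try counters until the stamp's hash has `bits` leading zeros.
    Expected work is about 2**bits hashes per message, per recipient."""
    for counter in count():
        stamp = f"{bits}:{recipient}:{message_id}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Recipient side: a single hash, plus checks that stop stamp reuse."""
    try:
        bits_field, rcpt, _message_id, _counter = stamp.split(":")
        bits = int(bits_field)
    except ValueError:
        return False                      # malformed stamp
    if rcpt != recipient or bits < min_bits:
        return False                      # minted for someone else, or too cheap
    if stamp in seen:
        return False                      # replayed stamp
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False                      # the claimed work was never done
    seen.add(stamp)
    return True

if __name__ == "__main__":
    # Constructed sample values; 12 bits keeps the demo fast.
    seen = set()
    stamp = mint("mom@example.org", "msg-0001", 12)
    attempts = int(stamp.rsplit(":", 1)[1]) + 1
    print(f"sender hashed {attempts} times, recipient hashes once: {stamp}")
    print("accepted:", verify(stamp, "mom@example.org", 12, seen))
    print("replay accepted:", verify(stamp, "mom@example.org", 12, seen))
```

Because the recipient address is part of the stamp, a bulk sender cannot do the work once and reuse it across a mailing list.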

Another approach is using challenge-response technology, which bounces a sent message back to the sender, who then types into a text box the characters that appear in a randomly generated graphic. In the spam world, “you can imagine with some of these one-man operations how totally impractical it would be,” he said.

Internet Light and Power, an ISP based in Toronto, has a challenge-response antispam product, iPermitMail. The firm’s director of new product development, Scott Hicks, said that with iPermitMail, one automated message gets sent back to the sender, asking for identity verification. “Once you send it back, you’re…stored in [the recipient’s] accepted user list…(and) your mail is never stopped.”

Hicks added that since much of spam is automatically generated, there is often no human on the other end to reply to the bounced-back message. And if there is a live person sending out spam, “they will not reply to it; the cost of that kills their margin.”

Unfortunately, said Sundwall, challenge-response technologies still put the onus on the user. “We have to make the user experience one that is not so intrusive that people say, ‘I liked it better when spam was getting through.’” He added that if everyone were to embrace challenge-response, the world’s e-mail traffic would automatically double.
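The challenge-response flow described above, with a per-recipient accepted list and a count of the extra messages the filter itself sends, can be modelled as follows. This is an added example, not iPermitMail's code; the class, its methods and all addresses are constructed for illustration.

```python
import secrets

class ChallengeResponseGateway:
    """Toy model of a challenge-response filter with per-recipient accepted lists."""

    def __init__(self):
        self.accepted = {}        # recipient -> set of verified sender addresses
        self.held = {}            # challenge token -> (sender, recipient, body)
        self.challenges_sent = 0  # extra outbound messages the filter generates

    def receive(self, sender, recipient, body):
        """Deliver mail from accepted senders; hold and challenge everything else."""
        if sender in self.accepted.get(recipient, set()):
            return "delivered", None
        token = secrets.token_urlsafe(16)  # unguessable, single-use
        self.held[token] = (sender, recipient, body)
        self.challenges_sent += 1
        # In a deployment the token would be mailed to the claimed sender address.
        return "held", token

    def respond(self, sender, token):
        """Sender answers the challenge: release the message, remember the sender."""
        entry = self.held.get(token)
        if entry is None or entry[0] != sender:
            return None           # unknown, already used, or mismatched token
        del self.held[token]
        _, recipient, body = entry
        self.accepted.setdefault(recipient, set()).add(sender)
        return body

def simulate():
    """Constructed traffic: one human correspondent, one automated bulk sender."""
    gw = ChallengeResponseGateway()
    first, token = gw.receive("alice@example.org", "bob@example.net", "lunch?")
    released = gw.respond("alice@example.org", token)
    second, _ = gw.receive("alice@example.org", "bob@example.net", "1pm works")
    for i in range(3):            # the bulk sender never answers its challenges
        gw.receive(f"bulk{i}@example.com", "bob@example.net", "offer")
    return first, released, second, len(gw.held), gw.challenges_sent
```

In the simulated run every first-contact message, wanted or not, produces one outbound challenge, which is the traffic overhead Sundwall points to.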

Phebe Waterfield, analyst, security solutions and services with research firm The Yankee Group in Boston, doesn’t think the challenge-response method will get as much buy-in from enterprise users as some vendors hope. “The point of e-mail is improving productivity, and those kind of solutions do nothing to improve productivity.”

In addition, she said, “in some cases users will find they want to receive and need to receive unsolicited e-mail.” For example, they might count on receiving messages from unknown senders for lead-generation purposes. Adding an extra step for the would-be customer to get through to the company could cause the loss of some potential business, she said.

Challenge-response and computational puzzles approach the spam problem from a network perspective, but Peter Christy, principal, NetsEdge Research Group in Los Altos, Calif., said it’s also possible to deal with spam from an economic perspective.

Pre-bonding, which San Bruno, Calif.-based messaging gateway appliance vendor Ironport Systems is touting, requires a company that wants to send mass e-mails to contribute some money upfront to back up its reputation and belong to a safe list. “And every time that reputation is impugned, that costs [the sender] money,” said Christy. “It allows everyone to know whether you control spam on your own mail sources, and rewards you by having your mail trusted. If not, there’s a public reason to treat your mail with skepticism.”

The other economic solution being proposed by Safemail Corp. in Grapevine, Tex., is the electronic stamp, which would have a similar function to a postage stamp, and would cost about one penny per e-mail. Electronic stamps would make it “hugely more expensive” for spammers to send out illegitimate e-mails. For legitimate marketers, the cost of e-mail would also skyrocket. However, e-mail would still be “two orders of magnitude cheaper than direct mail, which costs about $1 per item,” he said.

Waterfield was skeptical about the fee-payment proposal. “I think they’re off their rockers; I don’t think people will want to pay to send e-mail.” Although the waiving of the fee for known senders has also been proposed, Waterfield said the problem of truly identifying the sender still remains. “E-mail has no identification in it….You can very easily hide who you are.”

She said the Email Service Provider Coalition, formed by the Network Advertising Initiative in Washington, D.C., is tackling the identity problem by working on a blueprint, code-named Project Lumos, for a technical architecture that deals with e-mail identity. Project Lumos is a registry-based model that holds senders accountable for the mail they send by employing a certification process that makes it impossible for high-volume spammers to conceal their identities. It requires senders, who are monitored for their performance, to fully verify their identity and adhere to best practices.


More facts on Project Lumos

Project Lumos, an open and interoperable standard based on a decentralized model, identifies four elements of accountability that address essential tactics designed to delineate illegitimate high-volume mailers:

-Certification: a verification process that ascertains the mailer’s identity, thereby facilitating transparency;

-Volume Mail Standards: a process that requires standardization of all sender information in the mail header including the use of an identifiable, trackable unsubscribe URL;

-Secure Identity: an authentication process that provides secure proof of sender identity in the SMTP header;

-Performance Monitoring: a process that captures, monitors and reports performance data for all senders and mailers.
