Spam-Fighting Technologies - 12 Feb 2004

What are today's solutions for avoiding unwanted email messages?

ITPro Today

February 11, 2004


Last week, I wrote about the spread of the MyDoom worm and how we might help avoid the spread of such nuisances in the future. A reader, Will Harper, wrote to me expressing his concern about unwanted email--especially spam, or junk email. Will thinks the industry is aiming at the wrong target by going after spammers. He thinks we'd do better by targeting advertisers, which he sees as the root of the spamming problem (i.e., without advertisers, spammers would be out of work).

I think Will has a valid point, but I also think that advertisers have the right to advertise through their chosen methods as long as the effort remains within the bounds of the law. The new CAN-SPAM Act attempts to regulate spam, but it's too early to know the effects of the law.

Regardless, it seems apparent that malicious email and spam both are festering problems in the minds of countless Internet users. As a result of the irritation we all feel, we're likely headed for changes in the way email is handled. Several entities are already testing new approaches, even if only in isolated lab environments.

Some people want servers to authenticate SMTP email senders before accepting email from them. Other people want a system in which recipients can charge senders that they don't know a fee in exchange for reading the sender's email message. Still other people think everyone should pay for sending and receiving email. Some analysts think that this last approach might quickly lead to people paying for their Internet connection not based on the bandwidth of their connection or their time online (as is most common now) but for the number of bytes they send or receive over their connection, regardless of the content type--somewhat similar to pay-per-view media. Other ideas are on the drawing board too.

Filtering email seems to work reasonably well and doesn't require a drastic change to the current email system. One effective filtering method not currently in widespread use is based on the message sender rather than the message content (as is the case with most spam-filtering software in use today). By maintaining a list of approved senders and putting aside until later or deleting any message that comes from someone not on the list, you can quickly obtain all your legitimate email without much effort. This method mimics the way many people handle paper mail: They grab the stack from the mailbox, open and read the important things first, and set the rest aside for later or toss them.

Challenge/response is another method for handling email and is sometimes used in conjunction with the filtering-by-sender method. If a sender isn't in the recipient's approved-senders list, the mail system sends a challenge to the sender and the sender must respond. If the response is correct, the mail system adds the sender to the recipient's approved-senders list and delivers the sender's current and future email messages without further intervention. The mail server drops the messages of senders that don't respond to the challenge correctly. This approach lightens recipients' email load and helps curb spam tremendously.
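The sender-based filter and challenge/response flow described above can be sketched as follows. This is an added example, not code from the article or from any mail product; the class name, the HMAC-based token and the addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseGate:
    """Sender-based filter: approved senders are delivered, unknown senders are challenged."""

    def __init__(self, approved=()):
        self.approved = {a.lower() for a in approved}
        self.held = {}                       # sender -> messages waiting on a challenge
        self._key = secrets.token_bytes(32)  # server-side secret for challenge tokens

    def _token(self, sender):
        # Bound to the sender address, so it cannot approve a different address.
        return hmac.new(self._key, sender.encode(), hashlib.sha256).hexdigest()[:16]

    def receive(self, sender, message):
        """Return ("deliver", [message]) or ("challenge", token)."""
        sender = sender.lower()
        if sender in self.approved:
            return "deliver", [message]
        self.held.setdefault(sender, []).append(message)
        return "challenge", self._token(sender)

    def respond(self, sender, token):
        """Correct response: approve the sender and release held mail. Otherwise drop it."""
        sender = sender.lower()
        pending = self.held.pop(sender, [])
        if pending and hmac.compare_digest(token, self._token(sender)):
            self.approved.add(sender)
            return pending
        return []


def demo():
    # Constructed addresses and messages, for illustration only.
    gate = ChallengeResponseGate(approved=["alice@example.com"])
    results = [gate.receive("alice@example.com", "lunch?")]
    action, token = gate.receive("bob@example.net", "hello")
    results.append((action, gate.respond("bob@example.net", token)))
    results.append(gate.receive("bob@example.net", "follow-up"))
    gate.receive("bulk@example.org", "buy now")
    results.append(gate.respond("bulk@example.org", "wrong-token"))
    return results


if __name__ == "__main__":
    print(demo())
```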

The challenge/response technology works well but presents some difficulties for disabled people. For example, visually impaired people might not be able to respond to a challenge in the form of a graphical image, and hearing-impaired people might have trouble responding to an audio challenge. Software can sometimes automate the response to a visual or audio challenge by parsing the challenge, but spammers could exploit that type of challenge/response system.

Another type of challenge/response method would involve a computer calculation. The calculation would be difficult enough that a system required to perform many such computations (such as a spam server) would have trouble doing so in a reasonable amount of time due to processor overhead. However, the computational overhead wouldn't be a problem for the average user's system, which isn't sending out tens of thousands or even millions of email messages. This solution sounds viable and would leave email accessible to the disabled as well. Any decent antispam solution will also prevent the wide spread of malicious email messages, which we all know are nuisances of the worst kind.
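One way such a computational challenge could work is a hash puzzle: the sender searches for a counter whose hash has a required number of leading zero bits, and the receiver checks the answer with a single hash. This is an added example, not a scheme the article specifies; the function names, the use of SHA-256, the difficulty value and the addresses are assumptions.

```python
import hashlib
import itertools
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def make_challenge(sender: str, recipient: str) -> str:
    """Receiving server: issue a fresh challenge bound to this sender/recipient pair."""
    return f"{sender}:{recipient}:{secrets.token_hex(8)}"


def solve(challenge: str, difficulty: int) -> int:
    """Sender: brute-force a counter; expected cost is about 2**difficulty hashes."""
    for counter in itertools.count():
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter


def verify(challenge: str, counter: int, difficulty: int) -> bool:
    """Receiving server: checking a response costs a single hash."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty


if __name__ == "__main__":
    DIFFICULTY = 16  # assumed value; about 65,000 hashes per message on average
    # Constructed addresses, for illustration only.
    challenge = make_challenge("bob@example.net", "alice@example.com")
    counter = solve(challenge, DIFFICULTY)
    print(f"counter={counter} valid={verify(challenge, counter, DIFFICULTY)}")
```

Each extra bit of difficulty doubles the sender's expected work while verification stays at one hash, which is the asymmetry the paragraph relies on: negligible for one message, expensive across millions.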

If you want to help hammer out ideas to shape the future of email, consider joining the Internet Research Task Force (IRTF) Anti-Spam Research Group (ASRG). I've been following the group's discussions over the past week, and interesting viewpoints are being presented and debated. ASRG offers two mailing lists you can join: a low-traffic list for announcements and a higher traffic list for discussions. You can learn more about ASRG and subscribe to the forums at the .
