Spam-Fighting Technologies - 11 Feb 2004

Last week, I wrote about the spread of the MyDoom worm and how we might help avoid the spread of such nuisances in the future. A reader, Will Harper, wrote to me expressing his concern about unwanted email--especially spam, or junk email. Will thinks the industry is aiming at the wrong target by going after spammers. He thinks we'd do better by targeting advertisers, which he sees as the root of the spamming problem (i.e., without advertisers, spammers would be out of work).

I think Will has a valid point, but I also think that advertisers have the right to advertise through their chosen methods as long as the effort remains within the bounds of the law. The new CAN-SPAM Act attempts to regulate spam, but it's too early to know the effects of the law.

Regardless, it seems apparent that malicious email and spam both are festering problems in the minds of countless Internet users. As a result of the irritation we all feel, we're likely headed for changes in the way email is handled. Several entities are already testing new approaches, even if only in isolated lab environments.

Some people want servers to authenticate SMTP email senders before accepting email from them. Other people want a system in which recipients can charge senders that they don't know a fee in exchange for reading the sender's email message. Still other people think everyone should pay for sending and receiving email. Some analysts think that this last approach might quickly lead to people paying for their Internet connection not based on the bandwidth of their connection or their time online (as is most common now) but for the number of bytes they send or receive over their connection, regardless of the content type--somewhat similar to pay-per-view media. Other ideas are on the drawing board too.

Filtering email seems to work reasonably well and doesn't require a drastic change to the current email system. One effective filtering method not currently in widespread use is based on the message sender rather than the message content (as is the case with most spam-filtering software in use today). By maintaining a list of approved senders and putting aside until later or deleting any message that comes from someone not on the list, you can quickly obtain all your legitimate email without much effort. This method mimics the way many people handle paper mail: They grab the stack from the mailbox, open and read the important things first, and set the rest aside for later or toss them.

Challenge/response is another method for handling email and is sometimes used in conjunction with the filtering-by-sender method. If a sender isn't in the recipient's approved-senders list, the mail system sends a challenge to the sender and the sender must respond. If the response is correct, the mail system adds the sender to the recipient's approved-senders list and delivers the sender's current and future email messages without further intervention. The mail server drops the messages of senders that don't respond to the challenge correctly. This approach lightens recipients' email load and helps curb spam tremendously.

The challenge/response technology works well but presents some difficulties for disabled people. For example, visually impaired people might not be able to respond to a challenge in the form of a graphical image, and hearing-impaired people might have trouble responding to an audio challenge. Software can sometimes automate the response to a visual or audio challenge by parsing the challenge, but spammers could exploit that type of challenge/response system.

Another type of challenge/response method would involve a computer calculation. The calculation would be difficult enough that a system required to perform many such computations (such as a spam server) would have trouble doing so in a reasonable amount of time due to processor overhead. However, the computational overhead wouldn't be a problem for the average user's system, which isn't sending out tens of thousands or even millions of email messages. This solution sounds viable and would leave email accessible to the disabled as well. Any decent antispam solution will also prevent the wide spread of malicious email messages, which we all know are nuisances of the worst kind.
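The sketch below is an added example, not code from the column or from any mail product: it combines the approved-senders list and challenge/response flow described above with a computational challenge. The puzzle (find a counter whose SHA-256 hash starts with a set number of zero bits), the `MailGate` class, and the difficulty value are assumptions chosen for illustration; the column does not name a specific scheme.

```python
import hashlib
import secrets

DIFFICULTY_BITS = 16  # assumed cost knob: about 65,000 hashes per challenge on average

def is_valid(challenge: str, counter: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Verifier side: one hash, accepted if it starts with `bits` zero bits."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return 256 - int.from_bytes(digest, "big").bit_length() >= bits

def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Sender side: brute-force a counter; this loop is the deliberate CPU cost."""
    counter = 0
    while not is_valid(challenge, counter, bits):
        counter += 1
    return counter

class MailGate:
    """Recipient side: approved-senders list plus a hold queue for unknown senders."""

    def __init__(self, approved=()):
        self.approved = set(approved)
        self.pending = {}  # sender -> (challenge, [held messages])
        self.inbox = []

    def receive(self, sender: str, message: str):
        """Deliver mail from approved senders; hold the rest and return a challenge."""
        if sender in self.approved:
            self.inbox.append((sender, message))
            return None
        challenge, held = self.pending.setdefault(sender, (secrets.token_hex(16), []))
        held.append(message)
        return challenge

    def respond(self, sender: str, counter: int) -> bool:
        """Correct answer: approve sender and release held mail. Wrong: drop it."""
        challenge, held = self.pending.pop(sender, (None, []))
        if challenge is None or not is_valid(challenge, counter):
            return False
        self.approved.add(sender)
        self.inbox.extend((sender, m) for m in held)
        return True

if __name__ == "__main__":
    gate = MailGate(approved={"alice@example.com"})  # constructed addresses
    gate.receive("alice@example.com", "lunch?")
    ch = gate.receive("bob@example.com", "hello")
    print(gate.respond("bob@example.com", solve(ch)), gate.inbox)
```

Verification costs the recipient one hash while solving costs the sender tens of thousands, which is the asymmetry the paragraph relies on. The sketch takes the sender address at face value; plain SMTP does not verify it, so the approved-senders list is only as reliable as whatever authenticates the sender.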

If you want to help hammer out ideas to shape the future of email, consider joining the Internet Research Task Force (IRTF) Anti-Spam Research Group (ASRG). I've been following the group's discussions over the past week, and interesting viewpoints are being presented and debated. ASRG offers two mailing lists you can join: a low-traffic list for announcements and a higher traffic list for discussions. You can learn more about ASRG and subscribe to the forums at the ASRG Web site.
