杏吧原创

How not to beat spam

There will never be a complete technical solution to unsolicited email, claims Richard Clayton. It is now down to governments to regulate

THEY have done it again. This month, it was finally proved that spammers trying to distribute advertisements for pornographic websites have been using 鈥渢rojan programs鈥, delivered by viruses, to turn personal computers into servers capable of passing on 750,000 items a day. By using viruses, they have upped the ante once more in the fight against unsolicited and unwanted advertising, which now makes up about half of all email traffic. This confirms what has been apparent for some time: we will never beat spammers using technology alone. It is time to move on and tackle the problem in the courts.

Spammers are using ever more sophisticated techniques to get their ads into our inboxes. For years they used throwaway dial-up accounts and 鈥渙pen relay鈥 mail servers that would accept a single incoming email and deliver it to hundreds of recipients. The ISPs have all but stamped this out, so the spammers have taken to hijacking insecure machines, especially those owned by broadband customers. Improving security here will take years. Software and internet experts are touting myriad technical solutions to the problem, but there are flaws in them all.

The technical solutions can be divided into four major categories: blacklisting, authentication, payment and filters. Blacklisting works by blocking email from locations that are being actively exploited by spammers. Unfortunately, the accuracy of blacklists varies considerably, and many ISPs consider it unacceptable to risk blocking legitimate traffic in this way. Nevertheless, blacklists have had some effect. The decision by many American ISPs to block everything from China or South Korea forced both countries to crack down on spammers and fix insecure systems, for fear their economies would suffer.

Authentication, whereby ISPs make you personally accountable for every piece of email sent using your cryptographic identity, and payment, whereby you are forced to pay for any spam you send, both suffer from the same problem. Innocent users who run insecure systems and have their identities stolen by spammers will simply not tolerate permanent disconnection or any significant monetary penalty. Economic solutions work only if you can guarantee that the spammers alone will pay, and they are unlikely to co-operate.

Filtering, the flavour of the month, involves identifying and discarding spam so that only genuine emails reach your inbox, (see New 杏吧原创, 8 March, p 42). But despite some short-term success, filtering is not a long-term solution to spam. An obvious problem is that it can lead to legitimate email being discarded. In February the UK Parliament鈥檚 new filtering system blocked email relating to the Sexual Offences Bill and messages written in Welsh. Filters also need considerable personalisation: you or I may not wish to receive email about Viagra, but the people at pfizer.com certainly do. Even if filters are working well, they only prevent delivery to the end user, and this is just one part of the spam problem. The messages still travel through the network and incur bandwidth and processing costs, which someone has to pay for.

But the real show-stopper is that spam is rapidly evolving under Darwinian selective pressure to evade the filters, just as press advertising evolved to look like editorial (or art) and television commercials can now pass as miniature films. The filters will become ever fuzzier, discarding ever more genuine traffic, as mutations breach their defences, and they will be rendered useless when spam is indistinguishable from normal correspondence with friends, family or colleagues.

So if technology is not the answer 鈥 and the spammers have won every round so far 鈥 then we must turn to regulation. Essentially we have to make spam illegal everywhere. Sending bulk unsolicited email has been unlawful in Europe for years. Individual email addresses are classed as 鈥減ersonal data鈥 (only role-based addresses such as sales@example.co.uk escape this definition), and there are strict limitations on processing personal data for 鈥渦nfair鈥 purposes 鈥 including sending unsolicited email. But anyone who looks into their mailbox will realise that most spam originates in the US, where anti-spamming laws are weak or non-existent.

Given the right powers, the courts could tackle the problem effectively because juries will be able to judge whether mail is unsolicited or unwarranted with more subtlety than any technology. We also need swingeing fines for companies that pay spammers to deliver their advertisements 鈥 precisely the economic lever that killed off Europe鈥檚 pirate radio ships in the 1960s. Finally, anti-spam laws must be enacted planet-wide so that the spammers, who are far easier to trace than many suppose, can be prosecuted wherever they try to hide. The problem has been left for too long in the hands of programmers. It is time for diplomats and politicians to act.

More from New 杏吧原创

Explore the latest news, articles and features