LAST year the amount of unsolicited email shot up by 15 per cent, and suddenly accounted for 58 per cent of all email sent across the internet. There could hardly be starker proof that today鈥檚 technologies for beating spam are failing miserably.
But there is hope on the horizon, delegates to the annual Spam Conference at the Massachusetts Institute of Technology heard last month. An emerging strategy called email 鈥渁uthentication鈥 looks like having the best chance yet of halting spam鈥檚 inexorable rise.
All the major email services already have filters on their servers that try to block spam. These filters are content-based: they sift through emails looking for combinations of words typical of unsolicited ads 鈥 鈥渕ake money fast鈥 is an old favourite 鈥 and ditch messages most likely to be spam.
Advertisement
These filters are frequently upgraded with new spam-catching tricks, but the spammers are outsmarting them every time. Messages advertising Viagra may appear with something like v()agr* in the subject line instead, which is often enough to get them through. Spammers may also load the body of a message with random verbiage 鈥 known as a 鈥渨ord salad鈥 鈥 to dilute the telltale words enough to make the message seem like a legitimate email.
And if some spam gets caught, the spammers just send out more. 鈥淓very time we get better at filters, the spammers increase their volume of messages,鈥 says Matt Prince, a lawyer specialising in technology. He says filters will not solve the problem and that harsher laws are needed. But many at the MIT conference were confident that authentication is the answer. This involves inspecting every email to ensure it comes from a legitimate sender.
Most spam is 鈥渟poofed鈥: it pretends to come from the email addresses of innocent people, which the spammer has found by trawling websites or newsgroups or by sending out a virus that reads the address book of infected PCs. Spoofing evades the blacklists of known spammers鈥 addresses and saves the spammer from angry 鈥渄on鈥檛 darken my inbox again鈥 emails from those who receive them. Meanwhile, the legitimate owner of the spoofed address gets the angry mail, along with any bounced spams that content filters have rejected.
Authentication could put an end to spoofing. Two authentication protocols are currently being studied by the Internet Engineering Task Force for possible adoption as a standard. One, called Lightweight Message Access Protocol (LMAP), is an extension to the internet鈥檚 Simple Mail Transfer Protocol (SMTP). The other, called Domain Keys, is being developed by Yahoo.
SMTP dates back to the trusting early years of the internet when spam, viruses and worms were scarcely dreamed of. It lets a sender enter any address they want in the 鈥渇rom鈥 field of the email 鈥 an obvious boon to spammers. LMAP should close this loophole by requiring email providers to install a small program on their servers to check that the entry in the 鈥渇rom鈥 field is genuine. Before accepting an email, the server will contact the source quoted in the 鈥渇rom鈥 field and ask for its IP number 鈥 in effect, the claimed source鈥檚 internet address. If that does not match the IP number of the actual source, the email will be deemed a spoof and be deleted, or tagged as 鈥渟uspected spam鈥 and diverted to a file for later inspection.
America Online last month began using Sender Permitted From (SPF) 鈥 an LMAP variant 鈥 on its email systems. 鈥淪PF is actually catching spam now,鈥 says its developer Meng Weng Wong of email forwarding service Pobox of Philadelphia, Pennsylvania.
Yahoo鈥檚 Domain Keys approach to authentication is to tag all emails with an encrypted signature that ties the message to its source. Domain Keys software constructs a sequence identifying the content by taking, say, the third letter in every word in the email, and then appends this sequence to an ID sequence that identifies the server that is sending it. The whole signature is then encrypted. The server receiving the email decodes the signature and checks that the message content matches its coded sequence, and that it has come from the domain identified in the signature. The drawback is that it will require a global database of codes identifying all other servers, and licensing encryption software on a large scale will make it expensive.
Whichever anti-spam system wins out, authentication will force spammers to use real domain names, making them easier to catch. They will have to constantly register new, throwaway domains and discard them as soon as they are used and become blacklisted. Some spam will trickle through, but authentication should stop it. 鈥淎nything that makes a spammer鈥檚 life harder is not a bad thing,鈥 says Barry Shein, who runs an internet service provider in Brookline, Massachusetts. 鈥淚f SPF makes them jump, why not?鈥

Trapping junk mail in a tar pit
Fighting spam is an arms race in which software engineers are always trying to devise new weapons. A promising approach now in development is the TarProxy from Marty Lamb of Martian Software in Downington, Pennsylvania. This works by passing suspected spam through an electronic 鈥渢ar pit鈥 to slow it down. The idea is not only to block the initial batch of spam but also prevent the spammer trying to send any more.
When a server sends an email it has to wait on the line for an acknowledgment that it has been received. If TarProxy encounters suspect messages it slows down this initial exchange of data, which normally occurs almost instantaneously. This should cut down the quantity of mail a spammer can send.
Lamb routes incoming email to a 鈥減roxy server鈥, which runs a spam check, such as a content filter. If this reveals the email may be suspect, Tar Proxy slams on the brakes. It can be configured to make acknowledgement take hours, tying up the spammer鈥檚 mailing system all that time.