Tech experts say spammers are on the run
Anyone who's ever spent an hour sweeping perverted rubbish out of his e-mailbox might not expect to find much good cheer at a meeting of antispam experts. But lives spent elbow-deep in filth didn't damage the optimism of the antispam warriors who met at the Massachusetts Institute of Technology earlier this month. It's probably because they think they're winning.
Huh? When's the last time these geeks checked their own e-mails? Despite a newly enacted federal antispam law, the CAN-SPAM Act, companies like Brightmail Inc. say there's no sign that spammers have even slightly reduced their output of illegal mailings.
Why the optimism, then? Because the experts think this is the year when a combination of software, e-mail infrastructure upgrades, and new laws will finally begin to make a difference.
Paul Judge, chief technology officer of CipherTrust Inc., said that spam filters made by his firm and its competitors are now so good that their corporate customers are able to keep their networks relatively spam-free.
"The panic is gone," Judge said. It's a self-serving assessment, yet it reflects the view of a number of attendees. They say "Bayesian filter" programs which learn from experience, along with blacklisting of known spam addresses, can nail over 90 percent of the stuff.
Alas, that still leaves plenty. Besides, the spammers have responded to filtering by pouring billions more messages onto the network, in hopes that a few percent will make it through.
This is bad news -- and good. It means they're spending more on computers and bandwidth in order to make a profit. In the long run, spam blockers don't have to be perfect. They just have to make spamming so costly and difficult that there's no longer any money in it. And that could finally happen.
Apart from filtering spam, there's the prospect of preventing it from entering our mail systems in the first place. Today's e-mail allows a sender to put fake information in the headers, disguising where it came from. You can outlaw this sort of "spoofing" -- the feds just did -- but it's better to redesign the system to make it impossible.
That doesn't mean sacrificing privacy. The system doesn't have to prove that a mail from hiawatha@yahoo.com really came from me. It just has to prove it really came from Yahoo.
And Yahoo thinks it knows how. It has devised an antispoofing system called DomainKeys that would attach an encrypted digital signature to the billions of messages sent by Yahoo users. Any other e-mail service equipped with the DomainKeys system would be able to check the signature and confirm the source of the message. Any messages not really from a Yahoo user would be instantly spotted and discarded as spam.
Sounds lovely -- but not to everybody.
"What are they smoking over at Yahoo?" mused one conference attendee from an e-mail software company. For one thing, Yahoo's supposed to be part of an antispam alliance with other major Internet firms, including Microsoft Corp., America Online, and Earthlink Inc. Yet it blurted out the DomainKeys plan without a by-your-leave to its buddies.
Besides, some critics say the Yahoo plan flunks the "keep it simple, stupid" test. E-mailers around the world would need to set up a complex new encryption system, with lots of computing power to encode and check billions of digitally signed messages.
Is there an easier way? Yahoo's rivals, including AOL, are using an approach called Sender Permitted From, or SPF, that looks a good deal simpler. SPF works like the existing domain name system that's used to help Internet messages find their way. But it adds a double-check that compares the domain name on an incoming message to the numerical Net address it actually came from.
Yahoo, for instance, has large, preassigned blocks of these numerical addresses, which nobody else can use. There are public databases listing which addresses belong to particular Internet providers.
So SPF compares Yahoo's known Internet addresses to the one on an incoming message supposedly from Yahoo. If there's a mismatch, it's probably forged e-mail from a spammer.
The antispam working group of the Internet Research Task Force is keen on this approach, because it requires little new software and hardly any extra computing power. A small but growing number of e-mailers, including AOL, have begun running the system on their servers, but like DomainKeys, SPF won't do much good until most of the world's major Internet companies sign on. Still, either approach will snuff out vast quantities of spam long before it reaches anyone's mailbox. And once again the spammer's cost of doing business goes up.
Of course, nothing costs more than a long court battle followed by a stint in jail. That's just what Jonathan Praed, attorney and founder ot the Internet Law Group, has in mind for spammers.
"They are criminals," he told the crowd of attendees, and even a feeble law like the federal CAN-SPAM Act can be used to put them out of business. A study released last week found that nearly all of the spam sent so far this year violates the law. Praed said that once the government starts enforcing CAN-SPAM, it should be possible to put many offenders out of business permanently.
So is the spam plague about to end? Hardly. Look for the slicker ones to move offshore, in an effort to bypass US law. We'll need international cooperation to bring down these poltroons. But setting up offshore operations and hiring lawyers is expensive. And thwarted by better filters and antispoofing systems, the spammers won't be able to make the money back. They'll go find some other sleazy way to make money, and leave our mailboxes in peace.
Nobody's taking bets on when this will happen. But the experts are confident that it will happen. We're going to beat this thing.
Hiawatha Bray can be reached at bray@globe.com. 