Weapons In The Fight Against Spam

Guest author Nathaniel Borenstein is Mimecast’s chief scientist and the inventor of the MIME email protocol.

Spam represents profound things about the limits of productivity, communication and wisdom. As electronic junk mail, it’s the electronic static that limits collective thought.

Spam is not a simple problem, and it is not likely to ever go away. Unfortunately, spammers have only begun to explore the range of options and techniques open to them, and this digital detritus is inevitable in any open system of communication. 

Although spam cannot be completely eliminated, an intelligent and deep program of spam control—made up of both technical measures and user education—has been able to limit it to the level of a minor but costly nuisance. At least, so far.

The Moore’s Law Of Our Email Wasteland

Think of spam’s prevalence in the context of Moore’s Law—except in this case, Moore’s Law is on the side of the “bad guys.”

A team of researchers could work for two years and cut the “false negative” rate (or the rate at which spam gets through to users) in half. But at the end of the same two-year period, the spammers, who need do no research at all, have the ability to send twice as much spam for the same cost. 

In that scenario, the net amount reaching users is unchanged. That’s an oversimplification of a complex problem, but it illustrates how the bad guys start out with a significant structural advantage.

Techniques for creating a world with less spam fall under both technical and non-technical categories. While each approach has its benefits, no method is a fool-proof catch-all, which means we must empower and educate users to enlist their own spam defenses.

Filtering

Using content filters on messages is the first and most widely used approach in spam fighting. It is used for outbound messages, to make sure a company doesn’t become a vector for anti-social messages, and for incoming messages, to protect users from malicious junk. The filtering can take place on one’s own mail servers, on servers belonging to a third party such as a cloud provider, on intermediate relays, or even on an email client.

Spammers constantly vary their messages, so successful filtering depends on regular and timely updates to filtering rules. (Most filtering systems get their rules from a relatively small set of well-known providers.) But even so, it’s not as effective as it used to be. Spammers watch and respond to trends in filtering, so they can continually innovate their approaches to get around it, as well as simply send more messages.

Authenticating Identity

If spammers would only identify themselves clearly, it would be easy to block spam. This observation has led to a plethora of whitelists and blacklists, but unfortunately, it’s not nearly that straightforward.

For better and for worse, the fundamental design of the Internet enables anonymity. It connects millions of machines, each of which is controlled and authenticated relatively independently. This means that it is generally impossible for a recipient server to confirm any authentication claimed by the sending server, which it has no reason to trust.

There are ways to fix this problem, but they face strong opposition, which makes them unlikely to be deployed. The Internet community has been working for more than 20 years to develop person-to-person authentication in email, resulting in email encryption systems known as S/MIME and PGP. 

These systems have seen stunningly low adoption rates, in part because of their perceived complexity, and because people don’t seem to want strong authentication most of the time.

In recent years, domain-based authentication has emerged, using standards like DKIM and DMARC, whereby cooperating sites can authenticate messages based on where they originate. This allows sites to make informed judgements about the mail that comes from another given site and how likely it is to be spam. 

Domain-based authentication has tremendous potential, and it’s becoming an important new technology in the fight against spam. And, because DKIM allows only the sender’s domain to be authenticated, users can combat spam while preserving the privacy of the human sender.
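
As an added illustration (not part of the original article), the Python sketch below shows how a receiving site could apply a sender domain's published DMARC policy to the DKIM results its own server recorded. It covers the DKIM path only and assumes the signature was already verified cryptographically; the hostnames, sample messages, and the two-label shortcut for the organizational domain are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

RECEIVER_ID = "mx.receiver.example"  # assumed authserv-id of our own mail server

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not one."""
    parts = (p.partition("=") for p in txt.split(";") if p.strip())
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Simplification: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_pass_domains(msg):
    """d= domains whose DKIM signature our own receiver recorded as verified."""
    domains = []
    for hdr in msg.get_all("Authentication-Results", []):
        server, _, results = hdr.partition(";")
        if server.strip().lower() != RECEIVER_ID:
            continue  # written by someone else, possibly the sender: not evidence
        domains += re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I)
    return [d.lower() for d in domains]

def dmarc_disposition(raw_message, dmarc_txt):
    """'pass', or the published policy (none/quarantine/reject) to apply."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    policy = parse_dmarc(dmarc_txt)
    if policy is None:
        return "none"  # domain publishes no DMARC policy
    strict = policy.get("adkim", "r") == "s"
    for d in dkim_pass_domains(msg):
        if d == from_domain or (not strict and org_domain(d) == org_domain(from_domain)):
            return "pass"
    return policy.get("p", "none")

# Constructed sample messages (not real mail)
def sample(auth_results, sender="Alice <alice@sender.example>"):
    return f"Authentication-Results: {auth_results}\nFrom: {sender}\nSubject: hi\n\nbody\n"

ALIGNED = sample("mx.receiver.example; dkim=pass header.d=mail.sender.example")
OTHER_DOMAIN = sample("mx.receiver.example; dkim=pass header.d=bulk.example")
FORGED_HEADER = sample("mx.elsewhere.example; dkim=pass header.d=sender.example")

if __name__ == "__main__":
    for name, m in [("aligned", ALIGNED), ("other", OTHER_DOMAIN), ("forged", FORGED_HEADER)]:
        print(name, dmarc_disposition(m, "v=DMARC1; p=reject; adkim=r"))
```

The decision depends only on the domain in the From address and the signing domain, never on which person at that domain wrote the message. A valid signature from an unrelated domain, or a results header not written by the receiver itself, does not count as a pass.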

The downside: This method substantially complicates the work of running an email service. And although it could help distinguish genuine messages from spam, as long as a sizable portion of the Internet isn’t cooperating in this scheme, the Internet’s infrastructure will continue to permit that junk mail.

Payment Models for Email

With traditional postal mail, the quantity of junk mail is limited by the cost of postage. Such incentives clearly don’t exist for email. Imposing a payment model would be a way to change that.

This tactic has been widely discussed, but rarely implemented. First, there is widespread resistance to the idea of paying for “good” email. The fact that email is essentially free to send is widely seen as a major benefit, so many would be unwilling to give it up—even to eliminate the junk.

A variation on this theme poses an interesting scenario: linking money and authentication practices. The sender is charged only when that authentication fails.

Companies like Yahoo tried “charity stamps,” in which senders link their email to charitable donations. For each message sent, the sender had to demonstrate that money was donated to a charity. For many companies, that would be less than what they give to charity anyway, so the mail would be incrementally free.

To date, none of these systems has found widespread adoption, but such concepts could find renewed interest in an age when email-based attacks and annoyances continue to escalate.

Education

Ultimately, the best hope for beating spam and other malware is to train users not to be fooled.

Most malware depends on tricking users into clicking on a link, opening an attachment or otherwise following some set of instructions. The better-educated users are, the less vulnerable they are to falling for the con. Both organizations and email providers should provide clear information and examples of what not to do. Short, clear and varied messages—that aren’t too frequent—work best, so users don’t tune them out.

Ideally, safe email habits will eventually seem like common sense to most users—like locking their front door before leaving the house. While none of the above methods can stand up against spam on its own, when coupled with user education, there’s a fighting chance. 

Photo by spinster cardigan
