Only by removing the financial benefits of spam will its volume be
reduced.
The explosion of spam has prompted a massive reaction. The victims
are looking for a cure and the suppliers are scrambling to grab a
piece of a hot market.
ISPs are co-operating on their approach to control spam, while
e-marketers are trying to avoid being perceived as part of the
problem. Even governments are getting involved as legislators
consider imposing restrictions on commercial e-mail.
There are several different anti-spam solutions available. The most
common are blacklist services, fingerprinting, heuristics, and
keyword and lexical analysis.
One of the oldest and simplest techniques is to block any e-mail
from a server used by spammers. Both commercial and non-profit
organisations maintain these blacklists and many anti-spam filters
can access the lists, of which there are hundreds. Unfortunately,
they tend to be broad and not suited for corporate use.
Another basic technique is to scan for certain keywords used in the
e-mail. A variant of this approach is lexical analysis, in which
the context of the words is also considered.
However, both these approaches could block a large number of
legitimate messages ("false positives"), while spam not included in
the blacklist can still get through the filters ("false negatives").
As spam moves to HTML, word-based filters will become increasingly
ineffective. Bayesian filtering offers a twist on keyword analysis
by taking the characteristics of legitimate e-mails into account to
provide a balanced score.
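
An added example, not part of the original article: a plain keyword filter beside a minimal naive Bayes scorer (one common way to implement Bayesian filtering), showing how words typical of legitimate mail offset a flagged word. The training messages, keyword list and function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training messages (not real mail).
SPAM = [
    "free pills buy now limited offer",
    "free money click now to win",
    "win a free prize click here",
]
HAM = [
    "meeting agenda for the quarterly budget review",
    "are you free for the budget meeting on tuesday",
    "please review the attached project report",
]
BLOCKED_KEYWORDS = {"free", "win", "prize"}  # assumed keyword list


def tokens(text):
    """Lowercase word tokens; punctuation and digits are dropped."""
    return re.findall(r"[a-z']+", text.lower())


def keyword_filter(text):
    """Keyword approach: block the message if any listed word appears."""
    return any(t in BLOCKED_KEYWORDS for t in tokens(text))


def train(messages):
    """Return per-token counts and the total token count for a corpus."""
    counts = Counter(t for m in messages for t in tokens(m))
    return counts, sum(counts.values())


SPAM_COUNTS, SPAM_TOTAL = train(SPAM)
HAM_COUNTS, HAM_TOTAL = train(HAM)
VOCAB = len(set(SPAM_COUNTS) | set(HAM_COUNTS))


def spam_probability(text):
    """Naive Bayes score with Laplace smoothing and equal priors."""
    log_odds = 0.0
    for t in tokens(text):
        p_spam = (SPAM_COUNTS[t] + 1) / (SPAM_TOTAL + VOCAB)
        p_ham = (HAM_COUNTS[t] + 1) / (HAM_TOTAL + VOCAB)
        # Each token adds evidence for spam (>0) or for legitimate mail (<0).
        log_odds += math.log(p_spam / p_ham)
    return 1 / (1 + math.exp(-log_odds))
```
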
The most accurate technique is spam fingerprinting. Specific spam
messages are identified, a unique "fingerprint" is developed and
scanners find and remove those e-mails.
Fingerprinting yields few false positives but its overall success
hinges on the comprehensiveness of its database and the timeliness
of the updates.
Heuristics is an increasingly common method for identifying spam.
This relies on a large number of rules applied to an e-mail's
content. Its success at blocking spam seems to come at a fairly high
price in false positives, but the sensitivity of filters can be
adjusted to find an acceptable balance.
None of these techniques alone is sufficient to shut out spam.
Corporate measures must be multi-faceted and there is also a
growing perception that technology alone is not able to solve the
problem.
ISPs such as AOL, Yahoo and Microsoft have announced a partnership
to develop guidelines for fighting spam, although nothing has been
defined at this time.
E-mail marketing groups are proposing self-regulation. The Internet
Research Technology Forum, a sister group to the Internet
Engineering Task Force, is also researching this problem, but all
of these efforts are very much in their infancy.
Most legislation takes one or more approaches to regulating spam:
prohibiting forged e-mail addresses, prohibiting misleading subject
lines, ensuring there is a way for recipients to opt out through
e-mail or a phone call, requiring labels (such as "ADV" for
"advertisement"), and establishing "do not e-mail" registries. Some
legislation is already in force in many US states and in Europe, and
more legislation is likely.
However, regardless of what anti-spam legislation is ultimately
enacted, it is unlikely to completely eliminate the problem.
First, the offenders are notoriously difficult to catch. Second,
spammers can always move operations to jurisdictions in which the
laws do not apply, and a large proportion of spam is already sent
from overseas.
Organisations need to be realistic. Spam is likely to get worse
before it gets better. Improved filters and stronger legislation
can help, but in the longer term there should be fundamental
changes in the way e-mail is sent and delivered, be they
technological or economic.
Without technological improvements to identify spammers, forged
e-mail addresses will continue and spammers will ignore
prohibitions. Without changes to the financial model for e-mail,
there will always be a monetary incentive to engage in
spamming.
Jan Sundgren is an industry analyst and Jonathan Penn is a research
director at Forrester Research.
www.forrester.com