This month government, regulators and industry met to devise a
global strategy for eradicating junk e-mail. The meeting's chairman
expects success within two years.
Governments and industry have pledged to step up the fight against
spam e-mail, following a meeting of representatives from 60
countries earlier this month.
The International Telecommunication Union, which hosted the
meeting, calculates that spam costs businesses £13.5bn a year
worldwide.
The meeting, the first of its kind, was chaired by Robert Horton,
acting chairman of the Australian Communications Authority.
Following the discussions, he claimed that spam could be eradicated
within two years by using technology and a global regulatory
infrastructure.
On 2 July, the UK, US and Australian governments signed an
agreement to fight spam together. Their enforcement authorities
will work together, train together, and forge international
solutions to trace and convict spammers, said UK communications
minister Stephen Timms.
"It is not going to solve spam overnight but it is going to help,"
said Timms. "It reinforces our determination to tackle spam with a
combination of government and industry initiatives, technical
solutions and user awareness."
The UK's anti-spam regulations came into force on 11 December 2003.
Other governments have their own laws, but this agreement marks the
first attempt at harmonisation.
On 11 October, the Office of Fair Trading will host a summit for
consumer protection regulators from 30 countries. The meeting in
London will focus on spam enforcement issues.
Some analysts were sceptical about claims that the end of spam is
in sight. Matt Cain, senior vice-president at analyst firm Meta
Group, said, "The spam blight continues unabated, and we do not
expect legislation or well-publicised litigation against spammers
to have much impact on volume through 2005/2006."
Andy Kellett, senior research analyst at Butler Group, said spam
accounts for more than 60% of all e-mail traffic, with almost 15
billion spam e-mails sent each day. Three years ago, the volume of
e-mail traffic containing spam was less than 10%.
The daily experience of companies bears testimony to the size of
the problem. Ben Booth, group IT director at market research firm
Mori, said, "About 70% of our incoming e-mails are spam. I believe
the economic cost of spam must run into billions."
Booth was sceptical about the government's ability to turn the
tide. "Governments do not understand either the importance of this
problem or how to stop it," he said.
MessageLabs' e-mail filtering service users include the government,
Orange, EMI, Capita and Lloyds TSB. Its senior anti-spam
technologist Andrew Oakley said spam attacks can leave companies
reeling if they are not prepared.
"Between 50% and 70% of all e-mails are spam, wasting time and
resources. There are some serious implications, particularly with
the convergence of spam and viruses. It can harm a company's
reputation if their servers are sending this stuff out," he
said.
"The massive growth in dictionary attacks had us worried for a
while until we developed tools to combat it," said Oakley.
Dictionary attacks are where spammers use zombie PCs (PCs that host
spamming programs without the knowledge of their owners) to spam
systematically through a list of generated, but plausible, e-mail
addresses, in an attempt to hit legitimate users. "Spam-viruses and
dictionary attacks went from hardly any in the past six months to
being just huge," said Kellett.
How to combat spam
Analysts believe a combination of best practice and technology can
go a long way towards eradicating spam.
Cain said, "Enterprises must use all means available to help users
stem the flow of spam. They must warn users of its implicit
hazards, such as fraudulent messages seeking personal information
and messages that contain viruses that can cause users' PCs to send
out spam.
"At a high level within IT organisations, enterprises must make
basic decisions about which features to expose to users from the
core spam-blocking engine, such as end-user-controlled
trusted-sender lists and quarantines. Organisations must determine
if users should be instructed on how to apply additional
spam-blocking features in the e-mail client, as well as the use of
alternative mail systems."
Oakley said users could lower their chances of getting hit by
spammers by using an e-mail address that does not have a real name
in it, because this is harder for a dictionary attack to guess.
Users could also select an e-mail address that is different from
their web domain name, or choose a web account with a provider
other than the large suppliers, which get hit more often.
As well as best practice, companies can use technology to beat
spam. Microsoft offers free anti-spam software for Exchange Server
2003. Smartscreen has been used by the Hotmail e-mail Web service
for the past six months. Using such filters, Microsoft blocked 2.4
billion spam messages a day last year, and three billion a day in
2004, according to Microsoft chairman Bill Gates.
MessageLabs provides anti-virus, anti-spam and anti-porn services
to many large organisations, priced at about £1.85 per user per
month for the three services; or 30p a user per month for just spam
filtering.
Mori is a MessageLabs customer, paying £12,000 a year for its
services. Booth said, "I have not calculated the cost of spam to
us, but we feel £12,000 to stop it is good value, and very
effective: only a small percentage gets through now, and if we
tightened up any more we would start to lose business
correspondence."
Neither legislation nor technology can work in isolation. End-users also
have a role to play. Spam clogs up networks and poses a security
risk to gullible users. Horton's plans may be ambitious, but
something needs to be done before the internet becomes
unusable.
Outwitting the spammers
Anti-spam measures often involve compiling a blacklist of IP
addresses of known spammers and a whitelist of spam-free domains.
Basic spam blocking also uses signatures - a similar principle to
anti-virus signatures - where the filter matches incoming spam to
lists of known spam footprints. False positives are the collateral
damage of the e-mail world - where the filter blocks legitimate
business e-mails. Directory harvest attacks are also a problem,
and they are on the increase. This is where hackers collect huge
lists of legitimate e-mail addresses by bombarding servers with mails to
made-up e-mail addresses. This will often cause Exchange and
Domino servers to create thousands of non-delivery reports, as many
of the names do not exist, telling harvesters what they need to
know and draining server resources.
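
The directory harvest pattern described above shows up in mail server logs as one client probing many non-existent recipients in a short time. The following Python is an added example, not part of the original article: the log format, the sample lines and the thresholds are all constructed assumptions, and it presumes the server records a per-recipient result code (550 for an unknown recipient).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "<time> <client IP> <recipient> <SMTP code>"
# 250 = recipient accepted, 550 = recipient unknown. IPs are documentation ranges.
SAMPLE_LOG = """\
2004-07-19T09:00:01 192.0.2.10 alice@example.com 250
2004-07-19T09:00:02 203.0.113.5 aaron@example.com 550
2004-07-19T09:00:03 203.0.113.5 adam@example.com 550
2004-07-19T09:00:04 203.0.113.5 alan@example.com 550
2004-07-19T09:00:05 203.0.113.5 albert@example.com 550
2004-07-19T09:00:07 203.0.113.5 alice@example.com 250
2004-07-19T09:00:08 203.0.113.5 alfred@example.com 550
2004-07-19T09:02:00 192.0.2.10 bbo@example.com 550
2004-07-19T10:00:00 198.51.100.7 c1@example.com 550
2004-07-19T11:00:00 198.51.100.7 c2@example.com 550
2004-07-19T12:00:00 198.51.100.7 c3@example.com 550
2004-07-19T13:00:00 198.51.100.7 c4@example.com 550
2004-07-19T14:00:00 198.51.100.7 c5@example.com 550
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window per client
MIN_UNKNOWN = 5                # assumed: distinct unknown recipients needed to flag
MIN_REJECT_RATIO = 0.8         # assumed: share of the client's RCPTs that failed

def parse(log):
    for line in log.splitlines():
        p = line.split()
        if len(p) == 4 and p[3].isdigit():  # skip malformed lines
            yield datetime.fromisoformat(p[0]), p[1], p[2].lower(), int(p[3])

def find_harvesters(log):
    """Return {client IP: most distinct unknown recipients seen in one window}."""
    events = defaultdict(list)
    for ts, ip, rcpt, code in parse(log):
        events[ip].append((ts, rcpt, code))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1  # slide the window forward
            window = evs[start:end + 1]
            unknown = {r for _, r, c in window if c == 550}
            ratio = sum(c == 550 for _, _, c in window) / len(window)
            if len(unknown) >= MIN_UNKNOWN and ratio >= MIN_REJECT_RATIO:
                flagged[ip] = max(flagged.get(ip, 0), len(unknown))
    return flagged
```

On the sample, only the client that guesses many names within seconds is flagged; the legitimate sender with one mistyped address and the client whose failures are hours apart are not.
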
Suppliers join forces to stem the flow of junk e-mail
Microsoft is working with supplier group the Anti-Spam Technical
Alliance (Asta), whose members include Yahoo, EarthLink and AOL, to
produce technology and policies to combat spam. Through Asta,
Microsoft is promoting its Sender ID system to authenticate the
e-mail sender, and thus reduce spam. Asta was formed in April 2003
to recommend actions and policies for ISPs and e-mail service
providers, governments, private corporations and online marketing
organisations. Andy Kellett, senior research analyst at Butler
Group, explained, "Multiple e-mails are simply sent out, and one
does not have to prove that the intention is good - ie,
permission-based marketing. If Asta has its way, the emphasis on
proof will be with the originator to confirm that it is not a
spammer, and that it is licensed via a creditable authority to send
the mail." But Kellett added that spammers were not likely to
follow Asta's rules. "As spam legislation rules are tightened
across the US and Europe, the spammers simply move on to the next
area of physical and technical opportunity," he said. "Action must
be driven by experts with a vested interest in providing a clean
internet, such as Asta. But the resourcefulness of the opposition
must not be underestimated, and any major reduction of the problem
would be a miracle."