This month government, regulators and industry met to devise a global strategy for eradicating junk e-mail. The meeting's chairman expects success within two years.
Governments and industry have pledged to step up the fight against spam e-mail, following a meeting of representatives from 60 countries earlier this month.
The International Telecommunication Union, which hosted the meeting, calculates that spam costs businesses £13.5bn a year worldwide.
The meeting, the first of its kind, was chaired by Robert Horton, acting chairman of the Australian Communications Authority. Following the discussions, he claimed that spam could be eradicated within two years by using technology and a global regulatory infrastructure.
On 2 July, the UK, US and Australian governments signed an agreement to fight spam together. Their enforcement authorities will work together, train together, and forge international solutions to trace and convict spammers, said UK communications minister Stephen Timms.
"It is not going to solve spam overnight but it is going to help," said Timms. "It reinforces our determination to tackle spam with a combination of government and industry initiatives, technical solutions and user awareness."
The UK's anti-spam regulations came into force on 11 December 2003. Other governments have their own laws, but this agreement marks the first attempt at harmonisation.
On 11 October, the Office of Fair Trading will host a summit for consumer protection regulators from 30 countries. The meeting in London will focus on spam enforcement issues.
Some analysts were sceptical about claims that the end of spam is in sight. Matt Cain, senior vice-president at analyst firm Meta Group, said, "The spam blight continues unabated, and we do not expect legislation or well-publicised litigation against spammers to have much impact on volume through 2005/2006."
Andy Kellett, senior research analyst at Butler Group, said spam accounts for more than 60% of all e-mail traffic, with almost 15 billion spam e-mails sent each day. Three years ago, the volume of e-mail traffic containing spam was less than 10%.
The daily experience of companies bears testimony to the size of the problem. Ben Booth, group IT director at market research firm Mori, said, "About 70% of our incoming e-mails are spam. I believe the economic cost of spam must run into billions."
Booth was sceptical about the government's ability to turn the tide. "Governments do not understand either the importance of this problem or how to stop it," he said.
MessageLabs' e-mail filtering service users include the government, Orange, EMI, Capita and Lloyds TSB. Its senior anti-spam technologist Andrew Oakley said spam attacks can leave companies reeling if they are not prepared.
"Between 50% and 70% of all e-mails are spam, wasting time and resources. There are some serious implications, particularly with the convergence of spam and viruses. It can harm a company's reputation if their servers are sending this stuff out," he said.
"The massive growth in dictionary attacks had us worried for a while until we developed tools to combat it," said Oakley.
Dictionary attacks are where spammers use zombie PCs (PCs that host spamming programs without the knowledge of their owners) to spam systematically through a list of generated, but plausible, e-mail addresses, in an attempt to hit legitimate users. "Spam-viruses and dictionary attacks went from hardly any in the past six months to being just huge," said Kellett.
How to combat spam
Analysts believe a combination of best practice and technology can go a long way towards eradicating spam.
Cain said, "Enterprises must use all means available to help users stem the flow of spam. They must warn users of its implicit hazards, such as fraudulent messages seeking personal information and messages that contain viruses that can cause users' PCs to send out spam.
"At a high level within IT organisations, enterprises must make basic decisions about which features to expose to users from the core spam-blocking engine, such as end-user-controlled trusted-sender lists and quarantines. Organisations must determine if users should be instructed on how to apply additional spam-blocking features in the e-mail client, as well as the use of alternative mail systems."
Oakley said users could lower their chances of getting hit by spammers by using an e-mail address that does not have a real name in it, because this is harder for a dictionary attack to guess. Users could also select an e-mail address that is different from their web domain name, or choose a web account with a provider other than the large suppliers, which get hit more often.
As well as best practice, companies can use technology to beat spam. Microsoft offers free anti-spam software for Exchange Server 2003. Smartscreen has been used by the Hotmail e-mail Web service for the past six months. Using such filters, Microsoft blocked 2.4 billion spam messages a day last year, and three billion a day in 2004, according to Microsoft chairman Bill Gates.
MessageLabs provides anti-virus, anti-spam and anti-porn services to many large organisations, priced at about £1.85 per user per month for the three services; or 30p a user per month for just spam filtering.
Mori is a MessageLabs customer, paying £12,000 a year for its services. Booth said, "I have not calculated the cost of spam to us, but we feel £12,000 to stop it is good value, and very effective: only a small percentage gets through now, and if we tightened up any more we would start to lose business correspondence."
Neither legislation nor technology can work in isolation. End-users also have a role to play. Spam clogs up networks and poses a security risk to gullible users. Horton's plans may be ambitious, but something needs to be done before the internet becomes unusable.
Outwitting the spammers
Anti-spam measures often involve compiling a blacklist of IP addresses of known spammers and a whitelist of spam-free domains. Basic spam blocking also uses signatures - a similar principle to anti-virus signatures - where the filter matches incoming spam to lists of known spam footprints. False positives, where the filter blocks legitimate business e-mails, are the collateral damage of the e-mail world. Directory harvest attacks are also a problem, and they are on the increase. This is where hackers collect huge lists of legitimate e-mail addresses by bombarding servers with messages to made-up e-mail addresses. This will often cause Exchange and Domino servers to create thousands of non-delivery reports, as many of the names do not exist, telling harvesters what they need to know and draining server resources.
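
A directory harvest attack as described above shows up in mail server logs as one source sending to many distinct recipients that do not exist within a short time. The following is an added example, not part of the original article: it flags such sources from recipient rejections, and the log format, field names, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not Exchange's or Domino's own):
# timestamp, connecting IP, envelope recipient, SMTP reply code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})")

def find_harvesters(lines, window=timedelta(minutes=5),
                    min_unknown=5, min_reject_ratio=0.8):
    """Map source IP -> distinct rejected recipients, for sources whose
    traffic inside any one window looks like address guessing."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # assumption: 550 means the recipient mailbox does not exist
            events[m["src"]].append((datetime.fromisoformat(m["ts"]),
                                     m["rcpt"].lower(), m["code"] == "550"))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            unknown = {rcpt for _, rcpt, rejected in span if rejected}
            ratio = sum(rejected for _, _, rejected in span) / len(span)
            if len(unknown) >= min_unknown and ratio >= min_reject_ratio:
                flagged[src] = max(flagged.get(src, 0), len(unknown))
    return flagged

# Constructed sample: 203.0.113.7 walks a name list (one guess exists);
# 198.51.100.20 is an ordinary sender with a single mistyped recipient.
GUESSES = ["aaron", "abby", "adam", "alan", "alice", "amy", "andy"]
SAMPLE_LOG = [
    f"2004-07-12T09:00:{i:02d} src=203.0.113.7 rcpt=<{name}@example.com> "
    f"status={'250' if name == 'alice' else '550'}"
    for i, name in enumerate(GUESSES)
] + [
    "2004-07-12T09:01:00 src=198.51.100.20 rcpt=<alice@example.com> status=250",
    "2004-07-12T09:02:00 src=198.51.100.20 rcpt=<alcie@example.com> status=550",
    "2004-07-12T09:03:00 src=198.51.100.20 rcpt=<sales@example.com> status=250",
]

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG))
```

Requiring both a count of distinct rejected recipients and a high rejection ratio keeps a legitimate sender with one mistyped address from being flagged, which is the false-positive concern raised above.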
Suppliers join forces to stem the flow of junk e-mail
Microsoft is working with supplier group the Anti-Spam Technical Alliance (Asta), whose members include Yahoo, EarthLink and AOL, to produce technology and policies to combat spam. Through Asta, Microsoft is promoting its Sender ID system to authenticate the e-mail sender, and thus reduce spam. Asta was formed in April 2003 to recommend actions and policies for ISPs and e-mail service providers, governments, private corporations and online marketing organisations. Andy Kellett, senior research analyst at Butler Group, explained, "Multiple e-mails are simply sent out, and one does not have to prove that the intention is good - ie, permission-based marketing. If Asta has its way, the emphasis on proof will be with the originator to confirm that it is not a spammer, and that it is licensed via a creditable authority to send the mail." But Kellett added that spammers were not likely to follow Asta's rules. "As spam legislation rules are tightened across the US and Europe, the spammers simply move on to the next area of physical and technical opportunity," he said. "Action must be driven by experts with a vested interest in providing a clean internet, such as Asta. But the resourcefulness of the opposition must not be underestimated, and any major reduction of the problem would be a miracle."
This was first published in July 2004