Finding a way to fry spam

If John Levine were a superhero, his nemesis would be a group of evil-doing spammers around the globe.

For most of his 25-year career, Levine has worked to protect the rights of people on the Internet. Since 2003, he's been co-chair of the Internet Research Task Force's Anti-Spam Research Group. The grandly named organization, which consists of volunteers, conducts informal antispam research.

The group has recently paid particular attention to Simple Mail Transfer Protocol, or SMTP, which is a commonly used protocol to send e-mail. At issue is the protocol's lack of a comprehensive way of verifying an e-mail sender's identity. This makes it easy for people to mask their identities by forging return addresses and taking over victim machines to conduct their activities. Levine's group is looking at ways to better identify the origin of e-mail and to develop abuse reports in a consistent format.

Levine has also been a member of the user advocacy group called the Coalition Against Unsolicited Commercial E-mail, since 1997. And he runs the Network Abuse Clearinghouse, a free service that helps Internet users report and deal with abusive behavior online.

He has written or co-authored many books, including the best-selling "The Internet for Dummies," with more than 5 million copies and derivative titles in print.

As an independent Internet and e-mail consultant, he speaks to many trade and policy groups, such as the Federal Trade Commission's Spam Forum and the Internet Law & Policy Forum.

CNET News.com recently spoke to Levine from his home office in rural New York about the cost of spam, spam-related security issues and how to control the spammers among us.

Q: Spam is definitely an annoyance, but is it a real problem, and does it harm anybody?
A: Wow! How many hours have you got? There are two answers to why spam is a problem. The technical answer is that because of the way Internet and e-mail work, most of the cost of processing an e-mail message is borne by the recipient rather than by the sender. Anyone can get a cheap consumer DSL connection and send a million messages a day without trying very hard, but to receive a million messages a day requires an expensive multiserver mail setup like a large Internet service provider would have.

Purely from a cost perspective, the spammers are foisting all their advertising costs on unwilling recipients, but what is more important is the human cost. As people get more and more spam, two bad things happen. One is that they put more and more intrusive spam filters on so that they are more likely to lose mail they want. Some people who are less technical might just say, "The heck with it" and get rid of their e-mail altogether. All those disgusting subject headings about body parts and pornography and noted scam crooks in Nigeria--who needs that? That is a tragedy, because e-mail is a wonderful technology.

Do you think that spam is a security problem?
Well, spam, per se, is not a security problem. The security problem is the related issue called phishing. Phishing is simply somebody purporting to be an organization that you have a relationship with, and they use this false relationship to steal information from you.

A lot of people have been getting spam that purports to be from PayPal. These e-mails ask you to verify your accounts by sending in your name, address, credit card numbers, social security number, mother's maiden name--even your dog's name. Vast amounts of personal information are stolen this way. Bad guys use it for everything from racking up credit card charges to getting mortgages in persons' names and stealing hundreds of thousands of dollars from them. That isn't specifically spam, but it is facilitated by spam, because the phishing is done by sending spam to lots of victims.

What about worms that are disguised as spam?
Enterprise security

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Actually, it's the other way around; there is a lot of spam disguised as worms. Until last year, spam was all sent out by spammers using spamware running on their own computers, and sometimes, they would relay it through third-party computers that were poorly configured. But starting in mid-2003, spammers started writing programs like MyDoom. These viruses are specifically written to turn unsuspecting users' computers into spam cannons.

Once one of these viruses or worms is installed on a computer, it sends something back to the person who wrote the virus, who can then basically turn on a mail-sending program that has been installed on the computer. We now see that the majority of spam is sent by these worms and viruses, which makes it much harder to track down the bad guys, since the computer sending the spam is not the spammer; it's some innocent person on some DSL connection.

So, if people don't have control over machines that are sending spam, because they're infected with worms, how do you propose stopping the spam attacks?
It's an administrative issue. It's technically possible for ISPs to watch the amount of mail their users are sending and just count it. If a typical residential mail user on average only sends 10 or 15 messages a day, and one day she starts sending 400,000 messages, the chances of her suddenly having made a whole lot of new friends are low.

So, what ISPs need to do is quarantine that particular computer so that the next time she tries to connect, all she can get to is a Web page that says she has a worm. And it could give her some disinfection advice. There are a few ISPs that do that, but at this point, there are still too many ISPs who say, "Well, let's forget it. We will just beef up our outgoing mail servers and let other people worry about blocking it. That is just not responsible.

Would spam filters or antispam products help eliminate this problem?
It's much easier to filter spam that comes from a distinctive location. For example, I get vast amounts of spam from Korea and practically no real mail.

I tell people that dealing with spam is like curing cancer.

So it is very easy for me to set up my spam filters to say, "Don't accept mail from Korea, unless it is one of the two people I know there." If the spam is coming from Comcast or Verizon or RoadRunner or any of the other large ISPs in the United States, it is much more difficult. I can't just say, "Throw away all the mail from Comcast," because I have hundreds of friends who use Comcast. So in that sense, it does make it much harder to filter.

What are some of the weaknesses and some of the strengths of current antispam techniques?
I tell people that dealing with spam is like curing cancer. For example, cancer isn't one disease; it's 100 diseases, and you will need to come up with a 100 cures for it. Another way spam is like cancer is that when you try to cure cancer, you need to come up with something that will kill the cancer without killing the patient. If you kill the patient, it is easy to get rid of the cancer.

The same is true with spam. If you want to lose all your real mail, it is easy to stop all the spam. The problem is that there are a lot of spam filters that are so intrusive that they block lots of real mail. I think people simply aren't aware of how overreaching their spam filters can be.

Promotional e-mail that they have signed up for is the most likely to be misfiltered. For example, I live in a rural part of upstate New York. I am on the weekly special list of every airline. I have made sure to carefully tune my spam filters, even though those ads have many of the same characteristics as spam.

People who aren't so technically sophisticated might say, "Jeez, Delta Air Lines stopped sending me their newsletter. I wonder why," and the answer is that Delta is still sending it, but their spam filter isn't accepting it. I am also seeing spam filters that are rejecting mail from perfectly legitimate individuals, just because somebody decided, "Well, we don't know who this person is, so we are not going to take their mail." Again, it's wrecking the utility of e-mail, which is a wonderful technology and that isn't really bad.

Some e-mail services are offering disposable e-mail addresses. What do you think of these types of techniques?
They are good, and they are bad. I use something like disposable e-mail addresses. I basically run my own little network with lots of individual domains. So, whenever I sign up for something on a Web site--no matter if it's clothing or a newspaper subscription--I give each one a separate e-mail address. This is useful; when I get e-mails from them, I know who they are. And if I get e-mail from somebody I shouldn't get mail from, I know who leaked my address.

The problem is that when people start handing out addresses at random, and then they start throwing them away at random, it means that your address goes bad in someone else's address book. If you are not careful, you don't know how much mail from your friends you are also turning off.

What do you think the biggest problem facing spam fighters is today?
Honestly, the biggest hurdle is not technical. The biggest hurdle is the lack of effective laws. The biggest reason we still have a spam problem in the United States is that spam is 100 percent legal, with some very minor exceptions. If you send spam with forged headers, that's illegal, but forgery has been illegal all along.

But if your headers aren't forged, and your message starts by saying, "This is spam," and two-thirds of the way through the message it tells you that you can go to a Web site and push buttons to get off the spammer's list--that's legal. ISPs can say, "Well, our customer is complying with the federal law, and the fact that he sent you 14,000 messages you don't want isn't our problem."

The biggest reason we still have a spam problem in the United States is that spam is 100 percent legal, with some very minor exceptions.

If we had effective spam laws, we would be able to get the spam situation under control. It's just like the fax situation. In the 1990s, persons' faxes were full of advertisements. Congress passed a very simple law stating that you cannot advertise by fax to people who haven't asked for it. This hasn't completely gotten rid of junk fax, but it has kept our fax machines usable. Until we have a legal environment like that, we are just going to have this continuing cat-and-mouse game with spammers.

There are a lot of laws on the books, but many aren't enforced. Do you really think that simply enacting legislation is going to do the trick?
The reason that the junk fax legislation was effective is that it's really simple. Basically, if someone hasn't affirmatively said they want you to send them your ad, you can't do it. The equally important part of the law is that the recipient can directly sue, or a state attorney general can sue on behalf of people in the state who have gotten junk faxes.

The Federal Communications Commission can also sue on behalf of people all over the United States, depending on the scale of the offense. The fact that there are numerous methods for enforcement has been really effective. The FCC actually does go after an enormous amount of junk faxes. Fed-up individuals also go after these junk faxers. With a law like that, we can make some progress against spam.

The existing Can-Spam Act states that only state attorneys general can sue, if the FCC says they can. The FCC can sue, too, but we are not going to give them any money to do it. That's not an effective law, so it's not surprising that it hasn't made any difference.

What do you think of Bill Gates' assertion that he will rid the world of spam by 2006?
I believe him, just like I believed him when he said Windows would be the most secure operating system in the world. He is talking about hash cash, which is the idea of forcing unknown mailers to do some sort of slow calculation on the computer to prove who they are before sending e-mail. This is supposed to slow them down. I have followed the progress of hash cash, which was invented in the early 1990s by a woman I know pretty well. She was a friend of mine in high school, and she is really smart. It's a really clever idea, but there are practical reasons why I don't think it is going to scale up to the size of the Internet.

There are lots of fabulous theoretical ideas, but unless you have a reasonable way that you can roll it out to millions of servers and billions of messages a day, it ain't going to work. I think Bill is very optimistic, but I am not sure that he has really considered the issue of dealing with all the mail systems, even the ones that don't run Microsoft software.

In summary, I guess you would say that you think legislation, rather than technology, is going to be the answer to this problem. Right?
You need both. You need technology to corral the spam. If we had better identification, it would be much easier to say, "This message is definitely spam" from someone we know is a bad guy, or "This message is definitely real mail" from someone we know and like.

Once you've done that, attempting to block all the bad mail is really difficult and expensive. Yahoo, Hotmail and America Online say they are each blocking upwards of a billion messages per day. Most of the cost in fighting spam is in looking at a message and rejecting it. It is not fair to all the users of legitimate e-mail to bear those kinds of costs.

Who should be responsible for stopping spam? Should it be end users or service providers?
It has to be everybody. The analogy goes back to junk faxes. Who was responsible for stopping junk faxes? Mostly, it was motivated individual recipients. With the spam problem, I think we are going to need ISPs to be more proactive, too. For example, when they discover that one of their users has an infected computer sending out large amounts of spam, they need to shut them off right away.

Now, many of them write the spammer a letter, but they let them keep doing it. Beyond that, we also need a legal environment, where, if we have persistent spammers, we can actually take legal action against them. The reason people don't send so many junk faxes is because they don't want to be slapped with lots of $500 lawsuits.