Spam: You just can't win

For anyone even slightly optimistic about thwarting the never-ending crush of spam I have two words: don't bother.

At the Information Security Best Practices conference at Wharton School of the University of Pennsylvania, I've learned the following from the first panel.

Comcast's Gerard Lewis, senior counsel and chief privacy officer, noted that the Can-Spam act of 2003 "hasn't done anything to curb spam," but is "a well intentioned law." Indeed, almost all e-mail is classified as spam.

Lewis should know since Comcast moves millions of e-mails a day--450 million on average to be exact. Lewis walked through the evolution of spam and how defenses have moved from generic filtering to a more sophisticated model. The rub: the fancy stuff doesn't work too well either.

Lewis said that giving consumers more control and tools to prevent spam helps a bit. But plenty still fall for social engineering tricks.

What's the solution?

I haven't heard one yet. Chris Marsden, a professor at the University of Essex, said there are a bevy of regulation schemes being cooked up across the pond. But it didn't sound like there were any spam killers coming from the United Kingdom.

Marsden said ISPs will likely see more regulation, but giving consumers more tools isn't the answer per se.

"ISPs have made it clear that consumers will not implement filters," said Marsden. Australia has even sent CDs to citizens to prod them to implement filters. One outcome may be required filtering for spam and content on all PCs as a regulatory requirement.

Think of these efforts as mandatory seat belt laws for Web surfing.

This article was first published as a blog post on ZDNet.