The evil that lurks in e-mail

Since ISPs and the government are nearly powerless to stop spam, Larry Seltzer thinks corporations should take matters into their own hands.

E-mail is a wonderful thing, but there's plenty wrong with it.

The worst thing about the e-mail infrastructure on the Internet is that its design allows abusive, unsolicited bulk mail, often with counterfeit addressing, also known as spam.

The response to spam from the software industry, ISPs and the government gets a solid F in my grade book. Spam runs as rampant as fleas through a barnyard. Nakedly fraudulent techniques, like faking the data in mail headers to prevent tracing, are not only widespread but legal. Given how stupid and offensive almost all spam is, you might wonder why it makes sense for spammers to send it. The answer is that the costs of sending it are negligible, and one sucker who responds probably covers the costs of thousands, perhaps tens of thousands, of solicitations.

A few months ago I read a proposal to tax sent e-mails as a way of addressing this problem. It would be tough to do, considering the international nature of the Internet, but I'm almost at the point of supporting it.

But in the meantime, ISPs and the government have let you down, so it's up to you to defend yourself against spam. As with so much else in the Internet software business, there are several ways to go about it. There are a few products that focus on filtering individual e-mail accounts at the client system. What's most interesting about these is how primitive and rare they are, given how widespread the spam problem is. But in any event, as with antivirus software, client-based solutions are inadequate in corporations because they require administration and updates on every client system, and they don't address the traffic that spam consumes on the network.

For many years there have also been blacklisting organizations, most famously MAPS, that attempt to identify services and specific servers that facilitate spam. But while the MAPS methodology is appealing as a macro approach to fighting spam, it ends up blocking legitimate mail because it tars all mail coming from the suspect source. There are also "whitelist" attempts (such as this one: http://impressive.net/people/gerald/2000/12/spam-filtering.html), but this seems impractical to me. First, a whitelist necessarily means you may block legitimate mail from unknown sources, and it's unlikely that you will find this acceptable. But the real problem is that whitelisting is difficult since spammers can forge mail headers.

The right way for corporations to deal with spam is at the mail server/gateway level. There are a few companies in this business, some with a fair amount of experience. The best known is BrightMail. Their anti-spam product seems more targeted at ISPs and similar companies, but it also should work for enterprises.

ActiveState is best known as the author of some excellent language products for Windows, but they also have an anti-spam gateway product called PerlMX. The new PerlMX 2.0 specifically works as an add-on to the popular Sendmail product through its Milter interface, which means it's not available on Windows mail servers. Version 2.1 of PerlMX will support a standalone mail transfer agent (MTA) mode that will allow it to work with any mail server, including Exchange.

Blocking spam at the server blocks it for all your users and means there is only one point that needs to be updated for changes in spam filtering technique. There are a variety of techniques that can be used, such as looking for the obvious obscene phrases and also for a variety of mail header characteristics that spamming software tends to introduce. And users can view the messages sent to them that have been blocked to make sure that there were no false positives.
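A sketch of the gateway-level approach described above, added here as an illustration and not taken from PerlMX, BrightMail or any other product: it scores each message on header characteristics and phrases, and quarantines rather than deletes so that false positives can be reviewed. The phrase list, weights, threshold and sample messages are all constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed phrase list, weights and threshold: assumptions, not a real product's rules.
PHRASES = ("make money fast", "act now", "100% free")
THRESHOLD = 3

def score_message(raw):
    """Score one raw message; return (score, list of reasons)."""
    msg = email.message_from_string(raw)
    hits = []
    # Header characteristics that bulk-mailing software tends to leave behind.
    if not msg.get("Message-ID"):
        hits.append(("missing Message-ID", 2))
    if not msg.get("Date"):
        hits.append(("missing Date", 1))
    if "@" not in parseaddr(msg.get("From", ""))[1]:
        hits.append(("unparseable From address", 2))
    to_hdr = msg.get("To", "")
    if not to_hdr or "undisclosed" in to_hdr.lower():
        hits.append(("no visible recipient", 1))
    subject = msg.get("Subject", "")
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 8 and sum(c.isupper() for c in letters) > 0.8 * len(letters):
        hits.append(("subject mostly upper case", 1))
    # Phrase matching over the subject and the (single-part) body.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (subject + "\n" + body).lower()
    hits += [("phrase: " + p, 2) for p in PHRASES if p in text]
    return sum(w for _, w in hits), [r for r, _ in hits]

def gateway_filter(messages):
    """Deliver or quarantine; quarantined mail keeps its reasons for user review."""
    delivered, quarantined = [], []
    for raw in messages:
        score, reasons = score_message(raw)
        if score >= THRESHOLD:
            quarantined.append((raw, score, reasons))
        else:
            delivered.append(raw)
    return delivered, quarantined

# Constructed sample messages.
SPAM = "From: winner\nTo: undisclosed-recipients:;\nSubject: MAKE MONEY FAST\n\nAct now, this offer is 100% free!\n"
HAM = ("From: Alice <alice@example.com>\nTo: bob@example.org\n"
       "Date: Mon, 01 Apr 2002 09:00:00 -0500\nMessage-ID: <1@example.com>\n"
       "Subject: Quarterly report draft\n\nBob, the draft is attached.\n")
# Legitimate headers, but the wording trips two phrase rules: a false positive.
PROMO = HAM.replace("Bob, the draft is attached.", "Act now: the upgrade is 100% free.")

if __name__ == "__main__":
    for raw, score, reasons in gateway_filter([SPAM, HAM, PROMO])[1]:
        print(score, reasons)
```

The PROMO message has clean headers yet is quarantined on phrases alone, which is why the quarantine keeps the matched reasons for the recipient to check.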

Both ActiveState and BrightMail offer antivirus protection, which makes sense assuming it's going to scan all your mail anyway. Unfortunately, you'll still need other antivirus software to check non-mail protocols, so it's not clear that there's any real advantage to using these products for that purpose. ActiveState does have some other interesting options, like policy compliance scanning to ensure that e-mail conforms to specific standards for format and certain content rules.

If there were any justice in the world, software and the law would have an effective way to deal with spam, but it's obvious that we're all on our own for this one. If we really want to put a stop to spam, we're going to have to find better technology to block it.
