Why spam could destroy the Internet

Spam has spawned blacklists, and blacklists, in turn, are preventing thousands, perhaps millions of legitimate e-mails from arriving at their destinations. At this rate, most every message you and I send will soon wind up in the dead-letter bin.
Written by David Berlind

Imagine an Internet with no e-mail. As ludicrous as it sounds, it could happen. And it won't take some new virus or worm to render the Internet useless. All it will take is unsolicited commercial e-mail, otherwise known as spam.

You think I'm kidding? Consider this: Spam begets blacklists, and ISPs use blacklists to isolate sources of spam. Already, these blacklists are preventing thousands, perhaps millions of innocent e-mails from arriving at their destinations. At the rate we're going, it won't be long before all e-mail --- spam or not --- ends up in the dead-letter bin.

As I described in my previous column, a lot of legitimate e-mail is being blocked from getting to its destination because the system from which the e-mail originates has the same unique Internet Protocol (IP) address as a positively identified source of spam. In other words, if the service provider that hosts your e-mail is using the same physical system to host the e-mail of another customer, and that customer turns out to be a spammer who is discovered by the organizations that run the blacklists, then that system's IP address, along with all of the outbound e-mail (including yours) that comes from it, gets blacklisted.

But this guilt-by-association problem gets far worse. Service providers that don't play an active role in solving the spam issue may actually get labeled as part of the problem. If, for example, spam is emanating from an e-mail provider's system (discovered through services like SpamCop), then that e-mail provider is labeled as an entity that doesn't adequately clamp down on its customers who spam.

In some cases, the actual source of that spam may not even be a customer of that e-mail provider. Spammers like to cover their tracks through the unauthorized use of mail relays that e-mail system administrators --- even regular corporate ones --- have mistakenly left open for anonymous use. This is one reason that it's impossible to reply to some spam.

When used for legitimate reasons, relays route e-mail through an SMTP server from a system that's not on that SMTP server's host network to e-mail addresses that are usually foreign to the SMTP server's host network. But spammers have discovered the advantages of that anonymity. To figure out whose e-mail systems they can take advantage of, spammers use publicly available tools to scan domains for relays that are open for anonymous use. Unfortunately, the blacklisters use these same tools to find organizations that haven't, in the blacklisters' minds, taken all appropriate measures to stop spam. Even if a relay hasn't been used by a spammer, the host of that relay, which could be any business, is considered part of the problem by the blacklisters.

As a result, if any organization suspected of supporting spammers (through direct support, or through lackadaisical administration) has been assigned more than one IP address, the blacklisters will hunt down the provider's other IP addresses and list those as well. This invariably sweeps up even more innocent victims in the faulty dragnet.

But the blacklisters don't stop there. If a suspect organization and the ISP that allocates the IP addresses to that organization are not one and the same, the blacklisters will add the suspect organization's ISP to their lists as well. The thinking is that if an ISP isn't part of the solution, then it must be part of the problem. The blacklisters' hope is that other ISPs will not only set their routers to block SMTP traffic from all of the suspect organizations' IP addresses, but also from the entire upstream ISP. The result, as many honest e-mail users have discovered, is that large blocks of IP addresses are sometimes isolated. As one blacklister's list makes clear, blacklisted ISPs include some very prestigious organizations like Level 3, AT&T, Sprint, Yahoo, UUNET, Exodus, and Qwest.

What would happen if all SMTP traffic going in and out of these and other large service providers were blocked? A majority of the Internet's e-mail, including yours, would never reach its destination. You might never even know your e-mail wasn't getting out, because some e-mail servers aren't set to forward a rejected-delivery notice to your inbox.

If you think that large prestigious ISPs are impervious to the leverage of the blacklisters, consider a recently issued apology from Earthlink to people who tried to reach its customers.

"During the [period of Oct 21-Oct 25], the Earthlink mail servers erroneously refused mail connections from many hosts across the Internet. This problem happened due to a bug in the way our mail server software loads configuration data used to block spam destined to our members. The error message you received: '550 Dialups/open relays blocked. Contact openrelay@abuse.earthlink.net' is normally intended for mail hosts that Earthlink has blocked in order to protect our subscribers from unwanted commercial e-mail. However during this week, the error was passed to many mail servers which were not intentionally blocked by Earthlink. If you received this error during this time frame, it's likely that you or your e-mail provider are not being blocked, and have been able to successfully route mail to the Earthlink network as of the evening hours of 10/25. If you find yourself still running into this error at the time you receive this message, then your host has been blocked and you are asked to please reply to this mail or contact openrelay@abuse.earthlink.net for assistance in being unblocked. We sincerely apologize for the inconvenience this problem created. We strive for uninterrupted service for all of our customers (and those trying to communicate with them), and we realize the disturbance that such an outage creates impacts people in important ways."

Earthlink isn't the only ISP whose customers (and customers' constituents) are being affected. A message on broadband provider Road Runner's site makes it clear that the unfortunate problem of innocent mails getting blocked is the user's problem to resolve. Not Road Runner's.

Says the message, "Road Runner utilizes local blocks in addition to the MAPS (that's the reverse of S-P-A-M for Mail Abuse Prevention System) databases. These blocks are often temporary, and placed up as a defensive measure against active SMTP Denial of Service attacks, or to prevent active, large scale spam in progress attacks. A short note to our subscribers: If and when e-mail blocks are implemented, if someone sends an e-mail message and the sender's IP address or SMTP (outgoing mail) server is on one of these block lists, then the incoming e-mail is blocked (either permanently or temporarily). This solution may result in the inadvertent blocking of some e-mail that is not traditional spam. This is an unfortunate, but necessary action that must be taken to protect the majority of our subscribers from this security issue. Only upon working with the affected ISP will this issue be resolved. We would therefore like to stress that you should contact the affected ISP for assistance in resolving the situation."

Who, besides the spammers, is at fault for this downward spiral of the Internet's utility?

Some blame the blacklisting ecosystem, which includes organizations like the Open Relay Database, the Relay Stop List, the Distributed Server Boycott List, Wirehub, Spamhaus, Spamsites.org, Monkeys.com, Blitzed.org, SPEWS and Osirusoft. It's the overly aggressive nature of the blacklists, the arrogance of the people that run them, and the lack of legal recourse that some consider to be the root of the problem.

Don't shoot the messenger, blacklisters will argue. They only provide information and don't do the physical blocking.

Reader complaints, suggestions

In response to last week's column, I've received numerous complaints from ZDNet readers that, in their experience, taking any sort of threatening posture against the blacklisters often results in a deaf ear, permanent blacklisting (regardless of innocence or guilt) with no chance of delisting, and public ridicule. Indicative of this attitude is a message posted by Osirusoft's Joe Jared on his blacklisting site that says "No e-mail received here shall be considered confidential, and may actually be publicly disclosed [on the NNTP newsgroup news.admin.net-abuse.e-mail]. If you wish to e-mail me about spamsites.org, spamhaus.org, or spews.org listings, they will surely be publicly available [in that newsgroup]. The same goes for voice-mail, depending on its entertainment value."

While some believe that blacklisters are the problem, others believe the culprits to be ISPs and hosting companies that don't crack down on spammers operating within their domains. Many ZDNet readers asked me why I wasn't holding the feet of my e-mail/Web hoster ReadyHosting to the fire for not cracking down on its spammer customers.

Theoretically, if service providers banded together for a worldwide smackdown, or if users like me refused to give their business to hosters that provide safe harbor to spammers, the problem might go away. Unfortunately, figuring out who to ban is easier said than done. Not only do problems exist with maintaining accurate blacklists, but there is the thorny issue of separating the legitimate mass mailings from illegitimate ones. For example, although all of ZDNet's newsletters are opt-in newsletters, they have frequently been misclassified as spam.

Ironically, many of us contribute to the problem. The blacklists depend, to a large extent, on e-mail users who feel the need to do something more about spam than set up filters on their inboxes. When we use spam reporting tools like SpamCop, that information eventually finds its way to a blacklist.

Regardless of who's at fault for innocent e-mails getting trapped in the spammer dragnet, one thing is clear: the system of blacklists is achieving the opposite of its intended effect, which is to promote the free flow of legitimate e-mail unencumbered by the negative effects of unsolicited commercial e-mail. Several ZDNet readers have called for an end to the blacklists, saying they'd rather put up with the spam if it means that the e-mail that they need to send and receive finds its way to the right inboxes.

Other readers want other options considered. Anti-spam legislation is frequently discussed, but federal, state, and local governments have been slow to act. Even if they did, legal solutions don't address the Internet's international nature. If spam were somehow outlawed in the U.S., the spammers would simply set up shop elsewhere.

Even if clamping down on spammers within the U.S. could stem the tide, it would be difficult to craft laws that are enforceable. Instead of outlawing spam itself, governments could outlaw specific practices and techniques used by spammers. For example, as a form of trespassing or theft, unauthorized use of a mail relay should be punishable by a fine or prison term.

The same goes for misrepresentation of identity. One technique that spammers now use is to group their mailings by target domain. For example, if a spammer's database has 20 e-mail addresses from the domain "cnet.com," the spammer will send one e-mail that carbon copies all of them, and that looks as though it's coming from one of them (since the sender's address can be easily spoofed). To recipients, the e-mail looks like it's coming from someone within the company. (The spammer does this to increase the likelihood that the unsolicited mail will get opened.) Any misrepresentation of identity, including this sort of impersonation and spoofing of reply-to or sent-from addresses, should also be made illegal.
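One defender-side check for the impersonation pattern just described, written here as an added example and not part of the column: parse the message headers and flag a From: address that claims the receiving organization's own domain when the client that delivered the message, as recorded in the receiving MX's own topmost Received: line, sits outside the organization's networks; a large number of same-domain recipients on one such message is noted as supporting evidence. The domain, network range, threshold and sample messages are all constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import getaddresses, parseaddr

# Constructed settings: the domain our MX accepts mail for, the networks that
# real internal senders submit from, and how many local recipients is "many".
INTERNAL_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CC_THRESHOLD = 3
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def connecting_ip(msg):
    # Only the topmost Received: line was written by our own MX; the lines
    # below it arrived with the message and could have been forged.
    received = msg.get_all("Received") or []
    m = BRACKETED_IP.search(received[0]) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def check_message(raw):
    """Return (spoofed, reasons); spoofed means From: claims our domain
    but the delivering client is not on our networks."""
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    local = [a for a in rcpts if domain_of(a) == INTERNAL_DOMAIN]
    ip = connecting_ip(msg)
    spoofed = (domain_of(sender) == INTERNAL_DOMAIN
               and not (ip is not None and any(ip in net for net in INTERNAL_NETS)))
    reasons = []
    if spoofed:
        reasons.append(f"From: claims {INTERNAL_DOMAIN} but was delivered from {ip}")
        if len(local) >= CC_THRESHOLD:
            reasons.append(f"{len(local)} {INTERNAL_DOMAIN} recipients on one message")
    return spoofed, reasons

SPOOFED = (  # constructed sample: the "looks like a colleague sent it" pattern
    "Received: from relay.example.net ([198.51.100.7]) by mx.example.com\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Cc: carol@example.com, dave@example.com\n")

INTERNAL = (  # constructed sample: a genuine message submitted from the LAN
    "Received: from desk42.example.com ([10.0.0.42]) by mx.example.com\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n")
```

The check is deliberately narrow: it trusts only the Received: line added by the local MX and says nothing about mail from outside domains, which is where the signature-based proposals discussed later in the column would have to take over.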

Despite the failure of blacklists as well as the filters that many of us have put on our e-mail clients and servers, ZDNet reader George Ou thinks there's an opportunity for technology to step in.

"Blacklisting is a good way to go as long as you can blacklist the SMTP mail server, not the IP address," says Ou. "And, the only way to do that is to require each SMTP server to have a unique Digital Signature that's applied to all outgoing e-mail." Ou acknowledges that such a solution would require major changes. "But to get any kind of real handle on secure SMTP communications, this is the only way to go. IP addresses can be spoofed and are expensive, public certificates are not free, but they are not scarce and are not that expensive if you get it from a cheaper vendor."

One company that's in a unique position to bootstrap such a trend is Verisign, which handles both domain registrations and digital certificates. Verisign advanced products director Nico Poppe agrees that the company is uniquely positioned to do more than seed the mail community with free technology in a way that's mutually beneficial to both Verisign and anti-spammers. It can also serve as a credible and publicly accountable blacklist manager.

But Poppe takes that idea one step further. "Applying certificates at the SMTP server level is definitely the starting point," he says. "But, to the extent that server isolation is one notch in granularity below IP address-based black or white listing, it should be taken one layer further to the user level. Once that happens, then ISPs, corporate network managers, and Internet users can authenticate all forms of digital messaging such as mail, voice, short message service, video, and instant messaging and build flexible policies around that."

Poppe is referring to our ability to set policies on who can communicate with us, how they can communicate with us, and the extent to which they can communicate with us. For example, I may set my inbox to accept e-mail from you, but I may refuse attachments unless you're on my white list. Or, I could set my videoconference gear to automatically accept inbound calls from a specific group of people.

Poppe indicated that Verisign wasn't contemplating a role in the spam ecosystem until my interview with him. Certainly, Verisign would face huge challenges in getting the Internet community to adopt such an idea en masse.

I believe that any such endeavor would require an independently formed international coalition/lobby that represents the interests of all parties, including outraged users like you and me. The coalition could be funded by vendors who stand to gain in some way. Verisign, for example, could upsell business users to policy management and blacklist subscription services. AOL, Yahoo, and MSN (Microsoft) could benefit through the reduction of costs associated with the resources now allocated to fighting spam. Companies like Lotus could spend less time developing anti-spam algorithms.

A solution to the spam problem lies in a combination of technology, community involvement, and legislation that expands the scope of activities that are already illegal to specifically include the context of e-mail. The physical world counterparts to many of the spammers' virtual world practices (impersonation, trespassing, and false advertising) are the sort of activities that would land you or me in jail.

It's time we stop discriminating based on the crime's virtual nature. And, in favor of a more radical and all-encompassing approach, it's time we put an end to the useless prevention methods currently in place before they bring an end to the Internet as we know it.

Should David lead a high-powered, well-funded global anti-spam coalition that can rid the world of spam once and for all? Or, do you have your own prescription for this highly infectious disease? Share your outrage with your fellow ZDNet readers using TalkBack below, or write to david.berlind@cnet.com.
