Spam: Is there any hope?

Monday, February 9, 2004

The volume of spam clogging the nation's In boxes crossed a threshold of sorts last year, prompting action on several fronts to thwart the onslaught of unsolicited commercial e-mail.

Major Internet and software companies, such as Yahoo and Microsoft, are mounting campaigns against spam, and the first federal anti-spam legislation--the "Can-Spam Act"--took effect January 1.

But most experts do not expect to see any decline this year in the number of e-mail promotions for generic Viagra, bogus investment schemes, and the like.

Although UCSC computer scientists are hopeful about the prospects for eventually bringing the plague of spam under control, they say relief is likely to come slowly.

"Eliminating spam is difficult, not least because it is hard to define spam precisely. But I am somewhat optimistic on controlling spam," said Martín Abadi, professor of computer science at UCSC and an expert on computer security issues.

"As in other security issues, spam prevention deals with an adversary that does not necessarily play by the rules. But some of the concepts and techniques developed in the area of computer security over the years may be quite helpful," Abadi said.

Spam filters are currently the main weapon in the war on spam. But the effectiveness of spam filters is limited by the ability of spammers to counter the filtering technology, said Raymie Stata, an assistant professor of computer science.

"It is too easy for the spammers to adapt to the filters, so there is reason to be somewhat pessimistic that filters by themselves will solve the problem," Stata said.

Stata is cofounder of Stata Labs, which offers a top-rated spam filter based on the open-source SpamAssassin technology. Consumer Reports magazine last year rated the company's free SAproxy spam filter as the most effective at blocking spam while still letting legitimate e-mail get through. SAproxy basically puts the SpamAssassin technology in a more user-friendly package.

SpamAssassin is also used by UCSC's Communications and Technology Services (CATS) on the campus mail server to scan incoming mail. CATS doesn't block messages identified as spam, but marks them so that individual users can easily block them using the filters in e-mail programs such as Eudora. (See sidebar story: "What Can You Do?")

According to Stata, filtering at different levels of the network will always be necessary, but other approaches, both legal and technological, will also be needed to win the war on spam.

The "Can-Spam Act" (officially the Controlling the Assault of Non-Solicited Pornography and Marketing Act) was approved by Congress and signed into law by President Bush in December. Among other things, it makes it illegal to send falsified e-mail headers and requires spammers to let recipients unsubscribe from their lists. But enforcement of such provisions remains a significant challenge.

PROTOTYPE REGISTRY DEVELOPED AT UCSC

The act also paves the way for a national "opt-out" registry for spam similar to the do-not-call list recently established for telemarketers. UCSC computer scientists have already developed the technology to run such a registry.

"An opt-out registry by itself won't get rid of spam, but it gives people another tool to use against the bulk e-mailers," said Arthur Keller, a visiting associate professor of computer science at UCSC, who led the team that designed a prototype system for an opt-out registry.

Four UCSC students worked with Keller to design the opt-out registry: Thomas Belote, Lee Holloway, and John Rodrigues all earned B.S. degrees in computer science, and Dat Nguyen is a graduate student in computer engineering. They designed the prototype with a variety of features to ensure its reliability and security. In January, the technology was licensed to a Chicago-based consulting firm, Unspam.

But the idea of an opt-out registry has its critics. Some consumer advocates would prefer an "opt-in" registry, whereby companies could only send marketing offers to people who have requested them. An opt-in registry would face legal challenges, however, based on the constitutional free-speech rights of advertisers, Keller said.

"After all, it isn't constitutional to ban solicitors going to all houses, but you can post a 'no solicitors' sign in front of your own house," he said.

The opt-out registry is patterned after the highly popular do-not-call list. But the Federal Trade Commission (FTC), which is charged with developing a plan for the registry under the Can-Spam Act, has expressed concern about the security of the addresses registered on the list and the reliability of the registry.

The prototype opt-out registry developed by Keller and his students addresses these problems. Although some experts remain skeptical of the opt-out concept, Keller argues that an opt-out registry can provide the basis for effective legal actions against renegade spammers if it is backed up by sufficient funding for enforcement.

"I'm hoping that our prototype system can serve as a model for a reliable and secure registry," he said.

CHANGE IN INTERNET EMAIL PROTOCOLS PROPOSED

Another approach proposed by some experts would involve making a minor change in the Internet protocols used to distribute e-mail. The aim would be to make it more difficult for spammers to cover their tracks by falsifying their electronic identities. Even a small change could greatly enhance the effectiveness of both spam filters and an opt-out registry.

"What is needed is some form of authentication or accountability in the sending of e-mail," Stata said. "My hope is that a small change in the relay protocols will introduce enough accountability to allow these other solutions to work better."

Implementing such a change throughout the Internet infrastructure, however, is no simple task. The Internet is made up of many interconnected networks that are owned and operated by different companies. The companies would have to agree to support the new protocol, and it would take time to roll it out, Abadi said.

Yet another proposal, most recently advocated by Microsoft chairman Bill Gates, would involve charging senders of e-mail a small fee or tax. The fee would be so small as to be insignificant for regular e-mail users, but would add up to substantial amounts for the spammers who send millions of e-mails daily. A variation on this theme would give recipients the option to decide which senders to charge and how much, depending on how annoying the e-mail is.

MULTIFACETED APPROACH SUPPORTED

Keller said he favors the multifaceted approach advocated in an article in Business Week magazine last year (August 11, 2003). The article called for a combination of a centralized opt-out registry; stepped-up enforcement of anti-spam laws, along with a "right of private action" allowing individuals to sue spammers (something specifically denied by the Can-Spam Act); international cooperation; new Internet e-mail protocols; and more effective filtering technologies.

"It is clear that no one approach alone will solve the problem of spam," Keller said.

At stake is the usability of e-mail itself. In a recent national survey, 25 percent of e-mail users said the ever-increasing volume of spam has reduced their overall use of e-mail, and 60 percent of that group said spam has reduced their e-mail use in a big way.

According to Stata, however, the war on spam is just getting started.

"I think we will see a fierce battle, and at first it may look like the spammers are winning, but eventually I believe a combination of legislation, infrastructure changes, and filtering at multiple levels will come together to solve the problem," he said.