Dam the spam

For years, e-mail providers have struggled to deflect junk mail before it hits their customers' inboxes, but the job keeps getting harder


When I returned from a two-week vacation, I had 801 e-mail messages waiting at my work account. And 330 of them were spam.

Even over a broadband connection, 330 messages do not download immediately. It took a lot longer to find and delete each of these junk e-mails -and then there was the risk of my mail program crashing while displaying some overformatted message.

Multiply that cost by millions of users and you can imagine the headaches that spam causes for Internet providers.

"Anywhere from 30 to 50 per cent of (our) incoming traffic is spam," said Mary Youngblood, manager of EarthLink's abuse team.

For years, e-mail providers have struggled to deflect this traffic before it hits their customers' inboxes, but the job keeps getting harder.

Although the typo-riddled, logic-starved contents of a typical piece of spam might suggest its sender is a knuckle-dragging moron barely able to put fingers to a keyboard, spammers can be quite resourceful at infesting the Internet with their pitches.

For example, when Internet providers wised up to spammers' abuse of their accounts, bulk mailers started hijacking mail servers left open to relay third-party traffic, jamming millions of messages through these "open relays".

Many mail-server operators no longer run open relays, but not everyone has caught on. EarthLink's Youngblood said the company maintains a blacklist of more than 12,000 such sites from which it refuses mail.

Julian Haight, who runs a spam-reporting service called SpamCop, said bulk mailers are now turning to "form mail" and "open proxy" exploits. In the first attack, they hack into those "mail this page to a friend" forms you see on Web pages. In the second, they use computers running insecure proxy-server software (usually employed to connect offices to the Internet) to hide their tracks.

And so the struggle continues.

"We are always going to be putting our finger at the new leak in the dam," said America Online spokesman Nicholas Graham.

Technology keeps promising solutions, but -as with every other social problem online -it never quite seems to work as hoped. I tried two anti-spam measures on my work account recently: Brightmail's spam-screening service and a test release of Spamnix, a plug-in for the Eudora mail program that incorporates the SpamAssassin filter.

San Francisco-based Brightmail (www.brightmail.com) maintains a database of junk mail sent to decoy addresses. If your Internet provider or employer subscribes to Brightmail's service, it can use this database to flag suspected spam or have it deleted.

Brightmail makes a point of not fingering legitimate e-mail as spam. "We can't afford to start sidelining legitimate business mail," said Enrique Salem, the company's president and chief executive. Perhaps as a result, it also can miss plenty of seemingly obvious junk mail. On a Friday, for instance, Brightmail nailed 14 pieces of spam but let 15 others through by mid-afternoon.

The SpamAssassin filter (www.spamassassin.org) aims to can spam based on things like phrases in a message, the routing data in its headers and even the program used to send it. That makes it more effective than Brightmail but also more likely to clobber innocent mail.

In my own tests, for every two to four spams this filter nabbed, it misidentified one legitimate e-mail. Most of this collateral damage was news releases that I didn't really miss, but it also nailed a draft of this column I had e-mailed to myself.

Justin Mason, the Dublin-based author of SpamAssassin, warned that this filter isn't accurate enough to be trusted to delete spam unread. "This kind of setup needs 99.999 per cent rates of correct matching, and no known spam-filtering system can do this," he wrote.

He's right; an experienced Internet user can spot spam from the subject header alone, but teaching the same intelligence to software remains a challenge.

More aggressive anti-spam efforts, such as the Mail Abuse Prevention System, the Spamhaus Project and the Open Relay DataBase, assemble blacklists of insecure mail servers and other spam-friendly sites. Internet providers can then refuse all traffic from these places, in the hope of persuading them to mend their ways.

Collateral damage is a huge risk with these blacklists, which can suffer from incorrect or out-of-date information. But this "vigilante justice", as opponents describe it, has to be expected when other kinds of justice are so scarce: There's no national anti-spam law, nor would one stop many overseas spammers.

We are already seeing collateral damage of another sort, as overwhelmed e-mail users delete anything that looks like junk e-mail.

What can you do about this? First, keep your e-mail address private. Don't publish it on the Web; use a throwaway account from one of the free Web mail sites for things like product registrations. When you do get spam, never reply to it. To state the blindingly obvious, spammers are liars; the only people to get rich quick off their get-rich-quick pitches are themselves.

The best thing you can do with spam is forward it to your Internet provider. "Forwarding incidents of spam to us is not a waste of time," said AOL's Graham, who said the service uses those reports to improve its own filters and, sometimes, as evidence in lawsuits.

Finally, when you write e-mail, you can do your correspondents a favour by making sure it doesn't look like spam. Don't get cute with punctuation, capitalisation or multiple exclamation points in the subject line. It's lousy that we have to go to all this trouble, but I don't see any way around it while the spammers are still in business.

© Los Angeles Times-Washington Post News Service