LAST year the amount of unsolicited email shot up by 15 per cent, and suddenly accounted for 58 per cent of all email sent across the internet. There could hardly be starker proof that today’s technologies for beating spam are failing miserably.
But there is hope on the horizon, delegates to the annual Spam Conference at the Massachusetts Institute of Technology heard last month. An emerging strategy called email “authentication” looks like having the best chance yet of halting spam’s inexorable rise.
All the major email services already have filters on their servers that try to block spam. These filters are content-based: they sift through emails looking for combinations of words typical of unsolicited ads – “make money fast” is an old favourite – and ditch messages most likely to be spam.
Advertisement
These filters are frequently upgraded with new spam-catching tricks, but the spammers are outsmarting them every time. Messages advertising Viagra may appear with something like v()agr* in the subject line instead, which is often enough to get them through. Spammers may also load the body of a message with random verbiage – known as a “word salad” – to dilute the telltale words enough to make the message seem like a legitimate email.
And if some spam gets caught, the spammers just send out more. “Every time we get better at filters, the spammers increase their volume of messages,” says Matt Prince, a lawyer specialising in technology. He says filters will not solve the problem and that harsher laws are needed. But many at the MIT conference were confident that authentication is the answer. This involves inspecting every email to ensure it comes from a legitimate sender.
Most spam is “spoofed”: it pretends to come from the email addresses of innocent people, which the spammer has found by trawling websites or newsgroups or by sending out a virus that reads the address book of infected PCs. Spoofing evades the blacklists of known spammers’ addresses and saves the spammer from angry “don’t darken my inbox again” emails from those who receive them. Meanwhile, the legitimate owner of the spoofed address gets the angry mail, along with any bounced spams that content filters have rejected.
Authentication could put an end to spoofing. Two authentication protocols are currently being studied by the Internet Engineering Task Force for possible adoption as a standard. One, called Lightweight Message Access Protocol (LMAP), is an extension to the internet’s Simple Mail Transfer Protocol (SMTP). The other, called Domain Keys, is being developed by Yahoo.
SMTP dates back to the trusting early years of the internet when spam, viruses and worms were scarcely dreamed of. It lets a sender enter any address they want in the “from” field of the email – an obvious boon to spammers. LMAP should close this loophole by requiring email providers to install a small program on their servers to check that the entry in the “from” field is genuine. Before accepting an email, the server will contact the source quoted in the “from” field and ask for its IP number – in effect, the claimed source’s internet address. If that does not match the IP number of the actual source, the email will be deemed a spoof and be deleted, or tagged as “suspected spam” and diverted to a file for later inspection.
America Online last month began using Sender Permitted From (SPF) – an LMAP variant – on its email systems. “SPF is actually catching spam now,” says its developer Meng Weng Wong of email forwarding service Pobox of Philadelphia, Pennsylvania.
Yahoo’s Domain Keys approach to authentication is to tag all emails with an encrypted signature that ties the message to its source. Domain Keys software constructs a sequence identifying the content by taking, say, the third letter in every word in the email, and then appends this sequence to an ID sequence that identifies the server that is sending it. The whole signature is then encrypted. The server receiving the email decodes the signature and checks that the message content matches its coded sequence, and that it has come from the domain identified in the signature. The drawback is that it will require a global database of codes identifying all other servers, and licensing encryption software on a large scale will make it expensive.
Whichever anti-spam system wins out, authentication will force spammers to use real domain names, making them easier to catch. They will have to constantly register new, throwaway domains and discard them as soon as they are used and become blacklisted. Some spam will trickle through, but authentication should stop it. “Anything that makes a spammer’s life harder is not a bad thing,” says Barry Shein, who runs an internet service provider in Brookline, Massachusetts. “If SPF makes them jump, why not?”

Trapping junk mail in a tar pit
Fighting spam is an arms race in which software engineers are always trying to devise new weapons. A promising approach now in development is the TarProxy from Marty Lamb of Martian Software in Downington, Pennsylvania. This works by passing suspected spam through an electronic “tar pit” to slow it down. The idea is not only to block the initial batch of spam but also prevent the spammer trying to send any more.
When a server sends an email it has to wait on the line for an acknowledgment that it has been received. If TarProxy encounters suspect messages it slows down this initial exchange of data, which normally occurs almost instantaneously. This should cut down the quantity of mail a spammer can send.
Lamb routes incoming email to a “proxy server”, which runs a spam check, such as a content filter. If this reveals the email may be suspect, Tar Proxy slams on the brakes. It can be configured to make acknowledgement take hours, tying up the spammer’s mailing system all that time.