Suggestion for Solving the Spam
March 21, 2010
Unsolicited commercial email, or spam, is an overwhelming problem for consumers, businesses, non-commercial organizations, and Internet Services Providers. A cornerstone to solving the spam problem is to hold email senders accountable for the mail they send and their sending practices. This white paper proposes a federated Registry model for registering and certifying volume email senders. The proposed federated Registry will provide services to ensure a secure representation of the senders identity, adherence of the sender to applicable public procedures and policies, and assessment of the senders performance. By including the Registry information in the SMTP mail header of certified email, receiving email gateways can make more accurate and consistent decisions regarding the processing of incoming email.
Unsolicited commercial email, or spam, is consistently identified as one of the primary issues for consumers, businesses, non-commercial organizations, and Internet Services Providers (ISPs). Spam represents a substantial proportion of the billions of emails sent each day, and the volume of spam is increasing exponentially. The volume of spam adversely effects recipients of the email and the providers of email services. All organizations that receive mail – ISPs, businesses, governments, and institutions ñ are experiencing rising costs as the magnitude of email continues to increase.
Spam impacts employee productivity by forcing employees to sort through their inboxes for pertinent communications, and systems administrators are fighting a losing battle in their attempt to stem the spam flood before it reaches individual mailboxes. To many individuals, the incidence of pornographic spam to their inboxes is offensive, and could represent a legal liability to organizations. Lastly, spam is frequently the medium used to defraud consumers and steal personal and financial information. While quantifying the cost of the effects of spam is difficult to measure, it is unquestionable that spam threatens the trustworthiness and viability of email and eCommerce.
In an effort to curb unwanted and offensive email, organizations and individuals have implemented antispam measures that include blacklists, whitelists, and content filters. These solutions are fundamentally heuristic and have their own inherent problems. Anti-spam measures are not perfect in their ability to distinguish spam from legitimate email.
Because Simple Mail Transfer Protocol (SMTP) is not secure, it is exploited by illegitimate bulk mailers to obscure their identity and forge their email headers. Illegitimate mailers are thereby able to send millions of fraudulent spam messages with indifference to any repercussions.
The flexibility of email content and origin in the current infrastructure, combined with the heuristic nature of the current spam fighting tools, results in a never-ending cat and mouse game of attempts at detection by the spam solutions and deception by the spammers.
Spam filtering as it exists to today is good but still imprecise. Not only does it fail to catch a great deal of spam, and incorrectly mark legitimate email as spam, current spam filtering solutions are unable to verify that the mail was actually sent by the sender that is identified in the email. Further, maintaining spam filter settings on requires constant attention because spammers continuously change their practices to circumvent filtering tools.
The use of email filtering software is a widely accepted tool for distinguishing spam. Email filtering software (at the incoming mail gateway and/or the user’s personal computer) applies content and header – based analysis rules to identify spam and remove it from the system. However, cleverly written emails often evade the logic of the software, and configuring the filters to catch spam without a percentage of false positives is impossible.
Organizations also use blacklists or blocklists of IP addresses compiled by members of the Internet community to identify potential spam sources. The receiving mail gateways are configured to block all mail from these sources. However, even the operators of these lists acknowledge that blacklists are imprecise and can result in blocking email from legitimate senders and IP addresses. The outcome of blocking legitimate senders and IPs is collateral damage, or put more plainly, wanted email does not get delivered to the intended recipient.
If the ability to evade these filtering techniques isn’t enough, the current Simple Mail Transfer protocol (SMTP), by design, is not secure. SMTP makes it easy for illegitimate bulk commercial mailers to use technology to forge email headers and obscure their identities. Spammers routinely misrepresent the email sender information in the SMTP headers, and may even lie about their identity in an attempt to get their messages delivered.
Information falsification combined with the use of open proxies, further enables illegitimate senders to conceal their identities. By accessing incorrectly configured email servers or computers hijacked through viruses or by hacking, spammers send millions of anonymous spam messages.