Going Upstream to Fight Spam

Filters and the Can-Spam Act may hold some unwanted e-mail at bay, but neither approach will bring the pandemic under control, according to a leading spam expert.

Eric Raymond, president of the Open Source Initiative, said a technology that recognizes legitimate senders may prove more efficient at curtailing spam than existing filters, which only work on messages that have been downloaded to servers and PCs.

Raymond, an open-source and antispam activist, spoke last week at the Spam Conference at MIT, a gathering of 500 developers, lawyers and researchers from major universities and technology giants like IBM and Microsoft.

Many of the conference participants agreed that the recently enacted federal Can-Spam Act of 2003, which supersedes more than 30 state laws, has done nothing to reduce the amount of spam on the Internet. Spammers are already flouting the new law, which took effect Jan. 1, 2004, said lawyers speaking at the conference. New and improved antispam technologies, the lawyers said, will be necessary to help counter the proliferation of spam.

Raymond is promoting an antispam technology called SPF (Sender Permitted From), an open-standard extension to SMTP (Simple Mail Transfer Protocol) that rejects e-mail coming from forged addresses, stopping spam before ISPs have to download the messages. Under SPF, e-mail users enter their valid domains and IP addresses into the SPF registry. More than 4,000 domains have published their SPF records, including AOL, said Raymond. The registry will also be supported by an upcoming version of SpamAssassin and other antispam applications.

SPF is one of the methods that developers presented at the conference for creating so-called “whitelists,” lists of approved e-mail senders that enable e-mail recipients to welcome messages from those who are on the list while flagging or rejecting others.

Whitelists like SPF will complement other technologies, such as domain blacklists that block out specific senders, by forcing spammers to use their own domains, said Raymond.

“We need more approaches like SPF that attack the problem further upstream, by forcing spammers into the open,” he said.

The new technologies should also lighten the workload carried by Bayesian spam filters, which scan the contents of messages for tip-offs that they are spam — deliberately misspelled words such as “V1AGRA,” for example, or randomly generated sender names such as “Sondra Gaines” or “Herndon Georgia.”

Bayesian filters are a popular method for keeping spam out of inboxes. They are included in some e-mail applications (such as Apple’s Mail and Mozilla Mail), but more often appear as an add-on tool that users can download from the Internet.

Bayesian filters have become victims of their own success, however.

Spammers are pumping out more e-mail than ever in an attempt to squeak past the Bayesian filters. They are breaking apart words, pasting encyclopedia entries into their messages and using other techniques to pass their content off as legitimate.

And while the increased traffic is making spamming more expensive for the spammers, the cost of downloading unwanted e-mail is hurting Internet service providers like AOL and MSN, too.
