Spam ban, thank you Ma’am
2000-06-15
It all sounds so simple. Late last week the US House of Representatives’ Commerce Committee agreed to support a bill that could make the problem of unsolicited email, or spam, a thing of the past. According to The Register (http://www.theregister.co.uk), central to the bill is the requirement that spammers include a valid return address in their emails – this alone could be sufficient to deter the majority of their number.
Spam is as big a problem as ever. It was reported on News.com last week that a recent study found ISPs and free email services were capable of blocking up to 73% of unsolicited email. The downside is that the 27% figure refers to an ever-increasing pile of junk email, with spammers becoming increasingly determined to get through the Net. On a positive note, the anti-spam measures were not found to be preventing a single kosher email from being delivered.
So – why should a simple measure like the return address make such a difference? There are several reasons. First of all, as mentioned, the measure is likely to put potential spammers off. It is one thing to spam anonymously, but to move out into the open is an entirely different matter. Second, with an identifiable source for the email, it will be easier for the recipient to take steps to prevent further emails from the same place. The address can be blocked, or reported to the ISP or to an anti-spam organisation, or even flamed with a few hundred responses. Third, by making anonymous unsolicited email illegal, a case can be brought against individuals more easily than under present laws.
Of course, there will be nothing to prevent spammers from continuing to use insecure servers as through-routes for the thousands of messages that they send. The method is simple: dial up to an ISP, set mail.acme.com (where Acme have an incomplete or incorrect security configuration) as the mail gateway, then fire a thousand or so emails at the Acme server which then forwards them to the destination addresses. After a while, disconnect from the ISP, reconnect to a different ISP (with a different IP address) and do the same thing. Tracing the initiator of such emails is virtually impossible at present. It can be hoped that the number of servers that leave themselves open to this kind of attack is dwindling as sites become more security savvy, either before or after finding themselves victims.
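As an added example, not part of the original article, the following Python shows the check a correctly configured mail server applies before forwarding a message, and an audit that flags client addresses using the server as a through-route. The domain acme.com, the network ranges and the record format are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed values for this example: Acme's own mail domain and internal network.
LOCAL_DOMAINS = {"acme.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_relay_attempt(client_ip, rcpt, authenticated=False):
    """True when an unauthenticated outside client asks the server to
    forward mail to a domain the server is not responsible for."""
    ip = ipaddress.ip_address(client_ip)
    inside = any(ip in net for net in TRUSTED_NETS)
    domain = rcpt.rsplit("@", 1)[-1].lower().rstrip(".")
    return not inside and not authenticated and domain not in LOCAL_DOMAINS


def open_relay_policy(client_ip, rcpt, authenticated=False):
    """The misconfiguration: every recipient is accepted from anyone."""
    return "250 ok"


def closed_relay_policy(client_ip, rcpt, authenticated=False):
    """The corrected behaviour: refuse third-party forwarding at RCPT TO."""
    if is_relay_attempt(client_ip, rcpt, authenticated):
        return "550 relaying denied"
    return "250 ok"


def relay_abusers(records, threshold=3):
    """Audit accepted-mail records and return the client IPs that had at
    least `threshold` recipients relayed through the server."""
    hits = Counter(ip for ip, rcpt, auth in records
                   if is_relay_attempt(ip, rcpt, auth))
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample records: (client_ip, recipient, authenticated).
SAMPLE = (
    [("198.51.100.7", f"user{i}@example.net", False) for i in range(3)]
    + [("203.0.113.9", f"user{i}@example.org", False) for i in range(3)]
    + [("198.51.100.20", "info@acme.com", False),       # inbound mail
       ("192.0.2.15", "partner@example.com", False),    # internal sender
       ("203.0.113.50", "friend@example.net", True)]    # authenticated user
)

if __name__ == "__main__":
    print(relay_abusers(SAMPLE))
```

The two flagged addresses in the sample stand for the same sender before and after redialling, which is why the audit groups by client address rather than by envelope sender.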
Unsolicited email is a product of an insecure global network, weakly legislated and poorly policed. Things will probably get worse before they get better, for example as the mass rollout of ADSL provides a new pool of insecure computers which can be used as unsuspecting hosts for spam forwarding. It will take a combination of better legislation and tighter computer configurations to make spam a thing of the past.
(First published 15 June 2000)