Phillip Hallam-Baker, VeriSign Inc.
The problem of unwanted and irrelevant mass mailings, commonly known as spam, is starting to seriously degrade the usefulness of email. In this paper we provide a survey of the principal approaches currently being applied to spam control and propose a strategy by which these mechanisms may be combined to provide a comprehensive solution to the spam menace.
Unwanted and irrelevant mass mailings, commonly known as spam, are becoming a serious nuisance that, if left unchecked, may soon be regarded as a Denial of Service Attack against the email infrastructure of the Internet itself.
The term spam is derived from a Monty Python sketch set in a cafeteria in which the principal protagonists have difficulty making themselves heard above a group of Vikings singing, “spam”. Although there has been a move, due in part to trademark concerns, to use terms such as ‘Unsolicited Commercial Email’, we prefer the colloquial term as being both more familiar and more appropriate. The defining quality of spam is that it is sent indiscriminately in the knowledge that it will be unwanted by the vast majority of recipients. Unsolicited email is frequently desirable, and in fact it is the problem of distinguishing wanted unsolicited messages from unwanted unsolicited messages that makes the problem of mitigating or eliminating spam so hard. Certain types of commercial email are also desirable, in particular communications regarding invoices and account balances, newsletters and in many cases certain types of advertisements relevant to the recipient. Calls for Papers and Calls for Participation at academic conferences circulated on computer networks for many years without complaint and in most cases still do.
An ideal spam control system would have the following properties:
No perfect spam control solution has been found so far. Filtering approaches are compatible with a broad range of email uses and infrastructure but no filter perfectly identifies even a fraction of unwanted emails without eliminating at least some wanted emails. Furthermore the more widely a filter is used the greater the incentive becomes for the spam senders to test against it to ensure that their spam gets through.
Lightweight authentication approaches based on callback loops are similarly compatible with most email infrastructure and require no intervention on the part of the receiver. Unfortunately the intervention required by the sender is significant and would soon become unacceptable were the solution widely adopted.
Strong authentication techniques based on cryptography offer an approach that can ensure that no wanted email that originates from an authenticated source is eliminated but provide no guide otherwise.
In this paper we consider a plan for spam elimination based on multiple controls. We consider spam to be a security problem; in particular it is an access control problem that requires consideration of both authentication and authorization techniques.
Another objection to the ‘Unsolicited Commercial Email’ moniker is that in many cases the subject matter of the spam is outright fraudulent and not commercial in the normal sense. This is demonstrated by the results of a short survey of 89 spam messages received by the author over a 60-hour period (Table 1).
Table 1: Classification of spam received by author 19-21 Jan 2002
| Proportion | Category | Description |
|---|---|---|
| 35% | Foreign | Mostly Korean, Chinese and Japanese |
| 21% | Section 411 Fraud | Invitations to assist in the illegal transfer of large sums of money from Nigeria[1]. |
| 7% | Pornography | |
| 6% | Multi-Level Marketing | Multi Level Marketing |
| 6% | Quack Medicines | Herbal Viagra, Breast, Penis Enlargement |
| 3% | Bounces | Resulting from account hijacking. |
| 2% | Credit Repair | |
| 1% | Gambling | |
| 1% | Diploma | |
| 18% | Other | |
The largest single category of spam consisted of messages in foreign languages the author is unable to read and thus categorize further. 29% of the messages corresponded to activities that were outright frauds (Section 411 Fraud, Multi-Level Marketing, Credit Repair). A further 7% corresponded to commercial activities that are at best disreputable and in many instances correspond to actual fraud (Quack Medicines, and Diploma Mills). 8% corresponded to businesses which while not illegal are typically prohibited from sending unsolicited solicitations (Pornography, Gambling). 3% of the unwanted messages were ‘bounces’ resulting from a party attempting to send out spam that purported to come from my email address. This tactic is frequently employed as a means to bypass certain filtering techniques.
The remaining category of ‘Other’ consisted in the main of offers to buy an eclectic range of merchandise including anti virus software, ISO 9000 consulting, information on government grants, sales leads, services to send out spam and small manufacturing plants for the production of small nails, mufflers and hemostatic [sic] clamps. This category, consisting of less than a fifth of the total (18%), contained the only offers that would correspond to mainstream commercial business offers.
In addition the sample contained 20 messages where a virus infection had been detected. These are excluded from the survey as any meaningful comparison of the volume of viruses and spam would require a much longer study period as virus infection episodes occur intermittently. Furthermore the fact the attempted infections had been detected indicates that the virus notification could also be suppressed.
While an ad-hoc survey of this type cannot be considered definitive the process is nevertheless instructive in suggesting hypotheses, which might be tested in a broader survey covering a larger number of users and a longer time interval. In particular the following observations were made:
90% of the emails did not have a valid sender address. These emails could be excluded if there were some mechanism that allowed validation of sender addresses.
1/3rd of the emails were not correctly addressed to the recipient. These messages could be excluded by simply enforcing the RFC822 message standard that requires every message to have a valid To: CC: or BCC: field identifying the recipient, making adjustment where necessary to account for messages relayed through mailing lists.
1/3rd of the emails were in a foreign language. These messages could be excluded by simply detecting the language or even the character set in which the message was written and excluding messages in languages the recipient could not read.
1/5th of the spam will be hard to classify on content alone.
At least 1/3rd of the spam is being sent by organized crime. However a significant proportion of spam is generated by businesses that at least meet the semblance of respect for the law.
There is a considerable range of expertise demonstrated by the spam senders. In many cases the senders' actions defy common sense: what is the point of sending the same person 19 proposals involving 6 different dubious financial schemes in a 60-hour period? Surely even the dimmest mark is going to suspect something.
Forged email address headers are being used to attempt to bypass existing whitelist techniques.
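The first three observations translate directly into header checks. The following is an added example, not code from the paper; the readable character sets, the addresses and the sample messages are constructed for illustration, and the sender check is syntactic only (it cannot detect a forged but well-formed address).

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Character sets this recipient can read (an assumption for the example).
READABLE_CHARSETS = {"us-ascii", "utf-8", "iso-8859-1"}


def sender_is_plausible(msg):
    """Syntactic check only: From: has a local part and a dotted domain."""
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    return bool(local) and "." in domain


def addressed_to(msg, recipient, lists=()):
    """True if To:/Cc:/Bcc: names the recipient or a list they subscribe to."""
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields += msg.get_all(name, [])
    named = {addr.lower() for _, addr in getaddresses(fields) if addr}
    accepted = {recipient.lower()} | {a.lower() for a in lists}
    return bool(named & accepted)


def declared_charsets(msg):
    """Charsets declared by the text parts; a missing charset means us-ascii."""
    return {
        part.get_content_charset() or "us-ascii"
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    }


def header_checks(raw, recipient, lists=()):
    """Return the reasons a message fails the checks (empty list = passes)."""
    msg = message_from_string(raw)
    reasons = []
    if not sender_is_plausible(msg):
        reasons.append("no plausible sender address")
    if not addressed_to(msg, recipient, lists):
        reasons.append("not addressed to recipient")
    unreadable = sorted(declared_charsets(msg) - READABLE_CHARSETS)
    if unreadable:
        # Charset is only a proxy for language: a sender who writes English
        # in a Japanese charset would be caught here as a false positive.
        reasons.append("unreadable charset: " + ", ".join(unreadable))
    return reasons


# Constructed sample messages (not taken from the survey).
ME = "bob@example.com"
MY_LISTS = ("wg-list@lists.example.org",)

LEGIT = ("From: Alice <alice@example.org>\nTo: bob@example.com\n"
         "Subject: Invoice 1042\n\nYour invoice is attached.\n")
NO_RCPT = ("From: offers@\nTo: friend@public.example\n"
           "Subject: Make money\n\nAct now.\n")
FOREIGN = ("From: shop@mail.example.kr\nTo: bob@example.com\nSubject: sale\n"
           'Content-Type: text/plain; charset="EUC-KR"\n\n(body omitted)\n')
VIA_LIST = ("From: carol@example.net\nTo: wg-list@lists.example.org\n"
            "Subject: draft comments\n\nComments inline.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("no_rcpt", NO_RCPT),
                       ("foreign", FOREIGN), ("via_list", VIA_LIST)]:
        print(label, header_checks(raw, ME, MY_LISTS))
```

Without the `lists` argument the mailing-list message fails the recipient check, which is the adjustment for relayed list mail that the second observation calls for.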
Again further study is necessary before firm conclusions are drawn. It is in any case necessary to treat such survey results with some care, however, since as the sample itself demonstrates the spam senders are constantly adapting their techniques to blunt the effectiveness of countermeasures.
While 33% of spam messages that are currently sent do not meet the minimal requirement of a valid recipient address, we cannot infer from this fact alone that blocking all messages of this type would remain effective at blocking 33% of spam. But we should not conclude from this that all such mechanisms are intrinsically hopeless; it is unlikely that Korean spam senders attempting to sell goods to a Korean audience would switch to English in response to widespread deployment of filters to block foreign language spam.
The lack of sophistication demonstrated by many of the spam senders suggests it is likely that even naïve mechanisms such as filtering to eliminate messages that do not meet the requirements of RFC822 would retain a certain degree of effectiveness for a considerable time. In many cases the spam senders use off the shelf packages that send bulk email whose internal workings they do not understand.
The degree of linkage between spam and organized crime is debatable. While messages touting section 411 frauds and multi-level marketing schemes are clearly frauds run by organized crime on a significant scale it is impossible to determine from the other messages whether the party sending it is dishonest or merely disreputable. Anecdotal evidence suggests that many offers of goods for sale are fronts for various types of credit card fraud.
A large number of spam messages defy easy explanation. Many messages purport to advertise goods for sale but provide no means of contacting the vendor. A possible explanation for these messages is that they are attempts by providers of spam software and services to demonstrate that ‘spam marketing really works, or why else would they do it’. Another possible explanation is that an organization providing spam services, accepting payment from offshore entities with dubious credentials is precisely the type of enterprise commonly used to facilitate money laundering.
The cost of spam is not limited to the direct costs of delivery and wasted time. In addition the indirect costs of ad-hoc spam ‘solutions’ must also be considered. These include:
The most immediate second order problem due to spam felt by the user is when email is lost either by being overlooked in the sheer influx of spam or by being incorrectly identified as spam by a spam filter. As a result of this type of attrition few enterprises have confidence in email as a transport mechanism for ‘must deliver’ messages such as invoices and accounts.
Another serious second order problem is the processing of mail bounce messages that result when a spam sender attempts to send a message to an address that is invalid. It appears that this mechanism has been used in some cases to mount a ‘Denial of Service’ attack against the mail servers of an ISP. The attacker sends a large number of messages with a forged email address to a large ISP with the intention of swamping the mail servers of a smaller ISP.
Vigilante actions range from passive mechanisms such as blacklists to direct interventions such as mail bombardments. For the purposes of this article we deem any mechanism that lacks accountability to be a vigilante action.
Vigilante actions dilute the rule of law; the individual is held accountable to the mob with no recourse. They are also ineffective since they frequently miss the intended target. Vigilante action in the form of mail bombardments in response to spam did not result in a reduction in the volume of spam, it merely led to the senders using false addresses so that the mail bombardments would hit someone else.
Another form of vigilante action is the so-called ‘teergrubing’ attack in which an email server that believes a message being sent is spam will respond by slowing down responses in an attempt to consume the spam sender’s resources. Such techniques are unlikely to be effective since the ability to quickly identify and terminate slow connections is an obvious requirement for any bulk email system.
While there is general agreement that active vigilante mechanisms that attempt to attack the user should be generally discouraged no similar consensus has yet emerged concerning passive ‘blacklists’.
Blacklists emerged as a means of coercing ISPs to terminate accounts of users who were ‘known spammers’. Blacklists of IP addresses of alleged spam senders were circulated and ISPs were encouraged to block email originating from the blacklists. As spam senders were forced to develop new ways to disguise the origin of their posts new blacklists began to appear claiming to list open relays, email servers that will forward messages indiscriminately from any sender.
Proponents of blacklists have argued that the mechanism is consensual since the choice to filter on the basis of the blacklist lies with the ISPs that subscribe to them. While the blacklist maintainers appear to take great care to avoid criticism by referring to coercive techniques through code words such as ‘education’, it is instructive to examine the language used by maintainers of blacklists to describe each other; here the code words are dropped. SPEWS describes MAPS as “Great for putting pressure on an ISP”[i].
Blacklists can only work as long as the Internet community generally can have confidence in the way they are run. Unfortunately the majority of blacklist operators appear to consider themselves beyond accountability. None of the blacklist maintainers describe a dispute resolution procedure; most do not even provide a contact address. Clear-cut cases of abuse by blacklist operators exist. In one recent incident one of the blacklists listed the entire nation of China. Another blacklist listed UUNET, one of the largest ISPs in the US including all its customers in an attempt to force UUNET to shut down a Website run by a UUNET customer. These are the actions of self-appointed censors, not guardians of the public interest.
The email infrastructure in use today has evolved over a thirty-year period. Although the vast majority of mail is now sent using the SMTP protocol (more than 99%) legacy systems such as X.400 and UUCP still exist. Evidence that these systems are still in use is provided by the fact that attempts to remove support for these systems result in strident complaints from individuals claiming that they are still necessary to serve a significant constituency that is apparently technically sophisticated enough to use email but not sophisticated enough to use 1980s technology.
SMTP is one of the oldest and most widely used Internet protocols. Consequently SMTP deployments vary considerably according to the precise vintage of the protocol implemented. For example the originating machine may send a message in (at least) the following ways:
This variation results in frequent objections being made to spam control schemes that assume that a particular SMTP deployment is adopted. Such objections clearly have weight in cases where the spam control scheme assumes that all users have adopted a particular scheme but have less weight when it is asserted that a scheme should be rejected since a user with an obscure email configuration could not use it.
A mailing list receives a message from one recipient and forwards it to a list of recipients. Mailing lists thus serve as amplifiers for email messages. A spam sender can send a single message to a mailing list and reach an audience of hundreds or thousands.
Despite the widespread use of mailing lists the SMTP protocol does not provide an explicit architecture for their use. As a direct result (in my personal opinion), the issues raised by interactions between mailing lists and the SMTP protocol are so numerous that a comprehensive treatment would require a book length treatment at the very least. Some assert that the SMTP protocol is designed to interact with mailing lists and that these problems are the sole fault of implementations. There must however come a point where such faults are considered the responsibility of the specification authors.
Unwanted mailing list subscriptions can in themselves be a form of spam. One of the earliest problems that arose from the use of mailing lists was the ‘mail bombing’ attack where an attacker would mount a denial of service attack by subscribing the victim to a large number of mailing lists. The mailing lists could also be subscribed to each other so that a single post sent to one mailing list would result in tens of thousands of messages being sent to the victim.
As a result of this and similar attacks mechanisms were developed that performed authentication of the subscriber in subscription requests and restricted mailing privileges to mailing list subscribers.
Mailing lists are also used as spam relays. One of the principal problems with mailing lists with respect to spam is that an email from a mailing list comes from a source that the subscriber has chosen to receive email from. As a result such messages are more likely to be read than messages from anonymous sources.
In response to rising levels of abuse, many mailing lists are now moderated purely for the purpose of preventing spam abuse. This is generally considered undesirable as it creates a time consuming task for the moderator and introduces a delay in posting to the list. It no longer suffices for posting privileges to be restricted to mailing list subscribers since spam senders will frequently subscribe to the list to gain posting privileges. Alternatively the spam senders sometimes forge email headers so that a message appears to come from an authorized poster.
Another class of email infrastructure that must be considered is email gateways that provide an email interface to other protocols such as the Usenet NNTP protocol and legacy email protocols such as X.400.
Many spam control proposals start from the proposition that the email infrastructure is fixed and unchangeable. A brief survey of the numerous changes in the email infrastructure over the last ten and the last twenty years shows that on the contrary such changes are constantly taking place.
Certain types of change are easier to establish than others, however. In particular infrastructure changes that require widespread adoption by clients before they can be deployed at servers are particularly hard to achieve. Infrastructure changes that can be unilaterally deployed by either servers or clients and provide an immediate value to the party deploying them are achieved considerably faster.
As we have shown in the previous section, there are many types of spam and it is likely therefore that any realistic program to eliminate spam will have to address the problem in multiple ways. In particular we should not reject a mechanism out of hand simply because it fails to deal with a particular type of spam sender. For example it is highly unlikely that spam senders engaged in organized crime will respect opt-out lists or legislative approaches. We should not however, conclude from the fact that a mechanism fails in certain circumstances that it fails completely in all circumstances.
The only mechanisms that we rule out of hand are those based on vigilante actions that attempt to gain compliance by coercion.
Opt-out lists have proven to be of value in controlling the volume of unsolicited mail and unsolicited telephone calls from legitimate businesses. We note that a significant proportion of spam is sent on behalf of legitimate businesses that may be considered likely to respect such matters. Certainly a mechanism of this type widely deployed would deprive spam senders of the claim that they respect opt-out requests.
A more powerful argument against opt-out lists is that it is likely that spam senders would routinely abuse lists of opted-out email addresses as a source of email addresses. This objection may be addressed by appropriate use of cryptography in which the entries in the list are obscured using a one-way message digest function such as SHA-1. The opt-out list consists of a sequence of message digests of the opted-out email addresses sorted by the message digest value to permit rapid lookup by binary search or similar means[2]. A spam sender may use the list to determine whether an address has been opted-out but cannot use the opt-out list as a source of target email addresses.
One objection made to the scheme above is that spam senders might use the list to validate email addresses to determine whether they are valid or not. This objection ignores the fact that the costs of using invalid addresses are not borne by the spam sender alone and result in the ‘bounce storm’ problems mentioned earlier.
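The hashed opt-out list described above, as an added example that is not code from the paper. SHA-1 is the digest the paper names; the address normalisation (trim and lowercase), the flat file of fixed-width records and all addresses are assumptions made for the illustration.

```python
import hashlib

RECORD = hashlib.sha1().digest_size  # 20 bytes per entry


def digest(address):
    """SHA-1 of the normalised address (normalisation is an assumption)."""
    return hashlib.sha1(address.strip().lower().encode("utf-8")).digest()


def publish(addresses):
    """Build the published list: unique digests, sorted, concatenated.

    Only digests leave the registry, so the file cannot be read as a
    list of target addresses.
    """
    return b"".join(sorted({digest(a) for a in addresses}))


def is_opted_out(blob, address):
    """Binary search over the fixed-width records of the published list."""
    target = digest(address)
    lo, hi = 0, len(blob) // RECORD
    while lo < hi:
        mid = (lo + hi) // 2
        record = blob[mid * RECORD:(mid + 1) * RECORD]
        if record < target:
            lo = mid + 1
        elif record > target:
            hi = mid
        else:
            return True
    return False


def scrub(mailing, blob):
    """What a compliant sender does: drop every opted-out address."""
    return [a for a in mailing if not is_opted_out(blob, a)]


# Constructed registry contents; the duplicate differs only in case.
OPTED_OUT = ["bob@example.com", "BOB@example.com", "erin@example.net",
             "frank@example.org"]
PUBLISHED = publish(OPTED_OUT)

# Constructed mailing held by a sender who consults the list.
MAILING = ["alice@example.org", "Bob@Example.com ", "dave@example.com",
           "erin@example.net"]

if __name__ == "__main__":
    print(len(PUBLISHED) // RECORD, "entries published")
    print(scrub(MAILING, PUBLISHED))
```

Anyone holding a candidate address can test it against the list, which is exactly the lookup the scheme is meant to allow and the basis of the address-validation objection discussed above.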
Aspirin will not cure a cold but it will relieve the symptoms and make the cold more tolerable. Content inspection has a similar effect on spam. The symptoms of spam are relieved to a considerable degree, but the patient is still under attack from the infection.
Content inspection is a form of spam filtering that uses the content of the messages as the basis for the decision to filter. One of the principal difficulties with content inspection mechanisms is the ease of evasion by spam senders. If the spam sender knows the criteria applied by the content inspection technique she can construct her messages so that they are not caught.
There are many forms of content inspection, each of which has advantages and disadvantages:
Naïve Keyword Inspection
Messages are scanned for the presence of words or phrases that occur frequently in spam messages such as penis, HGH or multi-level marketing. Keyword inspection alone is simple to implement but tends to have very high rates of false positives. A recent attempt to deploy a keyword inspection based mechanism at the UK House of Commons resulted in many emails concerning the Sexual Offenses Bill being rejected as obscene.
Naïve Language Inspection
The Internet is an international medium and spam is sent in many languages. As a result a large number of spam messages are completely incomprehensible to the reader. While fully understanding the meaning of a mail message is a complex problem that is AI complete (that is, it requires a solution of the artificial intelligence problem), detecting the language that the email is written in is considerably easier. In many cases the character set in which the email is sent may be used as a proxy for language, although this technique can result in false positives as a Japanese user may send all their messages in a Japanese character set, using the ASCII subset for messages in English. Another problem with language inspection is that large software vendors would face a considerable from foreign users of their product if they introduced language sensitive filters in their products.
Keyword Inspection with Statistical Techniques
The effectiveness of keyword inspection can be substantially improved if combined with statistical techniques that assess the probability of a message being spam based on the presence of multiple keywords. Various techniques may be used for this including Bayesian inference and least squares approaches. While such schemes can show impressive results in tests, the practical effectiveness of these techniques in widespread use tends to be much more limited due to countermeasures employed by the spam senders.
Keyword Inspection with User Feedback
There has been considerable recent interest in content inspection mechanisms that employ user feedback, in most cases in combination with some form of Bayesian inference. This approach provides some resistance to spam sender countermeasures since the individual users maintain separate databases of desirable and undesirable messages. The drawback to this approach is that it requires user intervention on a per message basis, which experience demonstrates limits the effectiveness of the scheme severely.
Keyword Inspection with Dynamic Update
Another approach to improving the effectiveness of keyword inspection is the combination of statistical techniques with an online source that provides regular updates. This approach is frequently combined with the template approach described below.
Dynamic Template Response
Dynamic template response (also known as fuzzy matching) uses templates or ‘fingerprints’ of known spam messages to identify spam messages. The templates are constructed using spam messages sent to ‘honey-pot’ email addresses, either by hand or using some form of automated tool. While this technique can be very effective it is also costly to maintain, particularly since the spam sender may employ countermeasures that cause each spam message to be slightly varied.
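The contrast between naïve keyword inspection and keyword inspection with statistical techniques, as an added example that is not code from the paper. The keyword list, the six training messages and the two test messages are constructed, and the combiner is an ordinary multinomial naive Bayes with add-one smoothing chosen for the illustration.

```python
import math
import re
from collections import Counter

# Constructed keyword list for the naive filter.
KEYWORDS = {"sexual", "viagra", "enlargement"}

# Constructed training messages.
SPAM = [
    "free sexual enhancement herbal viagra offer",
    "hot sexual pictures free offer click now",
    "earn money fast multi level marketing offer",
]
HAM = [
    "committee debate on the sexual offences bill",
    "amendment to the bill tabled for committee stage",
    "minutes of the committee meeting attached",
]


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


def keyword_filter(text):
    """Naive inspection: reject if any single listed word is present."""
    return any(t in KEYWORDS for t in tokens(text))


def train(spam_docs, ham_docs):
    spam = Counter(t for d in spam_docs for t in tokens(d))
    ham = Counter(t for d in ham_docs for t in tokens(d))
    prior = len(spam_docs) / (len(spam_docs) + len(ham_docs))
    return spam, ham, prior


def spam_probability(text, model):
    """P(spam | words), combining the evidence of every known word."""
    spam, ham, prior = model
    vocab = len(set(spam) | set(ham))
    n_spam, n_ham = sum(spam.values()), sum(ham.values())
    log_odds = math.log(prior / (1 - prior))
    for t in tokens(text):
        if t not in spam and t not in ham:
            continue  # words never seen in training carry no evidence
        log_odds += math.log((spam[t] + 1) / (n_spam + vocab))
        log_odds -= math.log((ham[t] + 1) / (n_ham + vocab))
    return 1 / (1 + math.exp(-log_odds))


MODEL = train(SPAM, HAM)

# Constructed test messages.
BILL = "Amendment to the Sexual Offences Bill for committee debate"
PITCH = "Free herbal viagra offer"

if __name__ == "__main__":
    for text in (BILL, PITCH):
        print(keyword_filter(text), round(spam_probability(text, MODEL), 3), text)
```

The naive filter rejects both messages on one word, while the combined score separates them because the legislative vocabulary outweighs the single suspicious term. A sender who knows the scoring can pad a message with innocuous words, which is the countermeasure the text warns limits such schemes in widespread use.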
Content inspection techniques that are successful on a small scale frequently fail when applied on a large scale due to the countermeasures taken by the spam senders. Microsoft Outlook provides a simple content inspection mechanism based on keyword identification. For a content inspection technique to be effective on a large scale it must adapt to the evasion strategies of the spam senders. Instead of providing an aspirin, effective content inspection techniques tend to provide the equivalent of long term palliative care, the symptoms are eased but only with continuous effort and the underlying disease is never cured.
Practically all spam messages sent today attempt to evade anti-spam measures by use of false header information. None of the spam messages that were examined in the writing of this paper carried a genuine sender address. Most of the messages contained from addresses that were obviously fake. In some cases the addresses were not even valid. Some contained no sender address at all. This suggests that a robust method of detecting false sender addresses would provide an effective means of eliminating spam.
Detecting false sender addresses would be a simple task but for the fact that the SMTP protocol allows a sender to forge a message that purports to come from any sender. The security risks of this failing were demonstrated in 1993 when Adelyn Lee, an executive assistant at Oracle, filed a sexual harassment lawsuit against Larry Ellison alleging that Ellison had threatened to fire her if she did not have sex with him. Ms Lee initially won an out of court settlement of $100,000 after producing an incriminating email that purported to come from Ellison. A few months later however evidence was discovered that proved that the Ellison letter was a forgery. Ms Lee was convicted of perjury, falsifying evidence and breaking into a computer system and sentenced to a year in jail.
The use of forged email addresses is currently rare but becoming more common. A particularly insidious spam sender trick borrowed from the Klez computer virus is to harvest email addresses from mailing lists archived on the Web and send large numbers of emails purporting to come from one member of the list to the other members of the list.
The use of forged email addresses is likely to become very common if the use of anti-spam filters that detect missing or obviously false from addresses becomes common. To address this problem, some form of authentication scheme is required that provides an unequivocal proof that the sender address is valid.
A spam sender might attempt to circumvent an authentication scheme by sending messages with a legitimate, authenticated sender address. We find this objection to be a weak one since it is clear that spam senders have a considerable motivation to conceal their identity. If every email carried an authenticated sender address spam senders would be forced to obtain new DNS addresses frequently to conceal their identity, increasing costs significantly.
Authentication techniques are broadly divided into two types, network based and cryptographically based.
Network Level – IP based
If a mail server knows the set of all possible IP addresses from which an email with a particular sender address may be sent, the IP address may be used to provide a lightweight means of authenticating the email sender. This mechanism is not completely reliable since an IP address can be spoofed, albeit with somewhat more difficulty than spoofing a sender address.
The principal difficulty with using IP based authentication is discovering whether an IP address is a valid source for a particular sender address. Some mail servers use the reverse DNS, which maps IP addresses to domain names for this purpose. This approach only works if the email is sent via a mail relay that is configured with reverse DNS entries for the domain of the sender address.
Callback loop
When an email is received a message requesting confirmation is sent to the purported sender address. If the confirmation message is received the sender address is considered to be authentic. The callback loop mechanism is unusual in that it is an active authentication mechanism that is applied at the request of the receiver rather than being applied passively to every message by the sender.
Cryptographic – SSL
An extension to the SMTP protocol allows the use of the Secure Socket Layer (SSL) via the STARTTLS operation. SSL allows authentication of both the sending and receiving email servers using X.509 digital certificates. Although SSL allows the email relay to use any IP address without the need for configuration of a reverse DNS address the sender must send their outgoing mail via a relay.
Cryptographic – S/MIME
S/MIME provides end-to-end authentication of the sender address and message body. The sender need not send their message through any specific email relay.
For a passive authentication mechanism to be useful as a means of detecting forged sender addresses it is necessary to know whether a purported sender has a policy of using authentication. Otherwise the recipient is unable to distinguish a message from a user who does not use the authentication mechanism from a forged message purporting to come from a user who always uses an authentication mechanism.
The Internet architecture does not include a mechanism designed for the purpose of communicating security policies. Fortunately the DNS architecture provides the necessary functionality and may be readily adapted to the purpose without putting an undue load on the DNS.
The principal disadvantage of using the DNS as a means of communicating security policies is that the DNS itself is insecure. DNS Security promises a mechanism that will provide security for the DNS if the working group developing it ever arrives at a deployable version of the protocol. Fortunately the security weaknesses of the DNS do not lend themselves to exploitation on the scale necessary to make exploitation of these weaknesses a viable means of defeating an authentication based anti-spam measure.
Callback loop schemes, if widely deployed, may rapidly become as great a nuisance as the spam they are meant to control. In effect the user of the callback loop reduces the amount of spam they receive by creating spam for everyone else that attempts to send them a message. If every message resulted in a callback loop, half the email received by every email user would be callback spam.
Most callback loop mechanisms support some form of whitelist that causes messages sent by that person to be accepted without further callback authentication. Unfortunately many users of callback loops appear to consider putting correspondents on such whitelists to be a rare privilege rather than a common courtesy.
Another problem with some callback loop schemes is that they are indiscriminate. If a spam sender uses a forged email address as the source of a spam message a callback loop will query the forged address causing the owner of the forged address to be mail bombed.
While many consider the indiscriminate use of callback loop schemes to be anti-social, their use as a last resort when a message would otherwise be dropped is generally considered acceptable. The unintended side effects of callback loops may be avoided by means of protocol markings identifying callback requests as such and by resorting to callback loop authentication only when no other means of authentication is available.
Spam is a resource allocation problem. When email was first invented computer communications were slow and access was limited to a small number of users. The only limit on the number of messages a spam sender can generate is the cost of bandwidth.
Operating systems control access to resources by means of access control mechanisms. Traditional access control mechanisms consist of two parts, an authentication mechanism that determines who is making the request (e.g. the username and password used to log in) and an authorization mechanism that determines what they are allowed to do.
Implicit: In certain circumstances the authorization is implicit in being willing to perform the tasks necessary for authentication. For example providing a response to an email callback loop indicates that the sender is unlikely to be an automated process.
Blacklists / Whitelists: A whitelist is the opposite of a blacklist. Instead of specifying the parties who are not allowed to send messages a whitelist specifies the parties who are allowed to send messages.
Revocable Credentials: Cryptographic authentication schemes such as S/MIME or SSL use X.509 digital certificates as credentials. The X.509 specification allows for certificates to be revoked. If the criteria for revoking the credential include sending spam the possession of a valid credential is equivalent to membership of a whitelist.
Sender charges, in which the sender of an email pays some fee for doing so, represent another form of authentication and authorization. The authentication is provided by the payment collection mechanism showing that the payment is good. The authorization is presumed from the fact that they are willing to pay.
Spam effectively transfers the cost of advertising from the sender to the recipient. Many have argued that the way to eliminate spam is to change the economics of email so that the sender bears the costs of sending a message. It is argued that a charge as low as a small fraction of a cent would make spam uneconomic and drive spam senders out of business.
The chief practical difficulty with any such proposal is that the solution presupposes the deployment of an Internet infrastructure to support the charging system and a business incentive that would drive the ISPs who would end up being net contributors to adopt it.
While such infrastructures exist and are used for purposes such as inter-bank settlements the cost of deploying and maintaining such systems is ranked in the hundreds of millions. Even if a charge of a small fraction of a cent would be sufficient to eliminate spam it is unlikely that such an amount would be sufficient to pay for the infrastructure required to collect it. It is likely therefore that all ISPs would end up being net contributors.
It is highly unlikely that such a low charge would be sufficient to stop spam however. Costs ranging from $.50 to $5.00 appear to do little to discourage the indiscriminate sending of junk mail and unwanted telephone solicitations.
The purpose of criminal legislation in a democracy is to deter persons from engaging in the prohibited conduct. While it is unlikely that criminal legislation alone would eliminate spam, such legislation would certainly create a deterrent for both the spam senders and the advertisers seeking their services.
The legislative process is very slow and time consuming. Legislatures are reluctant to pass any legislation until they are confident the implications are fully understood. Legislators will have to be convinced that any new legislation to address the problem of spam will bring benefits that significantly outweigh both the cost of enforcement and the political cost of committing the scarce resource of legislative time to the problem of spam rather than to other pressing problems.
As previously noted a substantial proportion of spam is illegal under existing law. The scams operated by the senders of ‘Nigerian letters’ are illegal under existing fraud law. Sending images of hard-core pornography to 7 year olds is illegal under existing law. Many of the quack medicines are offered in ways that violate state and federal laws.
Spam senders also violate the law in their methods. Use of a false sender address is an attempt to gain access to a computer system by fraud. A false sender address that impersonates another party is a form of identity theft and may also be actionable as defamation.
To date the majority of actions against spam senders have been civil. AOL has successfully brought cases against a number of spam senders including a $7 million judgment against CN Productions. Verizon has won unspecified damages and a permanent injunction against spam sender Alan Ralsky.
Although criminal actions are rare, they are not unknown. A New York court recently issued an injunction against the New York spam sender at the request of the New York Attorney General.
Spam has spawned two separate types of litigation, cases brought by ISPs and individuals who object to the use of their resources to send spam and cases brought by spam senders to prevent ISPs cutting off resources when spam senders have violated terms of use.
In June and September 1997 Cyber Promotions applied for and was granted preliminary injunctions against WorldCom and AGIS to prevent termination of Cyber Promotions’ service. Neither case progressed beyond the preliminary injunction whose principal purpose was simply to allow Cyber Promotions time to find an alternative means of access to the Internet. In both cases Cyber Promotions had obtained a written statement from the ISP stating that they were aware that Cyber Promotions was in the business of sending spam. As a result the ISPs could hardly claim that Cyber Promotions were in breach of their terms of service.
A relatively large number of civil cases have been brought against spam senders. These include:
In Re: Laurence A. Canter (1997, Tennessee Disciplinary Court)
Complaint: That a spam sent by Canter’s law firm Canter and Segal was sent contrary to various requirements of bar conduct.
Result: Canter was disbarred. It was found that the manner of sending the advertisement brought the legal profession into disrepute.
Bigfoot Partners v. Cyber Promotions (1997, New York Federal Court)
Claim: Bigfoot Partners claimed $1 million in damages and a permanent injunction preventing Cyber Promotions using Bigfoot to send spam.
Result: Permanent injunction issued under a consent order prohibiting the practices listed in the complaint with damages of $10,000 per day for non-compliance.
CompuServe v. Cyber Promotions (1997, Ohio Federal Court)
Claim: Cyber Promotions used forged mail headers in messages sent to CompuServe users causing CompuServe mail servers to become overloaded through attempts to deliver undeliverable mail.
Result: Permanent injunction issued under a consent order prohibiting the practices listed in the complaint.
Concentric Networks v. Cyber Promotions (1996, California Federal Court)
Claim: Cyber Promotions used forged mail headers with a Concentric Networks (CNC) return address, causing CNC mail servers to be overloaded with complaints about the spam.
Result: Permanent injunction issued by the court prohibiting the practices listed in the complaint.
New York v. Woodside Literary Agency (1997, New York Federal Court)
Civil Claim: That the defendant ran a phony literary agency that charged writers fees for services that were not rendered.
Result: The result of the civil case was that the agency was ordered to stop its Internet publishing scheme, provide restitution to consumers, pay penalties and costs to the state and post a $100,000 bond to protect consumers in future business dealings.
Criminal Case: Following the civil case the US Postal Inspector brought a criminal case in 1999. James Leonard and Ursula Sprachmann, the proprietors of the agency, pleaded guilty to conspiracy to commit mail fraud and perjury. Leonard was sentenced to 8 months jail and 3 years probation. Sprachmann was sentenced to 3 years probation on grounds of ill health.
Parker v. C.N. Enterprises (1997, Texas)
Claim: Plaintiff alleged that the defendant sent spam that contained the plaintiff’s email address. As a result the plaintiff received over 5000 irate complaints from the recipients of the spam.
Result: Permanent injunction issued by the court prohibiting the practices listed in the complaint, damages of $13,910 and attorney's fees of $5,000.
Seidl v. Greentree Mortgage (1997, Colorado)
Claim: Greentree Mortgage commissioned a spam to be sent by an independent contractor, Mark Van Keuren.
Counterclaim: The defendant attempted to bring a counterclaim against the plaintiff and his attorney alleging libel, interference with a business relationship and that the suit was an attempt to extort money from innocent advertisers who use the Internet.
Result: The plaintiff’s complaint was dismissed on the grounds that the spam had been sent by an independent contractor hired by Greentree and that Greentree was not liable for its actions. The counterclaim was also dismissed.
AOL v. CN Productions, Inc. (1998, 2001)
Claim: That CN Productions ‘bombarded’ AOL members with unsolicited advertisements contrary to AOL acceptable use policy.
Result 1: Damages of $1,819,863 and attorney’s fees of $126,104 awarded and an injunction issued.
Result 2: Further award of $6,904,712 in respect of breach of the injunction.
AOL v. Cyber Promotions (1996)
Claim: Cyber Promotions claimed that it had a first amendment right to send spam to AOL members and that AOL enjoyed an effective monopoly such that AOL was bound to accept spam from Cyber Promotions under anti-trust laws.
Result: Court disagreed.
AOL v. Web Communications, Inc., et al.
Claim: That Web Communications sent AOL subscribers numerous pieces of unsolicited and unwelcome spam.
Result: Default judgment in favor of AOL, damages of $1,578,175 and issue of an injunction.
Other AOL cases
AOL currently lists a further 13 cases that are either pending or concluded with similar results.
The experience of litigation against spam senders is encouraging insofar as courts have demonstrated that they are willing to award large sums in damages against spam senders in the right circumstances. In particular AOL succeeded in several of its claims because the spam senders either knew or should have known that their activities were contrary to AOL’s terms of service.
While Seidl v. Greentree did not establish any liability on the part of advertisers who employ spam senders, the precedent set by other cases suggests that a suit against the spam sender itself might well have succeeded. Furthermore the Seidl case was an early decision under a state law that occurred before later judgments established that sending spam could constitute trespass and before the fact that many spam senders use illegal means to send their messages became common knowledge. It is possible and perhaps likely that future courts will revisit the finding under Seidl that a spam sender is an independent contractor and instead recognize that the advertiser and spam sender are co-conspirators.
Review of these cases suggests that the following measures may be taken to ensure that litigation against spam senders has a satisfactory result:
In May 2002 the European Union issued a directive that directs member nations to introduce legislation that prohibits sending of unsolicited marketing messages unless the recipients ‘opt-in’.
A number of anti-spam measures have been proposed in the US Congress that seek to regulate spam by requiring spam senders to respect ‘opt-out’ requests and prohibiting the use of forged sender addresses. Most proposals are based on existing legislation concerning junk faxes and telemarketing calls that has already been tested with constitutional challenges.
The chief objection to the ‘opt-out’ measures is that a recipient of a spam has no way to know the origin of a spam. It is therefore impossible for a spam recipient to know if opt-out requests are being respected or not.
While email spam senders have negligible support in Congress, the Direct Mail Association (DMA) that represents senders of junk mail and telemarketers has demonstrated a considerable degree of influence opposing ‘opt-in’ requirements to protect privacy. The spam senders compete with the DMA members and so the DMA is opposed to spam but will oppose any measure requiring opt-in which might set a precedent that may later be applied to its members.
One possible resolution of this problem would be to require spam senders to respect a one-way encrypted opt-out list of the type described earlier. Such a list would meet the need for verification without threatening the interests of the DMA and its members.
Another possible argument in favor of the opt-in approach in the US is that it is more likely to survive judicial review as being constitutional. In Nixon v. American Blast Fax the court found a blanket ban on junk fax advertisements to be unconstitutional. While this judgment contradicts the opinions of other courts and is currently under appeal, US jurisprudence has traditionally considered first amendment issues with considerable care. There can be no guarantee that the lower court’s finding that the government could have realized its objective without an outright ban by means of an opt-out database will not be sustained. It is therefore prudent as well as expedient for anti-spam legislation to take this course.
An objection made against proposals for anti-spam legislation is that the Internet is not a single jurisdiction and that no one country can therefore hope to control the Internet through legislation. When examined closely however the argument for ‘regulatory arbitrage’ appears to be a conviction born of commitment to ideology rather than objective analysis. Nation states have demonstrated a considerable capacity to control certain socially undesirable uses of the Internet through conventional police methods and close international co-operation. A significant number of prosecutions have been brought in a wide range of jurisdictions against writers of viruses, online casinos and pedophiles.
While spam senders might attempt to evade legislation by transferring their operations to accommodating jurisdictions such evasion is far from costless to the spam sender. Jurisdictions that provide flags of convenience for businesses engaged in dubious practices do so out of self-interest and not in the pursuit of a libertarian ideology. A spam sender that transfers operations to such a jurisdiction is certain to find their operations subject to a large number of service fees, local employment costs and in many cases bribes to ensure the continued compliance of officials. Spam is sent indiscriminately because the incremental cost of sending messages is low. Forcing spam senders to use jurisdictions of convenience would increase the cost of sending spam and introduce significant barriers to entry to new market entrants.
It is highly unlikely in any event that jurisdictions offering traditional offshore services such as tax havens, financial services or shipping would allow these already lucrative offerings to be threatened by the unwelcome attention that acting as a clearing house for spam would inevitably attract. Nor is it likely that the individuals attempting to profit from the business of sending spam would be anxious to take up actual residence in such jurisdictions. The only jurisdictions likely to tolerate spam sender operations on a large scale are countries such as Nigeria, Congo and Afghanistan where the entire apparatus of civil government has effectively collapsed. Endemic corruption and unstable government do not provide a fertile ground for any form of commerce requiring expensive high technology infrastructure.
As this paper shows, no proposal yet made provides a magic bullet that kills spam. Content inspection based approaches can be readily deployed but tend to lose their effectiveness as widespread adoption encourages spam senders to employ countermeasures. Legislative approaches can increase the costs of spam senders by forcing them to employ costly countermeasures such as moving offshore but are unlikely to eliminate spam altogether. Authentication based approaches provide a robust means of identifying messages that are not spam but are of limited utility unless widely adopted.
This analysis suggests that content inspection, legislation and authentication are complementary approaches. Content inspection provides short-term mitigation of the effects of spam. Authentication provides a robust long-term solution. Legislation provides a means of slowing the rate of growth of spam so that the content inspection based approaches maintain their effectiveness long enough for the long-term authentication based solutions to be effective.
As the Internet grows larger the difficulty of making changes to the infrastructure of the Internet increases. Contrary to the media myth, Internet time runs at the same pace as normal time.
One of the principal reasons for the success of the Internet is that it is built using genuinely open, freely available standards. Although many standards bodies define Internet related protocols, the Internet Engineering Task Force (IETF) defines the principal email protocols. A programmer who feels they can write a better Web browser can find the specifications that define the relevant protocols on the IETF web site. If the programmer feels that the protocols can be improved they can join an IETF Working Group and suggest improvements.
While the IETF has many virtues, its principal vice is that the pace of its deliberations is geared to the more leisurely pace of academia rather than the needs of Internet users. Major protocol revisions take decades rather than months or years.
The original SMTP protocol was defined in 1982. Some changes were made in 1986 and extensions were defined in 1995. The first major revision of the original protocol took place in 2001, almost two decades after the first proposal.
While there are currently plans to begin a research group in the IETF sister organization, the Internet Research Task Force (IRTF) there are no current plans for any IETF working group to examine revision of the mail infrastructure. It is unlikely that such a group could be started in less than a year and it is likely that any standardization work would take at least two years once started. Commercial implementation of the resulting standards would take a minimum of a year. The shortest time in which any standards effort may reasonably be expected to complete is thus four years.
Fortunately the IETF has a rather different role to most standards bodies. While most standards bodies develop a specification before the code to implement it is written the IETF favors the reverse approach. Instead of leading the development of the Internet the IETF documents it.
The previous sections have identified the need for mechanisms that allow:
The definition of a standard Application Program Interface (API) for filtering modules would greatly simplify deployment and allow development of spam filtering mechanisms to take place independently of email client development.
While a number of spam control frameworks exist these tend to be ad hoc mechanisms tied to a specific platform or infrastructure.
We identify a need for the following
As previously stated, support for mailing list software in SMTP is less than satisfactory. We propose the following set of protocol changes to remedy this situation.
There are many techniques that address a part of the spam problem. No currently known technique provides a complete solution and it is unlikely that any technique will be found in the future that provides a complete and costless solution.
Even so, there are many techniques that in combination can provide an effective strategy for addressing the spam problem.
Spam is a security problem. It is the lack of authentication and authorization in the email system that allows it to be abused for any purpose. The volumes of spam are rising at a rate that threatens the usefulness of email. Spam is therefore more than simply a problem for individuals or an opportunity for businesses that provide solutions, spam is a community problem and it is the Internet community as a whole that must find, implement and deploy solutions.
[1] Section 411 Fraud, otherwise known as ‘Nigerian Letters’ is a modern incarnation of a classic fraud in which the ‘mark’ (victim) is invited to engage in an activity sure to realize an enormous profit. The mark is subsequently induced to make various payments to the fraudsters to cover ‘fees’ and unexpected incidental expenses that are purported to occur. In some cases the mark is persuaded to travel to another country where they are kidnapped and either held for ransom or in some cases murdered.
[2] In fact lookup efficiency considerably better than binary search may be achieved since a good message digest function should result in an even distribution of digest values regardless of the data set digested.
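The one-way opt-out list proposed in the legislation discussion and the lookup observation in footnote [2] can be shown together in an added example that is not part of the original paper. It assumes SHA-256 as the message digest, trimming and lower-casing as the address normalisation, and constructed `example.test` addresses; the paper specifies none of these.

```python
import hashlib

def digest(address: str) -> int:
    """One-way digest of an address as a 256-bit integer.
    Assumption: addresses are normalised by trimming and lower-casing."""
    norm = address.strip().lower().encode("utf-8")
    return int.from_bytes(hashlib.sha256(norm).digest(), "big")

def build_list(addresses):
    """Publishable opt-out list: sorted, de-duplicated digests only."""
    return sorted({digest(a) for a in addresses})

def interpolation_lookup(digests, target):
    """Search a sorted digest list by estimating the position from the value.
    Works well because digest values are evenly distributed (footnote [2]).
    Returns (found, number_of_probes)."""
    lo, hi, probes = 0, len(digests) - 1, 0
    while lo <= hi and digests[lo] <= target <= digests[hi]:
        span = digests[hi] - digests[lo]
        pos = lo if span == 0 else lo + (target - digests[lo]) * (hi - lo) // span
        probes += 1
        if digests[pos] == target:
            return True, probes
        if digests[pos] < target:
            lo = pos + 1
        else:
            hi = pos - 1
    return False, probes

def binary_lookup(digests, target):
    """Plain binary search, for comparison. Returns (found, probes)."""
    lo, hi, probes = 0, len(digests) - 1, 0
    while lo <= hi:
        mid = (lo + hi) // 2
        probes += 1
        if digests[mid] == target:
            return True, probes
        if digests[mid] < target:
            lo = mid + 1
        else:
            hi = mid - 1
    return False, probes

def is_opted_out(digests, address):
    """What a sender runs before mailing: test one address it already holds."""
    return interpolation_lookup(digests, digest(address))[0]

def compare_probes(n=20000, step=50):
    """Average probes per successful lookup over a constructed list of n entries."""
    addresses = [f"user{i}@example.test" for i in range(n)]  # constructed sample
    digests = build_list(addresses)
    sample = addresses[::step]
    interp = sum(interpolation_lookup(digests, digest(a))[1] for a in sample)
    binary = sum(binary_lookup(digests, digest(a))[1] for a in sample)
    return interp / len(sample), binary / len(sample)

if __name__ == "__main__":
    avg_interp, avg_binary = compare_probes()
    print(f"interpolation: {avg_interp:.2f} probes, binary: {avg_binary:.2f} probes")
```

A sender can test an address it already holds against the list, while the list itself carries no plaintext addresses. An unkeyed digest resists enumeration only to the extent that addresses are hard to guess.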