• E-mail this page
• |  Print this page
• | 
• | 
• | 

What Is The Next Step In The War On Spam?

We all know that spammers will do whatever it takes to find a way to send their advertisements and scams to potential victims. Spammers are circumventing methods services like Gmail, HotMail, and Yahoo use to stop automated spam to the point that even legitimate users of these services are unwitting victims of anti-spam.

Larry Seltzer at eWeek posted a blog Spammers Sidestep SMTP about what happens when spammers start using free Web-based services such as Gmail, HotMail, and Yahoo mail systems to send spam. Seltzer suggests new tests need to be developed to check for "humanness" -- or perhaps a change in how e-mail is sent and received are potential solutions.

I got a call on Sunday from an InformationWeek visitor about a problem he is experiencing with forwarding spam e-mail to spam@uce.gov, the Federal Trade Commission's e-mail account for reporting spam and phishing. Ironically, he also was blocked by TechWeb's anti-spam gateway for a bad reputation, hence the phone call. I asked him to forward me the e-mail to my Web account and guess where it ended up? If you guessed my spam folder, you would be right.

There are a couple of things going on that makes sending and receiving legitimate e-mail bothersome. Public mail services such as Gmail, Yahoo, and Hotmail to filter outbound e-mail for potential spam sent from bogus accounts. That is a reasonable and a responsible action to take. But as we know with any anti-spam system, sometimes legitimate e-mail gets caught in the mix; even e-mail that is being sent to an authorized spam reporting drop box like spam@uce.gov.

Then there is the problem with reputation filtering. Based on activity of your mail servers, or even your originating IP address, a mail server between you and your recipient gives a network or mail server a bad reputation based on the actions of spammers using the network you are on. This is reputation filtering. Reputation filtering is problematic simply because it's easy to get on a bad reputation list, hard to get off the bad reputation list, and, in many cases, the recipient doesn't even know their mail server has a bad reputation until someone calls and complains, like my caller this weekend.

Maintainers of reputation lists do try to ensure the accuracy of their bad reputation lists, but still, some good apples get on there. Worse, some anti-spam gateways will flag an e-mail as coming from a bad reputation source if the IP address is anywhere in the e-mail header fields. Since spammers use zombies on broadband connections, you can bet that your broadband network is on a bad reputation list. If your ISP's mail gateway records your IP address in an e-mail header, you could be given a bad reputation.

Anti-spam gateways should have a configuration option to not check IP addresses in full headers for bad reputation. But it's not always set correctly. If you receive e-mail from the Internet, then it should be disabled.

Of course, Web mail providers, knowing they can be abused by spammers, are trying more methods to ensure that a human is behind the keyboard and not a spam-bot. The best weapon so far has been Captcha systems, that squiggly text you are supposed to type into a form field to prove you are a human -- they are falling faster than snowflakes.

Measuring an account holders' reputation may or may not be a good idea. It certainly seems plausible on the surface. Given the economics of spam and the potential payoff for very little outlay, the spammers will continue to find ways to combat anti-spam measures.

I don't know what the next step is on the path to combat spam, but given the rising amount of spam vs. legitimate e-mail and the well-meaning attempts to stem the tide, reaching out and touching someone by the telly may make a comeback.

« Google's Gmail Gets To-Do List | Main | Gilbane CMS Conference Highlights »