Below is the winning letter from the "What Should We Do About Spammers?" contest in Bob Evans' Dec. 6 column, Business Technology: Ends Don't Justify Means, Despite Appeal.

Back To Basics

Bob,

The solution to spammers starts with the basics. But first, let's see what has been tried.

1. Keyword Filters
This does not work since spammers are pretty creative in finding a million ways to spell V I@Gra.

2. Spam IP Database Block Lists
This was a good idea at first, when many companies were unknowingly running open relays. However, this doesn't pose much of a threat for spammers. They just move on once an IP is identified. Even worse, many mail servers get tagged as a spam sender even though they didn't send any spam. Their only crime was having an IP address in the same block as a spammer.

3. Blacklists
Blocking spam by address is virtually useless. Any spammer can spoof the [send from:] without any problem.

4. White Lists
Only allowing E-mail from known senders is a little drastic. E-mail is supposed to make communication easier, not more difficult. Let's not throw the baby out with the bath water.

5. Bayesian Filters
This started as a great concept. Training a filter to identify spam is a great idea. However, it will not cut down on the amount of spam received by our mail servers. It also takes user maintenance to constantly "train" the filter to understand how spam is evolving. Additionally, many companies are hesitant to aggressively sort spam since they are afraid of losing that one big important E-mail.

6. Legislation
Congress tried to legislate spam out of existence. It appears that these efforts have been in vain. Spam is a technological problem that requires a technological solution.

So we need a technological fix--but not at the client level. E-mail protocols need to be rewritten. IMAP, POP3, SMTP, and HTTP need to be made more secure. Any E-mail protocol should not allow anonymous senders or spoofing. It should be easy to interpret exactly where the E-mail message came from. This will come at the cost of ending a completely open E-mail system; however, it is this open and trusting environment that has created this spam mess.

What then should we do until the future? At my company, we have been using greylisting. You can read more about it here.

From the project Web site:

"Greylisting is a new method of blocking significant amounts of spam at the mail-server level, but without resorting to heavyweight statistical analysis or other heuristical (and error-prone) approaches. Consequently, implementations are fairly lightweight, and may even decrease network traffic and processor load on your mail server.

Greylisting relies on the fact that most spam sources do not behave in the same way as "normal" mail systems. Although it is currently very effective by itself, it will perform best when it is used in conjunction with other forms of spam prevention."

By implementing greylisting support for all incoming E-mail, we have been able to reduce spam by 95% in our corporate environment. That works out to about five spam messages per client per day. This is not a great solution, but unfortunately it is about the best that there is currently available.

Current E-mail protocols are broken. We're still embracing the same standards that existed 35 years ago. It is time to take a fresh look at E-mail standards and limit the damage that spammers can do.

Thanks
Benjamin Vogel

Return to the story: Business Technology: Ends Don't Justify Means, Despite Appeal

Continue to the other letters: Readers Get Creative About Stamping Out Spam