Sep 6, 2005 5:00 AM PT
Stopping spam is essential for preserving e-mail access for legitimate personal and business purposes. Spam threatens to cripple e-mail services, particularly those without effective spam controls.
If spam is found to be coming from an IP address, then it may be placed on lists of IP addresses that Internet service providers (ISPs) keep. All e-mail coming from IPs on these lists gets blocked before it reaches your inbox. An IP address is a series of four sets of numbers, e.g., 18.104.22.168.
For information on how blocking occurs, see What to Do if Your E-Mail Is Blocked, followed by How to Unblock Your E-Mail. Spotting, Swatting Sources of Spam provides statistics on the countries and ISPs that have been found to be most vulnerable to serving as spam sources.
Here we consider approaches to stopping spam, beginning with an increasingly popular technology for authenticating the source of e-mails. We conclude with a summary of what senders can do to make sure that they are not contributing to the problem.
Spam is often sent from invalid or spoofed e-mail addresses. To detect invalid or spoofed e-mail addresses, competing e-mail authentication systems are being developed and deployed. Sender Policy Framework (usually called SPF) is the most widely adopted.
SPF is being promoted by Microsoft, which has incorporated it into the company's authentication standard called Sender ID. SPF was developed in part by Meng Weng Wong at spf.PoBox.com, whose Web site states: "SPF fights return-path address forgery and makes it easier to identify spoofs."
How does SPF work? According to PoBox:
"SPF lets domains say what computers are allowed to send mail as that domain. If your domain uses SPF, and someone tries to send mail as you in Timbuktu (assuming, of course, your ISP is not in Timbuktu), your correspondent's ISP can reject the message, or just flag it for discarding. The best part? You don't have to worry about it! Your ISP sets up the acceptable senders. Your correspondent's ISP does the checking. To users, SPF is a seamless process, protecting your e-mail address without causing you headaches."
The ISP Adhost has SPF records for outgoing e-mail but is not using SPF to screen inbound e-mail because the technology has not been accepted widely enough by other ISPs. As of June 2005, according to Microsoft, approximately 1 million domains were publishing SPF records, which leaves more than 70 million domain names outside that technology. Not all registered domain names are being used for e-mail, leading some analysts to estimate that as much as 30 percent of all e-mail incorporates Microsoft Sender ID information.
Other e-mail authentication systems include Cisco's Identified Internet Mail system, Yahoo's Domain Keys, and IBM's Fair Use of Unsolicited Commercial E-mail, or FairUCE. Although foreign ISPs have been slow to adopt e-mail authentication systems, spammers have not.
Robb Wilson of Lyris Technologies in Berkeley, Calif., told TechNewsWorld recently that the most enthusiastic adopters of SPF have been spammers. Hotmail is one of the first e-mail services to route incoming e-mail that is not authenticated into bulk mail folders. But if most users of SPF are spammers, Wilson said, then "your bulk mail folder is going to become your inbox."
Competition among different e-mail authentication systems is expected to continue. In the fall of 2004, the Internet Engineering Task Force dissolved a working group on the subject, reporting that consensus could not be reached on key implementation issues.
Advertising that they provide spam-free e-mail service, permission-based e-mail services such as Bluebottle and Breakthru are seeking to gain market traction. The permission process begins with a 'challenge,' according to Breakthru:
"When you receive e-mail from an unknown party, an automated 'challenge' e-mail goes to the sender asking them to 'manually' verify themselves. To prove that they are a real person, they have to type in a number shown in an image on the BreakThru.com site. (Bulk spam programs cannot verify themselves, so your account stays free from spam.)"
Bluebottle asks recipients to verify senders. Permission-based filtering is also available as a free option in Hotmail, which allows users to receive e-mail only from addresses already entered into recipients' address books.
MySpace.com and some other online networking sites only allow messages to be received from senders that have already been recognized and approved by recipients. According to Alexa, MySpace is the 11th most-visited site on the Web.
On a side note, according to Alexa, the top three most-visited sites on the Web, with the percentage of page views on each site that pertain to e-mail, are Yahoo (43 percent), MSN (68 percent), and Google (6 percent -- although Google's e-mail system is still in beta). On MySpace, Alexa finds that e-mail makes up 13 percent of the site's use, compared to 17 percent for viewing photos.
Whereas permission-based e-mail may be appropriate for some individuals, it can quickly become impractical in business environments where individuals need to receive e-mail from a rapidly changing variety of sources, many of whom will see the permission process as unprofessional and a hurdle that they decline to cross.
In the Indian call center outsourcing industry, some of the early adopters of Bluebottle used it to send out spam, after their other e-mail venues were blocked. There was no mechanism for that spam-protected e-mail service to quickly avoid becoming a major spam source itself, thereby damaging its brand image and alienating potential users.
How to Stop Spam
The best way for individual users to stop spam and protect their ability to receive legitimate e-mails is to ensure that their own computers are protected against viruses and trojan horses, thereby forestalling those machines from being used as spam relays. Next, use an ISP that protects your IP addresses from being placed on block lists.
According to Richard Stockton at Adhost, there are four methods that ISPs should employ to limit spam from being sent out and to keep their IP addresses from being blocked:
- Prohibit open relays: Open relays enable e-mail to be received and sent to any source. In closed systems, only e-mails from password-protected customer accounts are allowed to be sent out.
- Limit outbound traffic: Limits can be placed on the number of e-mails sent out every 15 minutes. Limits can also be placed on the number of recipients per e-mail, to 99, for example. Your bulk mailings can be conducted by firms that specialize in bulk e-mail services and electronic newsletters.
- Maintain a system for responding to complaints: If you need to protect your e-mail service from interruption, only use an ISP that goes out of its way to respond properly to complaints. Responses to cases of abuse can begin with warnings, and then lead to termination of service or, in extreme cases, to referrals to law enforcement agencies. Lack of a responsive complaint system provides an ISP with fast-track opportunities to have its IP addresses placed on block lists. For more information on the complaint process, see How to Unblock Your E-Mail.
- Monitor outbound traffic: Monitoring outbound traffic can provide real-time indications of outbound spamming activity or a computer within an ISP's network that has been breached and is being used to attack other machines or send out spam. A popular monitoring system is Observer from Network Instruments.
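How the relay, limit and monitoring items above can combine in one outbound submission check, as an added example that is not Adhost's configuration or code: the class and method names, the domain `isp.example`, the per-window message cap and the rule that unauthenticated clients may still deliver to local mailboxes are assumptions, while the 15-minute window and the 99-recipient cap come from the list.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # the 15-minute window from the list above
MAX_RECIPIENTS = 99        # per-message recipient cap given as the example above

class OutboundGate:
    def __init__(self, local_domains, max_per_window=200):  # 200 is an assumed cap
        self.local_domains = {d.lower() for d in local_domains}
        self.max_per_window = max_per_window
        self.sent = defaultdict(deque)       # account -> times of accepted messages
        self.rejections = defaultdict(int)   # account -> rejected submissions

    def submit(self, now, account, recipients):
        """Return (accepted, reason); `account` is None for unauthenticated clients."""
        if account is None:
            # Closed relay: without a customer login, only local mailboxes are reachable.
            local = recipients and all(
                r.rsplit("@", 1)[-1].lower() in self.local_domains for r in recipients)
            return (True, "local delivery") if local else (False, "relay denied")
        if len(recipients) > MAX_RECIPIENTS:
            return self._reject(account, "too many recipients")
        window = self.sent[account]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                 # forget sends older than the window
        if len(window) >= self.max_per_window:
            return self._reject(account, "rate limit")
        window.append(now)
        return True, "accepted"

    def _reject(self, account, reason):
        self.rejections[account] += 1        # counted for outbound monitoring
        return False, reason

    def suspects(self, threshold=3):
        """Accounts with repeated rejections: candidates for a breached machine."""
        return sorted(a for a, n in self.rejections.items() if n >= threshold)
```

Repeated rejections for one account are the kind of signal the monitoring item describes, so `suspects()` gives the abuse desk a starting list.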
If your ISP is not doing a good job with each of the four items above, then you are at increased risk of having your e-mail blocked because it shares an IP address that can be used by spammers. And remember, while it is easy to blame foreign sources for much of the spam that arrives in U.S. inboxes, the top six ISPs currently providing connectivity and hosting to known spammers are all based in the United States.
Anthony Mitchell, an E-Commerce Times columnist, has been involved with the Indian IT industry since 1987, specializing through InternationalStaff.net in offshore process migration, call center program management, turnkey software development and help desk management.