By Jack M. Germain, TechNewsWorld (part of the ECT News Network)
06/10/04 6:37 AM PT
Spam is stuffing consumer and corporate e-mail inboxes with useless pitches for unwanted products and services. It is also clogging bandwidth and contributing to traffic congestion on the Internet.
Experts estimate that as much as 60 percent of all e-mail that enters inboxes every day is spam, unsolicited commercial e-mail that targets e-mail addresses randomly created or culled from the Internet and mass-marketing lists. The problem grows worse with each passing month. Some security experts worry that, if left unchecked, business e-mail will become far less useful as a marketing and communications tool.
In Part One of our Spam Wars feature [Jack M. Germain, "Spam Wars: The Ongoing Battle Against Junk E-Mail," TechNewsWorld, June 8, 2004], TechNewsWorld explored what security experts fear will be the next generation of spam attacks. Our inboxes will most likely be flooded with more sophisticated junk mail attacks. These attacks will combine the worst of today's network worms with the newest tricks created by virus writers.
In Part Two of the Spam Wars feature, TechNewsWorld takes a look at other issues involving junk e-mail.
Can-Spam Laws Dented
After several years of failed bills to stuff spam into an e-mail can, Congress finally passed a compromise law known as the Can-Spam Act of 2003. Officially dubbed the Controlling the Assault of Non-Solicited Pornography and Marketing Act, the legislation requires unsolicited commercial e-mail messages to be labeled and to include opt-out instructions, plus the sender's physical address.
The federal law, which took effect on January 1, 2004, also outlaws deceptive subject lines and false headers in messages. The federal legislation overrides less comprehensive antispam laws in 35 states. Although not required to do so, the FTC is authorized to establish a "do-not-e-mail" registry. Plans for such a registry are several years away.
Are these Can-Spam rules really stuffing junk e-mail into the can? So far, no. But industry watchers admit that more time is needed for prosecutors to use the teeth Congress put into the first-time antispam law. So far, there haven't been any precedent-setting cases against spammers who spawn sexually oriented e-mail or Viagra offers, or anything else for that matter.
Under this new law, state attorneys general, the FTC and ISPs can seek civil enforcement. The law provides criminal penalties for hacking and sender falsifications. But the Can-Spam Act cannot address spam sent from outside the United States, where many of the world's busiest spammers are located.
"The Can-Spam Act was never intended as a silver bullet, but it is an important and necessary weapon in a more comprehensive antispam arsenal," Scott Chasin, CTO of MX Logic, told TechNewsWorld. "We firmly believe that continued enforcement of the law, industry cooperation on e-mail authentication, continued technological innovation and end-user education and empowerment will reduce spam."
MX Logic provides subscribers with a managed e-mail defense service. It also offers an e-mail defense gateway service for e-mail service providers. Technology solutions such as the one MX Logic offers will have to work hand-in-hand with any legal assault the Can-Spam Act can muster.
Spammers can easily churn out millions of messages per hour, and more than 60 percent of Internet e-mail traffic today is spam, noted Chasin. In addition, it is costly and difficult to uncover the sender's identity. Spammers are using increasingly sophisticated software that makes them even better at covering their tracks and harder to find, he said.
Education Is the Key
Jeremy Poteet, author of the soon-to-be-released book Canning Spam: You've Got Mail (That You Don't Want), told TechNewsWorld that consumers don't know enough about spam to prevent the problems it causes. Most people get spam and are not aware of the viruses it can contain. "They need to take steps to minimize the damage," he said.
Felix Lin, CEO and cofounder of Qurb, couldn't agree more. His company provides software to protect against spam, spoofing and e-mail fraud. "Most people are far too trusting when it comes to opening e-mail. Spammers take advantage of brand name recognition," he said.
MX Logic's Scott Chasin said it is essential that industry leaders and policymakers help educate consumers on how to protect themselves from unwanted e-mail, viruses and other threats. He offered four rules to handle junk e-mail.
First, never open e-mail from unidentified parties. Second, do not purchase products from companies or individuals with whom you are not familiar. The Pew Foundation recently reported that seven percent of Americans have purchased something from an unsolicited commercial e-mail. "Until spammers no longer have a ready market, they will continue to send their bulk messages," said Chasin.
Rule three is to be wary about giving out e-mail addresses where they can be harvested. The biggest sources of confirmed e-mail are chat rooms, personal Web sites and blogs. The last rule is perhaps the most important one for consumers, who should make sure that their ISP has an effective antispam solution in place to protect them. An effective system will give consumers a way to manage personal spam quarantines. It will also have an easy response mechanism to report any undetected spam and block it immediately.
Beware Hidden Dangers in Spam
MX Logic research has found that nearly half of spam is bugged with malicious scripts. To ensure an address is valid and ripe for future spamming, spammers embed "Web bugs" or "spam beacons" -- pieces of HTML code -- into their spam messages, Chasin told TechNewsWorld.
Spam beacons are a variant of Web bugs. Web marketing companies traditionally use them to measure page views and track Web surfing behavior. Once a user opens or even previews an e-mail containing an embedded spam beacon, it sends its signal back to the spammer, validating the address. Chasin said the spam beacon is a query or script string that can contain an encoded form of the recipient's e-mail address embedded in a Web request.
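The beacon mechanism described above can be checked for on the receiving side. The following is an added example, not code from the article or from MX Logic: it scans an HTML message body for remote references whose URL carries the recipient's address in some encoded form. The function names, the set of encodings tried, and the sample message are assumptions made for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Tags that make a mail client fetch a remote URL when the message is rendered.
FETCH_ATTR = {"img": "src", "iframe": "src", "script": "src", "link": "href"}

class RemoteRefs(HTMLParser):
    """Collect (tag, url, attrs) for every remote fetch in an HTML body."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(FETCH_ATTR.get(tag, ""), "") or ""
        if url.lower().startswith(("http://", "https://")):
            self.refs.append((tag, url, attrs))

def address_encodings(addr):
    """Encodings of the recipient address to look for (assumed, non-exhaustive)."""
    raw = addr.lower().encode()
    return {"plain": addr.lower(), "hex": raw.hex(),
            "base64": base64.b64encode(raw).decode().rstrip("="),
            "md5": hashlib.md5(raw).hexdigest()}

def find_beacons(html, recipient):
    """Return [(url, reasons)] for remote references that look like beacons."""
    parser = RemoteRefs()
    parser.feed(html)
    needles = address_encodings(recipient)
    findings = []
    for tag, url, attrs in parser.refs:
        parts = urlsplit(url)
        hay = unquote(parts.path + "?" + parts.query)  # undo %40 and similar
        # base64 is case-sensitive; the other encodings are compared in lower case
        reasons = [name for name, n in needles.items()
                   if n in (hay if name == "base64" else hay.lower())]
        if tag == "img" and attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            reasons.append("tiny-image")
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed sample message body for recipient alice@example.com
SAMPLE_HTML = """<html><body><p>Special offer!</p>
<img src="http://track.example.net/o.gif?id=alice%40example.com" width="1" height="1">
<img src="http://img.example.net/banner.jpg?u=YWxpY2VAZXhhbXBsZS5jb20" width="468" height="60">
<img src="http://cdn.example.org/logo.png" width="120" height="40">
</body></html>"""

if __name__ == "__main__":
    for url, reasons in find_beacons(SAMPLE_HTML, "alice@example.com"):
        print(url, reasons)
```

A mail gateway or client that does not load remote content until the user asks for it prevents the request from being sent in the first place; a scan like this one is useful for measuring how much incoming mail carries such references.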
"Millions of users are unaware that spammers have the ability to track them when they view and open their e-mail. While Web bugs are not a new phenomenon to the Internet, MX Logic's data shows that nearly one out of two spam messages now contains these beacons. This reinforces the fact that spammers are using increasingly deceptive tools to invade end users' privacy and harvest valid e-mail addresses," Chasin said.
Old Internet Needs Makeover
The message is clear, according to security experts. Industry groups must work together to improve the security in e-mail protocols and identity management. Short of rebuilding the Internet protocol and infrastructure, spam and worm or virus attacks will never go away.
Chasin agrees with that view. SMTP is fundamentally insecure. As an open recipient protocol, recipients generally have to accept the e-mail that is sent to them, even when it is malicious or junk.
"So the short answer is 'yes.' Until the messaging protocols of the Internet are made more secure, e-mail and the computers of e-mail users will always be susceptible to a variety of attacks," Chasin said. "In the meantime, assuming that new protocols in the future would be sufficient to prevent these attacks, e-mail security will continue to involve four parts: technology, legislation, end-user education and industry cooperation."