Opinion
Computing Applications Inside risks

Spam Wars


In the June 1997 edition of this column, Peter Neumann and I asked if you were being "flooded" with spam. At the time, spam was already annoying, but as it turns out the real torrent hadn’t even begun! Fast-forward to 2003, and spam now threatens the Internet’s stability and reliability—not only of email systems, but potentially of the network infrastructure itself. Spam is quite probably a greater actual threat to the stability of the Internet today than the theoretical risk of Net-based terrorism. Estimates are that typical Internet users’ inbound email may now be about 50% spam. Highly visible email addresses are pounded even harder. A couple of years ago spam likely accounted for something less than 10% of overall email received. The trend-line is alarming to say the least.

We will drown in spam unless solutions can be found. Organizations ranging from the Federal Trade Commission (which belatedly wants more anti-spam powers) to the American Marketing Association (which worries that its members’ email marketing messages are "misconstrued" as spam), as well as other public and private organizations, tend to propose generally simplistic spam-cure patent medicines.

Yet, most of the hodgepodge of "quick fix" spam control ideas seem unlikely to significantly stem spam’s flow, and in many cases may do more harm than good. Legislation to explicitly outlaw spamming is certainly necessary, but tends to be of limited usefulness except against big and obvious spammers, an issue further complicated by spam’s global and easily obfuscated reach. Poorly written anti-spam laws might actually have the perverse effect of legitimizing gigantic amounts of "unsolicited bulk email"—that is, spam! The crooks using spam to hawk fake bodily enhancement products, illegal cable TV boxes, and Nigerian free-money frauds (to name but a few) are unlikely to be concerned about legal strictures against spam.

Common spam filtering programs are usually of the "dirt under the rug" variety. They categorize and/or delete spam messages after they’ve been received by systems, but by then much of the bandwidth and processing costs of the spam have already been wasted. The false-positive rate with such programs is also a major problem—important non-spam email is frequently misidentified as spam and relegated unseen to the bit-bucket.

Other ad hoc technical measures against spam can have negative consequences of their own. ISPs increasingly engage in severe restrictions (such as preventing subscribers from running their own secure mail servers) that hobble users, don’t significantly affect the overall spam flow, and can also inflict collateral damage to innocent sites.

Technical anti-spam fads such as "challenge-response" threaten to tangle users’ email and legitimate Internet mailing lists into knots, while actually increasing the flow of spam-related traffic due to bounced and misdirected spam challenges. Today’s Internet email systems (basically defined more than two decades ago) are inadequate to deal with the email environment we now face, in terms of spam and other critical problems such as security, reliability, and authentication. It is time for fundamental change, rather than Band-Aid, piecemeal-reactive approaches.

There are various possible evolutionary routes toward practical, sustainable, and significantly fundamental structural changes to Internet email that could be implemented in phased approaches to avoid unreasonable disruption of existing email systems during a transition period. Peter and I have proposed one such path for discussion, which we’ve dubbed "Tripoli" (for Triple-E, Enhanced Email Environment). Tripoli focuses on vesting email control decisions with users (especially the recipients of email), rather than ISPs or governments.

Tripoli postulates a token-based authentication system to provide for flexible spam controls, along with intrinsic encryption and other security functions, while still providing the option of permission-based "anonymous" email communications. Importantly, we believe the Tripoli framework deals appropriately with the free-speech and other concerns we expressed in our earlier column regarding anti-spam policy issues. We hope Tripoli will provide a useful and continuing contribution to the ongoing debates over email futures. (Please see www.pfir.org/tripoli-announce for details.)

Unless we get started now on the onerous but necessary task of fundamentally redesigning Internet email in a sustainable manner, we will find that our electronic mail nightmare has just begun.


Communications of the ACM (CACM) is now a fully Open Access publication.
