By now, my faithful readers, you've likely read Jacqueline Emigh's excellent series on spam. Her series covers all manner of different spam-fighting strategies and products, from self-management to using hosting services. In this two-part series, we are going to look at fighting spam from a different perspective -- cutting it off at the source.
All the Bayesian filters, Perl scripts, blocklists, and hosting services do nothing to actually stop spam from proliferating; they merely prevent some of it from reaching your inbox. It's also an ever-escalating battle, as spammers expend considerable ingenuity and resources on foiling filters and blocklists. As soon as one avenue is blocked, they find another.
Why Spam Is Bad
Let's review what makes spam so evil. Yes, I mean evil, and I do not use the word lightly. The primary concept to understand is theft of services. Every Internet user subsidizes spammers. There is already precedent for allowing this cost-shifting of marketing costs from the seller to the recipient -- our private postal mailboxes, telephones, and fax machines have long been considered merely marketing tools for any idiot who wants to sell stuff. It's too bad we let them get away with it, because with email the problem is a million times worse. With postal mail and telemarketing there are built-in cost limitations. Cost constraints are considerably lessened with fax spams -- robo-dialers and low connection charges make it inexpensive to fax-spam huge numbers of people -- which has led to the creation of laws prohibiting this misuse of faxing.
But even with cost constraints and laws, the recipient (note that I do not say "customer" or "consumer") is still subsidizing the mass-marketer. We are not compensated for a spammer's use of our private personal property. We do not share in their profits from selling and re-selling our personal data. These days, the most valuable asset a company has is its customer database. That's why grocery stores use "membership" cards, and it's also the sole purpose of contests. Almost any large company you do business with relies on the selling of customer data as a major profit center.
Email spam elevates this cost-shifting, this theft of services, to new and astounding heights. It is so inexpensive to spew forth a million emails that there is zero incentive to exercise any restraints whatsoever. My main public email address, firstname.lastname@example.org, is so polluted it is nearly unusable. It receives over 150 spams per day. The majority of them are unreadable: HTML formatted, foreign languages, and the most laughable of all, attachments in .eml format, which is for Outlook Express. The latest greatest spam assault tactic is multiple sends of the same message -- as if seeing ten copies of the exact same message is going to make you more inclined to buy into what the spam is selling!
Cheap = Fraud
The lower the cost, the greater the fraud. I receive the least amount of fraudulent spam in my postal mail. Running second is telemarketing, while the undisputed world champion is, of course, email spam. In the last two weeks, I have received maybe a half-dozen offers for real products. Unless you count porn, which I do not, that's over 2100 fraudulent ads.
Even when the spam is pushing legitimate offers, it is still wrong. I did not consent to receive any of the messages in my inbox. Consent is the key principle here; it is my private property. I am paying for my bandwidth, storage, and labor to manage this flood of trespassing spew, while the senders are getting a free ride.
"It's No Big Deal; Just Hit Delete"
If this is your philosophy, you haven't been paying attention. Go back and start over. William R. James wrote a wonderful essay called "Thank The Spammers". It is a must-read. My personal favorite quote is:
"They found that they could abuse the relays and cost others hundreds or even thousands of dollars, but it prevented them from losing the $10 dialup account or free NetZero account. It's like a thief who steals a $1000 wedding ring with priceless sentimental value just to sell it for a $20 cocaine fix."
Spammers are vandals and parasites. Some estimates put the annual industry cost of being forced to deal with spam at $10 billion. AOL estimates spammers cost them $5 per account. Just think, if it weren't for spam, AOL customers could be paying $17 per month instead of $22.
What to Do
First you must protect yourself. The most important things you can do are: 1) Do not use Outlook or Outlook Express, and 2) Turn off everything in your mail client that a spammer can exploit:
- Disable automatic 'read' and 'reply' confirmations.
- Disable HTML -- read mail in plain text only. Spammers use an astounding assortment of web bugs and scripts that collect and send data, download images and Web pages, and automatically sign you up for yet more spam.
- Block your email client from port 80 (HTTP), so it cannot fetch anything from the Web on its own.
- Never ever respond to a spam message -- do not purchase any product and do not reply.
- Do not use any "remove" links, as all they do is confirm a live address and get you more spam (trust me on this one).
If you must use Outlook, disable everything: scripting, preview pane, HTML, auto-replies, the works. There's a reason spammers and virus authors target Outlook -- it's very accommodating of misuse.
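To make the hardening list above concrete, here is an added example (not code from the original column) that parses a constructed spam-like message with Python's standard `email` library, renders only its text/plain part, and reports the things a permissive client would act on: read-receipt request headers, remote images and scripts in the HTML part, and "remove" links. The sample message, its addresses and its hosts are all constructed placeholders.

```python
"""Show what a plain-text-only, no-receipts mail client protects you from.

Renders only the text/plain part of a message and lists the parts a
permissive client would act on automatically: read-receipt requests,
remote resources (web bugs, scripts) in the HTML part, and 'remove' links.
"""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message: every address and host here is a placeholder.
SAMPLE = b"""From: Deals <deals@spam.example>
To: you@example.org
Subject: You have won!!!
Disposition-Notification-To: deals@spam.example
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Congratulations! Visit our site to claim your prize.
To be removed reply with REMOVE in the subject.

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Congratulations! <a href="http://tracker.spam.example/click?id=123">Claim</a></p>
<img src="http://tracker.spam.example/pixel.gif?id=123" width="1" height="1">
<script src="http://tracker.spam.example/collect.js"></script>
<p><a href="http://tracker.spam.example/remove?id=123">Remove me</a></p>
</body></html>
--b1--
"""

# Headers that ask the client to confirm the message was opened or displayed.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")
# Tags whose src/href make an HTML-rendering client fetch something over the network.
REMOTE_RE = re.compile(
    r'<(?:img|script|iframe|link)\b[^>]*\b(?:src|href)="(https?://[^"]+)"', re.I)
# Links whose visible text invites you to "remove" or "unsubscribe".
REMOVE_RE = re.compile(
    r'<a\b[^>]*href="([^"]+)"[^>]*>[^<]*\b(?:remove|unsubscribe)\b', re.I)


def analyse(raw: bytes) -> dict:
    """Return the plain-text view plus the findings a hardened client neutralises."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text_part = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    return {
        # What a plain-text-only client shows: no tags, no fetches, no scripts.
        "plain_text": text_part.get_content() if text_part else "",
        # Receipt requests a client with auto-confirmations enabled would answer.
        "receipt_requests": [h for h in RECEIPT_HEADERS if h in msg],
        # URLs an HTML-rendering client would fetch on open (web bugs, scripts).
        "remote_resources": REMOTE_RE.findall(html),
        # "Remove" links, which only confirm a live address when followed.
        "remove_links": REMOVE_RE.findall(html),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print("Plain-text view:\n" + report["plain_text"])
    for key in ("receipt_requests", "remote_resources", "remove_links"):
        print(f"{key}: {report[key]}")
```

Everything in `remote_resources` is a network request the client would make silently on open, which is exactly what disabling HTML and blocking port 80 prevents; the receipt header is what the first item on the list turns off.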
Use whatever filtering and blocking it takes to save your sanity, and maintain the usability of your inbox. The next step is to actively combat spam. The spam war is fought on two major fronts: technical and legislative. Most spam legislation is along the lines of requiring honest headers and contact information; legislators still don't understand the "theft of service" aspect, and so they continue the precedent that our private, personal property is fair prey for mass-marketers. As Mitch Wagner said in his excellent article, "There's No Such Thing As Legitimate Spam": "If the dirty-raincoat-and-five-o'clock-shadow crowd are cleared away from spam, the problem of volume won't get any better. Indeed, it'll get WORSE when multibillion-dollar consumer corporations get into it."
Whatever your feelings on the subject are, there's a great deal of legislative activity happening at the state and federal levels, so if you wish to get involved, you need to get moving.
On the technical front, there is a bewildering array of activist groups and resources. There are two that I use extensively: Spamcop and NANAE/NANAS. Spamcop is an automated spam-reporting service that digs through all the deceits and obfuscations to find the true origins of spams and then sends out abuse reports. Spamcop offers other services as well, including filtered email accounts and an excellent DNS-based blocklist (DNSRBL). Spamcop adds entries to its DNSRBL based on spam reports, so false positives and collateral damage are kept low.
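As an added illustration of how a DNS-based blocklist is consulted (this is not Spamcop's code, and the zone name below is a placeholder since the page does not give one), the following Python builds the lookup name by reversing the address octets under the blocklist zone, interprets an answer in 127.0.0.0/8 as "listed", and applies the RFC 5782 sanity check that a working zone lists 127.0.0.2 and never 127.0.0.1. The resolver is injected and a constructed fake zone is used so the example runs offline; this generalises slightly beyond the page by also handling IPv6 nibble-reversed names.

```python
"""How a DNS-based blocklist (DNSBL) lookup works, with an offline resolver."""
import ipaddress
from typing import Callable, List, Optional

# Placeholder zone name (assumption): the real zone of any given DNSBL is not on the page.
ZONE = "dnsbl.example"

Resolver = Callable[[str], List[str]]  # name -> A records, or [] for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: reversed IPv4 octets (or IPv6 nibbles) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6 DNSBLs use one label per hex nibble, least significant nibble first.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def is_listed(ip: str, resolve: Resolver, zone: str = ZONE) -> Optional[str]:
    """Return the 127.x.y.z return code if `ip` is listed in `zone`, else None."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        # Only loopback-range answers are DNSBL return codes; anything else is ignored.
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


def zone_is_alive(resolve: Resolver, zone: str = ZONE) -> bool:
    """RFC 5782 convention: a working DNSBL lists 127.0.0.2 and must not list 127.0.0.1.

    A zone failing this check is dead, misconfigured or blanket-listing, and
    should not be used to reject mail.
    """
    return (is_listed("127.0.0.2", resolve, zone) is not None
            and is_listed("127.0.0.1", resolve, zone) is None)


# Constructed stand-in for DNS: a zone where 192.0.2.5 (documentation range) is listed.
FAKE_ZONE = {
    "5.2.0.192." + ZONE: ["127.0.0.2"],
    "2.0.0.127." + ZONE: ["127.0.0.2"],  # the mandatory test entry
}


def fake_resolve(name: str) -> List[str]:
    """Pretend resolver: returns the constructed zone's A records or [] for NXDOMAIN."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    print("zone alive:", zone_is_alive(fake_resolve))
    for ip in ("192.0.2.5", "192.0.2.6"):
        print(ip, "->", dnsbl_query_name(ip), "listed:", is_listed(ip, fake_resolve))
```

Against a real zone you would replace `fake_resolve` with a function that performs an A lookup (for instance with the `socket` module or a DNS library) and returns `[]` on NXDOMAIN; the `zone_is_alive` check is worth running at startup so a blocklist that silently dies or starts answering for everything does not take your inbound mail down with it.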
NANAE is the Usenet group news.admin.net-abuse.email. It's a great place to get educated on spammers and their tactics, how to collect evidence, and how to make abuse complaints. NANAS (news.admin.net-abuse.sightings) is a companion group to NANAE. Post spams there to create a public record. NANAS is extremely useful for penetrating spammers' lies and for documenting how huge the spam problem truly is.
In Part 2 we'll look at specific ways to cut off spam at the source.
Stomping Out Spam: The Spam Series, Part 1
Picking Your Anti-Spam Poison: The Spam Series, Part 2
In the Year 2005, Will Your Anti-Spam Arsenal Be the Same? The Spam Series, Part 3
Realtime Black-hole Lists: Heroic Spam Fighters or Crazed Vigilantes?
Spam's Cost To Business Escalates
Thank The Spammers
There's No Such Thing As Legitimate Spam