February 9, 2004
Spam: Is there any hope?
By Tim Stephens
The volume of spam clogging the nation's In boxes crossed a threshold
of sorts last year, prompting action on several fronts to thwart the
onslaught of unsolicited commercial e-mail.
on countering spam from Communications and Technology Services
Martín Abadi, professor of computer science at UCSC,
said he is "somewhat optimistic" about controlling spam.
Photo: Tim Stephens
Major Internet and software companies, such as Yahoo and Microsoft,
are mounting campaigns against spam, and the first federal anti-spam
legislation--the "Can-Spam Act"--took effect January 1.
But most experts do not expect to see any decline this year in the
number of e-mail promotions for generic Viagra, bogus investment schemes,
and the like.
Although UCSC computer scientists are hopeful about the prospects for
eventually bringing the plague of spam under control, they say relief
is likely to come slowly.
"Eliminating spam is difficult, not least because it is hard to
define spam precisely. But I am somewhat optimistic on controlling spam,"
said Martín Abadi, professor of computer science at UCSC and
an expert on computer security issues.
"As in other security issues, spam prevention deals with an adversary
that does not necessarily play by the rules. But some of the concepts
and techniques developed in the area of computer security over the years
may be quite helpful," Abadi said.
Spam filters are currently the main weapon in the war on spam. But
the effectiveness of spam filters is limited by the ability of spammers
to counter the filtering technology, said Raymie Stata, an assistant
professor of computer science.
"It is too easy for the spammers to adapt to the filters, so there
is reason to be somewhat pessimistic that filters by themselves will
solve the problem," Stata said.
Stata is cofounder of Stata Labs, which offers a top-rated spam filter
based on the open-source Spam Assassin technology. Consumer Reports
magazine last year rated the company's free SAproxy spam filter as the
most effective at blocking spam while still letting legitimate e-mail
get through. SAproxy basically puts the Spam Assassin technology in
a more user-friendly package.
Spam Assassin is also used by UCSC's Communications and Technology
Services (CATS) on the campus mail server to scan incoming mail. CATS
doesn't block messages identified as spam, but marks them so that individual
users can easily block them using the filters in e-mail programs such
as Eudora. (See sidebar story: "What
Can You Do?")
According to Stata, filtering at different levels of the network will
always be necessary, but other approaches, both legal and technological,
will also be needed to win the war on spam.
The "Can-Spam Act" (officially the Controlling the Assault
of Non-Solicited Pornography and Marketing Act) was approved by Congress
and signed into law by President Bush in December. Among other things,
it makes it illegal to send falsified e-mail headers and requires spammers
to let recipients unsubscribe from their lists. But enforcement of such
provisions remains a significant challenge.
Prototype registry developed at UCSC
The act also paves the way for a national "opt-out" registry
for spam similar to the do-not-call list recently established for telemarketers.
UCSC computer scientists have already developed the technology to run
such a registry.
"An opt-out registry by itself won't get rid of spam, but it gives
people another tool to use against the bulk e-mailers," said Arthur
Keller, a visiting associate professor of computer science at UCSC,
who led the team that designed a protoype system for an opt-out registry.
Four UCSC students worked with Keller to design the opt-out registry:
Thomas Belote, Lee Holloway, and John Rodrigues all earned B.S. degrees
in computer science, and Dat Nguyen is a graduate student in computer
engineering. They designed the prototype with a variety of features
to ensure its reliability and security. In January, the technology was
licensed to a Chicago-based consulting firm, Unspam.
But the idea of an opt-out registry has its critics. Some consumer
advocates would prefer an "opt-in" registry, whereby companies
could only send marketing offers to people who have requested them.
An opt-in registry would face legal challenges, however, based on the
consitutional free-speech rights of advertisers, Keller said.
"After all, it isn't constitutional to ban solicitors going to
all houses, but you can post a 'no solicitors' sign in front of your
own house," he said.
The opt-out registry is patterned after the highly popular do-not-call
list. But the Federal Trade Commission (FTC), which is charged with
developing a plan for the registry under the Can-Spam Act, has expressed
concern about the security of the addresses registered on the list and
the reliability of the registry.
The prototype opt-out registry developed by Keller and his students
addresses these problems. Although some experts remain skeptical of
the opt-out concept, Keller argues that an opt-out registry can provide
the basis for effective legal actions against renegade spammers if it
is backed up by sufficient funding for enforcement.
"I'm hoping that our prototype system can serve as a model for
a reliable and secure registry," he said.
Change in Internet email protocols proposed
Another approach proposed by some experts would involve making a minor
change in the Internet protocols used to distribute e-mail. The aim
would be to make it more difficult for spammers to cover their tracks
by falsifying their electronic identities. Even a small change could
greatly enhance the effectiveness of both spam filters and an opt-out
"What is needed is some form of authentication or accountability
in the sending of e-mail," Stata said. "My hope is that a
small change in the relay protocols will introduce enough accountability
to allow these other solutions to work better."
Implementing such a change throughout the Internet infrastructure,
however, is no simple task. The Internet is made up of many interconnected
networks that are owned and operated by different companies. The companies
would have to agree to support the new protocol, and it would take time
to roll it out, Abadi said.
Yet another proposal, most recently advocated by Microsoft chairman
Bill Gates, would involve charging senders of e-mail a small fee or
tax. The fee would be so small as to be insignificant for regular e-mail
users, but would add up to substantial amounts for the spammers who
send millions of e-mails daily. A variation on this theme would give
recipients the option to decide which senders to charge and how much,
depending on how annoying the e-mail is.
Multifaceted approach supported
Keller said he favors the multifaceted approach advocated in an article
in Business Week magazine last year (August 11, 2003). The article
called for a combination of a centralized opt-out registry; stepped-up
enforcement of anti-spam laws, along with a "right of private action"
allowing individuals to sue spammers (something specifically denied
by the Can-Spam Act); international cooperation; new Internet e-mail
protocols; and more effective filtering technologies.
"It is clear that no one approach alone will solve the problem
of spam," Keller said.
At stake is the usability of e-mail itself. In a recent national survey,
25 percent of e-mail users said the ever-increasing volume of spam has
reduced their overall use of e-mail, and 60 percent of that group said
spam has reduced their e-mail use in a big way.
According to Stata, however, the war on spam is just getting started.
"I think we will see a fierce battle, and at first it may look
like the spammers are winning, but eventually I believe a combination
of legislation, infrastructure changes, and filtering at multiple levels
will come together to solve the problem," he said.
Return to Front Page