February 20, 2006
Computer scientist fights spam on two fronts
By Chandra Shekhar
A "do-not-spam" registry developed as a student project at UCSC has now been implemented in two states as part of child protection legislation. Designed to shield minors from e-mails with adult content, the registries established in Utah and Michigan are the first of their kind in the country.
Another recent anti-spam project involving UCSC researchers is designed to thwart the "harvesters" who trawl the Internet for e-mail addresses to add to their spam mailing lists.
"These are big steps in the war against spam," said Arthur Keller, a research associate in the technology and information management program of UCSC's Baskin School of Engineering, who supervised the student project and collaborated on the development of the state registries.
Recently enacted anti-spam legislation in Utah and Michigan paved the way for the child protection registries. The new state laws require companies sending e-mails with adult content to have their mailing lists "scrubbed" of all registered e-mail addresses of minors. For each prohibited message that a company sends to a registered e-mail address, it will face damages of $1,000 in Utah and $5,000 in Michigan.
The registries are based on a prototype do-not-spam registry developed between 2002 and 2003 by a team of UCSC engineering students under the direction of Keller. The students--Lee Holloway, John Rodrigues, Dat Huu Nguyen, and Thomas Belote--have all since graduated with degrees in computer science or computer engineering.
In 2003, UCSC licensed the registry prototype to Unspam, a company that offers anti-spam software and services, after a fortuitous meeting between Keller and Unspam CEO Matthew Prince at a Federal Trade Commission workshop. Keller and Holloway have both continued to work with Unspam on anti-spam strategies.
"I was lucky to find the right partner," Keller said. "We were both on the same track, but Matthew knew a lot more than me about getting the anti-spam legislation adopted."
In the model developed by Unspam, companies pay less than one cent to check each address in their mailing lists against a state registry. The revenue is divided between Unspam and the state. There is no charge to register a minor's e-mail address.
Although the successful implementation of the child protection registry is a promising start in the battle against spam, a nationwide do-not-spam registry faces obstacles. First, the child protection registry itself has come under legal attack. The Free Speech Coalition, a trade association of the adult entertainment industry, has launched a federal lawsuit challenging Utah's anti-spam law on constitutional grounds. If the lawsuit succeeds, the state's registry would have to be dismantled. But Keller predicts the lawsuit will fail.
"The child protection registry is not a violation of first amendment rights," he said. "The spammer's right to send something does not override my child's right to be left alone."
The Federal Trade Commission (FTC) published a report in 2004 skeptical of the do-not-spam registry concept. It said such a registry would fail to reduce the burden of spam, since no reliable mechanism exists to identify violators. Further, it warned that spammers could break into the registry to steal e-mail addresses.
Keller, however, cited several safety features in the Unspam system that addressed the FTC's concerns. "It is absolutely hack-proof," he said.
Keller said the successful implementation of the child protection registries could eventually lead to a nationwide do-not-spam registry that protects both minors and adults from all types of spam.
"The FTC took 10 years to create a do-not-call registry for telemarketers from the time it was authorized," he said. "I won't be surprised if a do-not-spam registry takes equally long."
In the meantime, Keller, Holloway, and Prince have launched another anti-spam initiative, dubbed Project Honey Pot, designed to catch spammers in the act of "harvesting" e-mail addresses from the Internet. E-mail harvesting is illegal in the United States under the CAN-SPAM act of 2003, but until recently no mechanism existed to catch harvesters red-handed, Keller said.
Spammers typically find the e-mail addresses of their victims with automated programs called robots, which ceaselessly scour the billions of web pages on the Internet. Most robot traffic on the Internet is from legitimate companies like Yahoo and Google, but about 5 percent comes from harvesters.
To trap harvesters, Project Honey Pot has salted the Internet with a network of over 250,000 web sites containing bogus "spam trap" e-mail addresses. These "honey pot" sites can be visually identified by a legal disclaimer forbidding the harvesting of the addresses they carry. Accessible only via special links from about 5,000 participating web sites worldwide, the honey pot sites are visible to robots, but not to humans. Each time a robot follows one of the links to a honey pot site, identifying information (such as the robot's IP address) is instantly recorded. If an e-mail address on the honey pot site receives a spam message later, it is easy to identify the culprit, Keller said.
"Gathering these IP addresses is like finding fingerprints at a crime scene," he said. "It provides evidence essential for prosecuting anyone involved in the spam industry."
According to Keller, harvesters come in two flavors: hucksters, who sell an actual product, and fraudsters, who engage in "phishing" and other scams. Hucksters usually take over a month to send their first spam message to a newly harvested address, but then follow it up with many more. Fraudsters, in contrast, typically send a spam message within a day, but rarely send any more.
"Nearly 30 percent of the messages received by Project Honey Pot appear to be related to some sort of phish scheme, advanced fee fraud, or banking scam," Keller said.
Harvesting by fraudsters can usually be blocked by slightly modifying the way e-mail addresses are written on a web page, Keller said. Known as address "munging," this is often done by writing out "at" and "dot" in place of the corresponding symbols in an e-mail address.
Hucksters tend to use more advanced harvesting programs, Keller said, and are not deterred by simple address munging. Their sophistication, however, could become their Achilles heel. Several harvesters of the huckster class have modified their programs to avoid honey pot sites -- even the mention of the words "spam trap" or "honey pot" on a site can deter them. So even regular web sites could include these words to scare harvesters away, Keller said.
The next generation of harvesters may include mechanisms to tell real honey pots from the fakes, but Keller believes Project Honey Pot is a step ahead.
"As spammers adapt to avoid honey pots, we can exploit their adaptations to protect regular web sites," Keller said. "While this is yet another arms race, this time the anti-spam forces are in a position of strength."
Email this story
Return to Front Page