Obviously someone somewhere made a decision to block this stuff. Whether they decided correctly is a moot point. The scary thing is the environment that is prompting them to make these decisions. Perhaps 90% of all email is now spam. A large amount of this spam contains malware (evil software), hence, I imagine, the aggressive content filters that gave me so much grief last week.
Facebook was Invented to Stop Spam?
It did lead me to wonder whether these are the dying moments in email interoperation. For all of it’s benefits, email has over the last ten years or so become more and more trouble, and it may become more trouble than it is worth. People are clearly moving to other mediums for their online communication. One of the reasons for the growth in popularity of web forums is that they avoid the grief of handling email (if you can manage to receive the email with the link to confirm your registration of course).
A number of people have told me they use Facebook to communicate with each other because their work email systems think their friend’s emails are spam. Facebook as a spam protection mechanism – just how unwieldy is that.
Of Course, Email is Hard
Internet email has always been more difficult than it looks. The Internet is a complex ecosystem, full of software from different vendors that, although they theoretically follow the same standards, actually have a huge range of behaviours. The Internet worked originally because people were “Tolerant in what they accept” (Postel’s Law), and even in that environment getting a mail server running was non-trivial. These days you would be well advised to make your mailserver as intolerant as you possibly can – only other mailservers that strictly follow the specification should be allowed, in the hope that the worst written are the ones run by spammers.
Furthermore, lots of additional checks are being imposed, from greylisting to multiline banners to pre-greet delays. All of these stretch the specifications a bit, to try to avoid cheaply written ratware. This is a progressing arms race however – as more servers implement these checks the spammers will improve their software to get around it.
The Technical Solutions and Why They Suck
A number of technical means are in progress that attempt to prevent forgery: Domain Keys, SPF, SenderID and DKIM to name but four. A lot of their proponents have claimed these will be an “end to spam”. Unfortunately they will do no good whatsoever. I’m going to quote Rich Kulawiec here, who puts it far better than I.
Problem number one: the bad guys own everyone already
The problem is that we are currently faced with a network environment in which at least 100M systems have been compromised (and some folks, e.g., Vint Cerf, think there are more — his number is 250M)…
Any email access or credentials present on a compromised system are now fully available to its new owner(s). If it has mail privileges by virtue of its network address, they now own those. If it has mail privileges because the user has accounts at (let’s say) their workplace, AOL, and a freemail service, they now own those too. The new owners can send email using the access privileges or credentials at will — either from that system (in the case of network-based privileges, that seems likely) or from another system (username/password pairs) *including* other compromised systems. Note as well that if the compromised system happens to be a mail server, then a large number of credentials may become available to its new owners very rapidly.
And all this email will be passed by any conceivable “anti-forgery” system: it’s coming from “the right” network address range, or it’s using “the right” username/password pair, etc.
– Rich Kulawiec, mailop mailing list, 12.12.2007
Problem number 2: what we do with them when we’ve caught them
Let me try to answer your question this way. Suppose that tomorrow we had in our possession the MAFT (Magical Anti-Forgery Technology) and that it was deployed globally. What happens next?
Well, one thing that happens is that now we have a way to figure out who’s responsible for sending spam (and phishes and whatnot). Okay, so let’s say that we do that, and as a result of that, we identify example.net as a major culprit in, oh, let’s say, mortgage spam. Torrents of it, nonstop, for months on end.
Now what? I’m not being flip, I mean exactly what do we do next?
Some people would say “get them prosecuted” but that’s a non-starter: what they’re doing may not be illegal in some jurisdictions, it’s not considered worthy of much attention, it might take forever, and even then it might not make the spam stop. Other people would say “litigate”, but unless you have very very deep pockets and are prepared to conduct trans-national litigation, forget it. And again, it might not make the spam stop. And so on, down the list of possibilities until we get to: “blacklist them”. Okay, *that* will make the spam stop, and it works immediately. Moreover, nobody’s sanction is necessary for it — we’re all free to stop offering services to anyone at any time for any reason (or none at all). The only people we’re obligated to provide services for are those with a contract for them.
And now we get to the killer problem with this whole line of reasoning, and it’s contained in what I said above:
Well, one thing that happens is that now we have a way to figure out who’s responsible for sending spam (and phishes and whatnot).
*We can do this today.*
We don’t need the MAFT, because we already know who’s responsible for spam — we’ve known for years. It’s whoever’s systems/network are sending it — i.e. this is part of the principle that if it comes from YOUR system/network on YOUR watch then it’s YOURS. This applies whether you run a /32 or a /8.
The problem is not identifying those responsible. Nor is it figuring out who they really are — Spamhaus, SPEWS, Spam-l, NANAE, and numerous other resources have documented this to an amazing level.
The problem is taking effective action once that information is in hand. And the biggest reason the spam problem is as bad as it is today — and will continue to get worse — is that we, collectively, have failed to take effective action. And the only effective action I’ve seen — ever — is blacklisting. Blacklisting is effective because it forces the consequences of the problem back onto the people causing it. Nothing else does that, and of course that’s why everything else — while it might temporarily stop spam — does *nothing* to stop spammers.
– Rich Kulawiec, mailop mailing list, 13.12.2007
This is a recurring problem on the Internet. If you look at fraud, identify theft, credit card theft and all sorts of computer crime the guilty parties are actually well known. If you ask any Internet security researcher they can provide chapter and verse on individuals and organisations who participate in these criminal activities.
Finding the bad guys is not the problem.
The problem is catastrophic failure of law enforcement. Even when Internet crime actually falls within their jurisdiction (unusual) and they have the will to do something about it (virtually unheard of) they are (understandably) woefully clueless about what to actually do about it.
I’ve blogged previously about the Storm Worm and this precise issue, and it applies equally with spam. Rich says that the only thing that works is blacklisting. Unfortunately for blacklisting to really end spam requires a huge number of people to work together, and their actions have unintended consequences – false positives may be acceptable in the wider scheme of things, but they are definitely unacceptable in those specific instances.
A real law enforcement response has to be the ideal solution. It is a very small number of organisations generating this vast quantity of spam – throw a few of them in prison and the quantities would drop rapidly. Catch and punish enough of them and the problem, as it stands now, will end.
I have my doubts about whether this will ever happen though. Email may become a historical oddity as new private forms of communication are adopted that allow people to hide from the
spammers, or that price them out of the market by adding cost. What a shame that would be.