|
|
email spam - will we ever get rid of it?
In my opinion, probably not.
The trouble is that whatever method we come up with to deal with spam,
the people doing the spamming will continue to devise ways to circumvent the new ideas.
The big problem is that the Internet is built on standards that tend to have the
effect of making things rather 'open'. For example when Internet e-mail first started,
the SMTP standard evolved (Simple Mail Transport Protocol). SMTP servers were configured
to receive mail and send it on to the intended recipients.
The trouble there was that the spammers soon saw that most SMTP servers were set up to
accept mail from absolutely anywhere, so spamming trick No. #1 was to exploit some
sucker's open SMTP relay to send out torrents of spam which was (a) difficult to trace
back to the original spammer and (b) saved the spammer a fortune as the (expensive)
cost of the Internet bandwidth required to send it was borne by the owner of the SMTP
server, not the spammer.
Don't underestimate the skill of the spammers; many of them are highly technically
competent and shrewd businessmen. (Don't get me wrong, I'm certainly not condoning
them, just pointing out that some of them are very smart).
The spammer's concept is just to play a different numbers game from the rest of us.
Let me explain ...
in marketing, most businesses will calculate a ratio of prospects targeted to new
customers converted. This ratio may be in the region of 1%.
The spammers work to different numbers, converting at a much, much lower ratio; say
50 per million. No problem to the spammers – they just increase the number of prospects
they target, and send out quite literally millions of e-mails each time they do a run
of their mail-outs.
The bad news of course is that anyone on the receiving end of these floods of junk has
to deal with the annoyance of blocking or deleting all the unwanted messages.
So why don't the anti-spam measures work?
Here are five anti-spam techniques and their drawbacks ...
- Blacklisting – the spammers spoof the 'from' address so the good guys get blacklisted,
not the bad guys.
- Whitelisting (where you don't accept mail from anyone unless you've made a prior
agreement with them that you'll accept their mail) – suffers from a low take-up as
we don't want to go through to aggro of whitelisting senders (especially in the
commercial context where we may be trying to attract new business by having our
prospects e-mail us).
And, the spammers can still spoof whitelisted 'from' addresses.
- Filtering on certain keywords – the spammers will use all the tricks in the book
to get round this e.g. obfuscating the words in question or even sending entire
e-mails as images which are very easy for humans to read, but very difficult for
anti-spam software to read.
- 'Trained' anti-spam software (gives a message a weight reflecting the probability
that it's good or bad) – the spammers add in a few (or many) bogus words or phrases
to confound the trained software.
- SPF (Sender Policy Framework) which attempts to legitimise the sent e-mail by
getting the receiving mail server to compare where the e-mail claims to have come
from against where it actually has come from). – unfortunately it's too easy for a
spammer to hijack any one of hundreds of thousands of PCs on the Internet that have
inadequate protection and use them to send out spam that conforms to the SPF anyway.
'fraid this list could go on and on.
So what do we do about it?
Well, the best approach is to combine most of the available defence methods,
which I reckon can zap about 95% of incoming spam completely automatically and
silently.
For the rest we have to educate the World on how to keep your e-mail addresses
off the spammers' lists, and how to avoid getting suckered into accidentally
reading the spam at all.
Sorry, but the Internet's a bit like a war zone at the moment – so keep your
heads down and keep your firewalls up!
mole
|
|
|
