Wednesday, December 06, 2006

Press reports about increasing problems with spam; bonded sender programs; Ironport, Truste




On Dec 6, 2006, there were major press reports about the resurgence of spam, especially from outside of the US where spammers are driven by the CanSpam Act. Brad Stone has a report "Spam Doubles, Finding New Ways to Deliver Itself," in The New York Times, p A1, in which he discusses a new "technique" of spammers called "image spam" which outwits existing filter technology. These criminals also outwit attempts to prevent delivery of multiple copies of the same message. Corporations are spending more do deal with spam, and the Seattle Mariners (major league baseball) switched from a system managed by Computer Associates to Barracuda Networks, with some success. The Washington Times has an article by Kara Rowland, "Clever spammers stay 'one step ahead' of law: Federal act fails to stem the tide." The link is here. The article reviews and lists in table format the CanSpam provisions: requiring (1) legitimate headers (2) a non-misleading subject line (3) an opt-out method, and (4) proper labeling of the message as an ad. Legitimate vendors are harmed by the practice, as they are by phishing, which has become more aggressive (telling Bank of America customers that their electronic access will be terminated). Some schemes have promoted illegal "pump and dump" penny stock trading schemes, even without links to websites. There are suggestions that ISP's quarantine home users whose computers become infected with botnets, which are used by spammers to send spam from zombie machines.

I have been very concerned (as noted above) by email sender spoofing, which email protocols (SMTP) still do not detect, and have suggested that charging for email could be a solution. It is true that the law mentioned above makes spoofing a crime, but I don't think that the law has yet become an effective deterrent. I am concerned about possible downstream liability concerns to spoofing targets if they are perceived as "attractive nuisances." Such concerns, I believe, could eventually lead to requiring domain owners to post potential liability bonds. This one reason why I have supported the idea of a small microcharge for each email sent (not a problem for most users with reasonable use), with the revenue use to develop a more secure "spoof-proof" email protocal (rather than the old SMTP).

One problem is that most ISP's offer a large number of email addresses with shared hosting accounts, and many owners will not use them or even monitor them. ISP's also offer "devlnull" delete mechanisms to delete return mail from spoofed spam automatically. That means that an owner may not know that he/she has been spoofed unless there are direct complaints. But there is a possibility that recent rules (announced Dec 1) about retentionr requirements (as a pre-litigation prevention measure) could mean that such deletions would become illegal, and the spoofing problem could suddenly get much bigger. There is more about this problem at this link on my COPA blog.

Even two years ago (during the CanSpam debates), Electronic Frontier Foundation was become very concerned about the effect of anti-spam measures on non-commercial email lists.[32] EFF discusses the concepted of the bonded sender program, which some ISPs (IronPort and TrustE) have offered, which seems like an ominous move in the direction of someday requiring web self-publishers to be bonded because of the potential downstream liability issues. EFF provides best practices for users and ISPs but it seems to me that unusued email facilities with many domains could present potential targets for hackers to break into a domain and send spam from it.

EFF's bibliographic reference is an article by Cindy Cohn and Annalee Newitz: “Noncommercial Email Lists: Collateral Damage in the Fight Against Spam,” Nov. 2004, at this link.

My own experience at home with AOL is much more comforable now that it was in 2002 and 2003. Most illegitimate messages are blocked, but a few (especially Nigerian scams) get through. A few legitimate emails, like bank deposit notifications, do get mistakenly blocked, and I have to check the spam folder every day for these. AOL, as do other ISPs, gives the ability to label unwanted incoming email and report it as spam. On Dec 6, 2006, AOL conducted a survey, and 92% of users reported receiving more spam recently.

McAfee offers a spam filter in a variety of combinations. On my newer laptop, it was included free by Dell; however, since I use AOL for all my email rather than Microsoft Outlook or similar program, I don't really use it.

The spoofing problem (above) needs to be understood in comparison to "reputation defense", discussed earlier in this blog, here.

(Picture: unrelated, from the Poconos in PA).

No comments: