Endless War on Spam

The war on spam threatens to be as endless and futile as the war on terror. A recent CNN/Reuters report claims that 9 out of 10 email messages are spam. I’ve recently been forced to fortify my own defenses, both on this site and on my email server, so I guess it’s a good time for a combination of ranting and geekspeak about the issue.

Like any website that provides opportunity for the outside world to add content, this site is constantly hammered by spammers attempting to use the comment and trackback functions to add links to their sites. Because of the nature of trackbacks, the bogus ones are easy to trap and block. Comments are a tougher issue.

Trackback is a system to allow inter-site discussion. If someone is so fascinated by something here that he mentions it on his own site, and provides a link to here, he can use the trackback option here to point back to his site, so people can see what he had to say. Spammers love this option; they have scripts that repeatedly add “trackback” entries linking to their sites. But, since the purpose of trackback is to identify a site which links back to this one, and the spam sites don’t do that, it’s easy to automatically check their link to see if it’s a legitimate trackback. I was having a small problem with trackback spam, but after implementing that safeguard it has dropped to zero.

Comment spam is a little harder to detect programmatically. Since there is no requirement for comments to contain anything specific, it’s harder to tell what is not appropriate. There are some simple filters here that check for some of the most common spam, but they’re easy to fool. The strongest defense against comment spam is the requirement that users must be registered to comment. That’s a little inconvenient, because it discourages the casual surfers who wander in and would like to comment on something, but without the restriction, the flood of spam comments would be unmanageable.

Until recently, the registration requirement was doing a good job of eliminating spam, since the spammers weren’t going to register. Unfortunately, they’ve gotten creative and developed a system that automatically registers and picks up the emailed password. Within the last couple of weeks, I’ve had at least a dozen new “users” register, most of them purveyors of pornography. Fortunately, their spam attacks after registering were fairly conservative, and most of them were caught by the filters. I’ve only had a few comments I had to delete, but it was obviously just a matter of time before they drove a bulldozer through the loophole. So I had to plug it.

I’ve had to add the extra barrier of requiring new user registrations to be approved before they’re effective. That’s one more discouragement to spontaneous participation, but unfortunately it’s a necessary step until I can implement a better solution for stopping spam registrations. Much like real war, nobody really wins. I’ve suffered a loss, but the spammers haven’t gained anything. Their crap is still being blocked, but I’ve had to sacrifice some function to stop it. They need to die.

Things are a little better on the email front. I’ve been forced to increase defenses there too, but fortunately that can be done with little sacrifice, other than my own time.

A while ago, I wrote about the superiority of IP blacklisting over filtering. Blacklisting is still better, for all the reasons I mentioned, but it’s no longer good enough. I’m stopping over 500 spam messages per day with the blacklists, but a few were starting to slip through. The spammers are doing a good job of hijacking new machines and staying one step ahead of the blacklists. So I finally had to admit that filtering is necessary too, and I installed SpamAssassin.

After some time experimenting with it, it’s doing a very good job of catching the spam that slips through the blacklists. On average, it’s blocking about 10 messages per day that the blacklists missed; and on a couple of days, it’s caught more than 50 messages that would have otherwise ended up in my mailbox. And it’s implemented at the SMTP transaction level, so the message can be immediately rejected, eliminating the bounce or trash quandary.

I’ve determined that one frequently recommended solution, “protecting” your email address, is absolutely impossible. For a long time, net security experts have recommended using “disposable” addresses for purposes that might attract spam, such as public mailing lists or questionable vendors. If such an address fell into the hands of a spammer, you could quit using it with little or no inconvenience, while your “good” address remained safe.

The only way to keep an email address from getting spammed is to not use it at all. For a long time, I used the “different addresses for different purposes” approach. I’ve got dozens of addresses scattered all over the place. That just gives the spammers more targets, so that I would get multiple copies of the same crap at multiple addresses until I got them all turned off. And meanwhile, an address that I use only for communicating with a small elite group of friends is receiving spam. Somehow, one of the Pack has unknowingly let my address slip into the hands of a spammer.

Most likely, I sent something that someone found amusing enough to forward it to a bunch of friends, who may have forwarded it on, etc. There’s probably nobody who hasn’t gotten at least one of those messages with pages of addresses because it has been forwarded dozens of times by people who don’t realize the consequences of sending all their friends’ addresses out into the great unknown. I always thought that would be great spam-bait, and it looks like I was right.

There are lots of double entendres about safe email, but it’s really a lot tougher than safe sex. You don’t just have to worry about all your partner’s prior indiscretions. You can actually be infected as a result of someone else’s unsafe practices long after your own encounter. There is no such thing as safe email. Total abstinence is the only prevention, so a good cure is essential.

I still think shooting spammers would be a good solution. The Reuters article ends on a rather pessimistic note:

Some believe laws and filters will not defeat spam. It will only end when people stop buying diet pills, herbal highs and sexual performance enhancers, said Dave Rand, of Internet security firm Trend Micro.

“The products they are selling by spam are exactly the same products that they sold in the Middle Ages,” he said. “This really is a human problem, not a computer problem.”

It will only end when people stop buying the crap, but people have been buying it since the Middle Ages. So it’s not likely to end. I agree that the sale of snake oil is nothing new, and the crooks are going to use any technology they can to peddle it. But I don’t think we necessarily have to accept the idea that we’re doomed to be flooded with their ads to the point that a wonderful tool becomes unusable.

I think a combination of legislation and technology can work. Tools such as DomainKeys can help verify whether or not mail is from a trusted source. When that concept becomes more widely used, it will be much easier to determine whether email is from a legitimate source, making spam easier to detect. But I still think the bastards need to be shot, which requires laws to make it easier to follow the money. The spammers are very good about obscuring the source of their spam, but if they want your money, they have to tell you where to send it. And it should be possible to track who’s getting the money, and hold them accountable for all the fraudulent email.

And apparently, it can work, because it does elsewhere. Interestingly, another recent Reuters story about spam in Europe paints a more optimistic picture. While acknowledging that most of Europe has a long way to go, they point out the success of Finland and the Netherlands. The Netherlands throws spammers in jail, and has seen an 85% reduction in spam since 2003. I’d
love to see the raw numbers behind that statistic. Since most of the world has seen an enormous increase in spam, I would think an 85% reduction from 2003 numbers would be even more impressive compared to today’s numbers.

One Reply to “Endless War on Spam”

  1. Don’t worry Matt . . . I’ll never spam you with porn . . . unless you ask nicely! *LoL* Seriously though, spam sucks. And as long as they pay people money to send spam, spam will be sent. And as long as (stupid) people buy it, they’ll sell it. Kind of like gas for $5 a gallon. As long as people buy it in droves (and stockpile it when it drops from $5 to $3.50), they’ll sell it for $5 a gallon. Inelastic demand sucks.

Leave a Reply

Your email address will not be published. Required fields are marked *