The Future of Spam

December 16, 2005 at 1:36 pm

In the Beginning

Spam has plagued inboxes since the dawn of Internet time. The problem, succinctly stated, is that people that we don’t know are sending us crap that we don’t want.

Why? Economics. Spammers can realize unimaginable economies. They can send millions of messages every day. All they need is a computer and an Internet connection (“Why, you have those sitting in front of you now!”). Even if only 0.001% of their victims are stupid enough to open, read, and act on the spam, that translates into thousands of hits for their websites.

Conversely, that means that 99.999% of people are just annoyed. With a sufficiently high volume of messages and sufficiently raunchy subject lines, those people might even be outraged. Thus, our battle with spammers is as old as the messages themselves.

Spam Countermeasures

Maybe our real enemy is our own naive optimism. Every time we put a counter-measure in place, we think that we have finally found a solution to spam. In all likelihood, there is no solution. We are doomed to an eternal game of cat and mouse so long as the economic motivation for spam exists.

The Internet’s first reaction to spam was simple enough: find words that spammers use and delete those messages that contain them. You can come up with a list off the top of your head pretty quickly (I would not advise trying to do so out loud).

In retrospect, the spammers’ reaction was just as simple. The first time someone spelled viagra “v1agra”, we were back to square one.

A whole host of attempts followed:

  • Spammers use insecure servers? Block all known insecure servers.
  • Spammers use different words all the time? Use statistical analysis to learn spam words.
  • Spammers are annoying people? Make spam illegal.
  • Spammers moved offshore? Block foreign addresses.
  • Spammers use home dial-up accounts? Block dial-up addresses.

Heuristic filtering. Bayesian filtering. RBLs. Netblocks. Open relays. The list of impressive-sounding names goes on. The point is that all these solutions have something in common. Besides each being over-inclusive and under-inclusive to some degree, they are all reactive, not proactive.
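The word-list filter and the “v1agra” problem described above, as an added example that is not part of the original post: an exact word match misses every respelling, while a version that undoes look-alike characters catches more spam and starts blocking legitimate mail. The word list, substitution table and sample messages are constructed for illustration.

```python
import re

# Constructed word list, for illustration only.
BLOCKLIST = {"viagra", "cialis"}

# Look-alike substitutions to undo before matching (assumed, not exhaustive).
LOOKALIKES = str.maketrans(
    {"1": "i", "!": "i", "0": "o", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s"}
)

def exact_filter(text):
    """First-generation filter: flag a message if any whole word is on the list."""
    return any(w in BLOCKLIST for w in re.findall(r"[a-z]+", text.lower()))

def normalized_filter(text):
    """Reactive fix: undo look-alikes, drop separators, then substring-match."""
    squashed = re.sub(r"[^a-z]", "", text.lower().translate(LOOKALIKES))
    return any(term in squashed for term in BLOCKLIST)

# Constructed messages: (text, is_spam).
SAMPLES = [
    ("Cheap viagra, no prescription", True),
    ("Cheap v1agra, no prescription", True),
    ("Cheap V.I.A.G.R.A today", True),
    ("Cheap vlagra today", True),   # lowercase L standing in for i
    ("Our specialist will review your resume", False),
    ("Lunch on Friday?", False),
]

def score(filter_fn):
    """Return (missed_spam, blocked_legit) lists for a filter over SAMPLES."""
    missed = [m for m, spam in SAMPLES if spam and not filter_fn(m)]
    blocked = [m for m, spam in SAMPLES if not spam and filter_fn(m)]
    return missed, blocked

if __name__ == "__main__":
    for fn in (exact_filter, normalized_filter):
        missed, blocked = score(fn)
        print(fn.__name__, "missed:", missed, "blocked:", blocked)
```

The normalized filter still misses “vlagra”, and it now blocks “specialist” because that word contains a listed term.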

Why Isn’t Anything Working?

SMTP (the Internet protocol for sending mail) was invented around the time DARPA invented the Internet. If you were expecting this to be a long and wearisome history of SMTP, you’re out of luck. Basically, that’s the end of the story.

It worked as follows then and now:

User, a 15-year-old punk short on cash, connects to Mail Server to send a message.

Mail Server: “Hi, I’m Mail Server. Who are you?”

User: “Hi, I’m Bill Gates.”

Mail Server: “Nice to meet you Mr. Gates. I can see that you are connecting from 10.1.1.22, wherever that is.”

User: “I want to send email from billgates@microsoft.com”

Mail Server: “Sure! Who should I send it to?”

User: “How about stupidscamvictim@yahoo.com?”

Mail Server: “OK, what’s the message?”

User: “I am giving away my fortune to a random person on the Internet. You win. Send me your bank account information.”

Mail Server: “OK, thanks!”

Does anyone else see a problem here? I mean, who would actually register “stupidscamvictim@yahoo.com”? They’re almost asking for it! No, seriously; the point is that the method for sending email is about the same as the day some hacker in the basement of the Pentagon wrote a program to send a message to his buddy across the hall. No security, no verification, and, in some cases, no thought at all. I picture mail servers as mental patients loaded with lithium and placed at a receptionist desk (“Sir, there are 73 Bill Gateses here to see you about your bank account and 128 Russian transsexual lesbians. Shall I send them in?”). I’m pretty sure that such a secretary would be fired rather quickly. Not on the Internet though!
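The same exchange written as SMTP commands, as an added example that is not part of the original post: a toy server replays the dialogue once taking the claimed sender on faith and once checking the claimed domain against a table of networks allowed to send for it. The AUTHORIZED table and its 192.0.2.0/24 entry, the mail.example host name and the function names are constructed assumptions.

```python
import ipaddress

# Constructed placeholder: networks a domain's owner says may send its mail.
AUTHORIZED = {"microsoft.com": [ipaddress.ip_network("192.0.2.0/24")]}

def sender_allowed(mail_from, client_ip):
    """True/False if the claimed domain lists networks, None if it lists nothing."""
    nets = AUTHORIZED.get(mail_from.rsplit("@", 1)[-1].lower())
    if nets is None:
        return None
    return any(ipaddress.ip_address(client_ip) in n for n in nets)

def run_session(client_ip, commands, verify_sender):
    """Replay client lines against a toy server; return (speaker, line) pairs."""
    log = [("S", "220 mail.example ready")]
    in_data = False
    for line in commands:
        log.append(("C", line))
        verb = line.upper()
        if in_data:
            if line != ".":
                continue                      # message body, accepted unread
            in_data, reply = False, "250 OK, queued"
        elif verb.startswith("HELO"):
            reply = f"250 Hello {line[5:]} [{client_ip}]"  # name taken on faith
        elif verb.startswith("MAIL FROM:"):
            addr = line[10:].strip("<> ")
            if verify_sender and sender_allowed(addr, client_ip) is False:
                log.append(("S", f"550 {client_ip} may not send for {addr}"))
                break                         # rejected before RCPT and DATA
            reply = "250 Sender OK"
        elif verb.startswith("RCPT TO:"):
            reply = "250 Recipient OK"
        elif verb == "DATA":
            in_data, reply = True, "354 End data with <CRLF>.<CRLF>"
        else:
            reply = "500 Unrecognized command"
        log.append(("S", reply))
    return log

# The dialogue above as SMTP commands (constructed transcript).
SESSION = ["HELO billgates", "MAIL FROM:<billgates@microsoft.com>",
           "RCPT TO:<stupidscamvictim@yahoo.com>", "DATA",
           "I am giving away my fortune to a random person on the Internet.", "."]

def last_reply(verify_sender):
    """Final server line when the client connects from 10.1.1.22."""
    return run_session("10.1.1.22", SESSION, verify_sender)[-1][1]
```

With `verify_sender=False` the message is queued exactly as in the dialogue; with `True` the session ends at `MAIL FROM` because 10.1.1.22 is not in the table for the claimed domain.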

What Have We Learned?

Spam is highly profitable and ridiculously easy to send. In light of all of this, it is no wonder that spamming, scamming, and phishing have developed into a closet industry, and a highly maneuverable one at that.

Is There Any Hope?

With that in mind, we can revisit the succinct statement of the problem: people that we don’t know are sending us crap that we don’t want.

Element One: “People…”

This is probably oversimplified. “People” are not the only ones involved. They have employed a cadre of robots to cram your inbox full of porn.

Harvest Bots scour the internet looking for text that resembles “something@something.something”. They also take the form of “Someone you know has a crush on you! Type in all the email addresses you know and we’ll tell you if you got any right!” Obfuscators work tirelessly to come up with human readable variants of “v1agra” to slip past dumb rulesets. Hacked-up mail delivery software moves email at blinding speed so the spammers can disconnect before the bounces flood in. Robots scour the internet, testing for vulnerable mail servers that will send any messages, no questions asked.

When it gets to your mail server, however, it doesn’t really matter how it got there, just that it was sent. What matters is that it’s only a matter of time before it will get there, unless you never actually use your email address.

Element Two: “…that we don’t know…”

Of course, sometimes we want email from people that we don’t know (or at least that our computers don’t know we know). If someone wants to legitimately offer a job or got a business card and wants to talk, they shouldn’t be immediately rejected.

Element Three: “…are sending us crap that we don’t want.”

How can a computer ever discriminate between the following?

  • I found your resume on my desk and I’d like to set up a job interview.
  • I have a great part-time job opportunity for college students selling knives door-to-door.
  • I have an opportunity for you to help me move my money from Nigeria to the US.

I’m not sure about you, but I would find only #1 to be acceptable reading material. That is in fact the crux of the problem. If you really need a job, you might be interested in #1 and #2. If you are either lazy and a complete moron or if you are happily employed at the FBI, you would be interested only in #3. So this problem has two stages.

  1. Can a computer even discriminate between those options when the nuances could conceivably be difficult for humans to discern?
  2. Even if it could discriminate, how would it understand what it is that we consider to be garbage?

The Future of Spam

Even as you read, people are coming up with new and ingenious measures to block spam. Also as you read, spammers are coming up with ingenious ways of circumventing those measures. Also as you read, false positives are throwing the baby out with the bath water and false negatives are horrifying and defrauding less-than-savvy users.

I can see that these elements are already being deconstructed. The spammer, collectively, is morphing into a greedy cyborg – a robot that invents random email addresses all day long in the hopes of slipping one into a hidden mailbox. At the same time, they are forging return addresses to pretend to be someone we know. Working to their advantage is the impossible task of crafting artificial intelligence to only show us messages we are interested in. We don’t even know what those might be.

My conclusion is that the underlying structure of the email system is fatally flawed. Mail servers rarely ask the relevant questions: most importantly, “who are you really?” As long as we have this system as our foundation, our efforts to stop spam are futile. We either constantly play cat and mouse or we find ourselves in a catch-22 situation where we throw out important messages.

You could probably email the IETF every day as well until they come up with some better standards. I recommend posing as Bill Gates. For now, keep that delete button warmed up!
