By Karel Rode
Spam continues to be a major problem for all internet users, so why has no solution been found yet?
‘Weird Al' Yankovic entertained us in 1989 with a song called Spam, which parodies Stand by REM. Weird Al was singing about ham in a can, and not electronic spam, but there are parallels between the two much maligned products:
Spam continues to be a major problem for everyone, says CA Security Solutions Strategist Karel Rode, but why hasn't it been stopped yet?
"Spam in the place where I live (have some more); Think about addiction, wonder if I'm a junkie now (let's eat); Spam in the place where I work (you're obsessed); Think about the way it's processed, wonder if it's some kind of meat."
Spam exists at the place where I live and work and when Weird Al says "Think about the way it's processed" he suggests that this is important to identifying and removing it from sight.
According to Messagelabs spam accounted for 73.9% of all emails they processed in December 2007 and phishing attacks accounted for one in 156 emails. It is small consolation that spam levels are lower than in July 2004, when they peaked at 94.5%, while phishing is averaging at its baseline.
Overall, IT departments and users have had to contend with spam, phishing, viruses, trojans, spyware, pop-up ads, oversized emails and messages with inappropriate content for a very long time. Only 15% of all email messages are categorized as required or not classified as some form of malicious junk.
Spam is so prevalent that SpamRejection.com has updated its definition: "SPAM is "unethical email", usually "unethical mass email". Within this definition of SPAM, unethical email are emails which violate the standards of the majority of users of the internet .
Sending a postcard, letter or parcel via the postal services costs the sender some money, but sending an email is not a significant cost to the sender. Neither is sending bulk email, which is why SpamRejection.com's definition is particularly useful, as it focuses on the ethics of the matter.
So why is spam not disappearing? Part of the answer to this is that computing resources are cheap, very accessible and most often only protected with very low levels of access control. This gives miscreants the opportunity to infiltrate these systems and mobilize them for nefarious purposes - spam being a popular one and distributed denial of service another. They achieve this through the infection of computing devices with remote access Trojans that allow them to command their minions to perform a variety of tasks, including sending bulk emails, distributed denial of services and web site hijacking to name a few.
Unethical email costs the recipient time, money and effort to process and remove. Moreover, some of it is highly offensive. So should we fight back? I would say no, as responding with a "not interested" message will either prompt an ‘email recipient not known' message or serve to confirm that yours is a valid email address with a human responding to email - thereby increasing the value of your email address. These address lists are traded and those with more valid content attract better prices for their owners. This is why Sender Policy Framework (SPF), Sender Rewriting Scheme (SRS) and Sender Signing Policy (SSP) are now attracting the attention of email system administrators.
With SPF the owner of an Internet domain uses a special format of DNS TXT records to specify which machines within their organisations are authorised to transmit email for that domain. This list of authorised machines is then published and recipient machines that also subscribe to SPF can lookup the source host to see if it is one of those known and allowed to send email.
A more personal alternative would be to make use of an application that will white list known senders and initially grey list all other senders for you. This way you can build a database of known or good email users and all that are not known by the system will be marked for your interaction, allowing you to either white list or blacklist all future emails from these senders or even sender domains.
The above examples are only two of many implementations that strive to achieve a reduction in, and ultimately, removal of, spam. These will all only work effectively when more email system administrators embrace such solutions or there is a worldwide recognition of the scourge of spam that is accompanied by a concerted effort to rid us of the problem. Until then we will continue hitting the Delete button.
Karel Rode is security solutions strategist at CA Africa.