ISIL Special Report
FIGHTING SPAM . . . Without Government Involvement
by Stefan Metzeler
Stefan Metzeler is a Software Consultant, the author of the Amadeus-3 Development Framework, and ISIL Rep-Switzerland (www.amadeus-3.com & www.ProLibertate.org)
1.1 – What Is Spam?
Spam designates undesired email messages sent as mass mailings.
Spam is most often used to promote products or services, i.e. as advertising – but it may
also contain harmful elements, such as viruses.
The annoying thing about spam is that it ends up in people's email
readers and forces them to deal with it, wasting their time with undesired and sometimes offensive
messages. It may also expose children to inappropriate contents and induce them to access web sites
intended for adults.
Viruses transmitted through spam may attack the user's system,
destroying data; may spy on him and transmit data back to the virus creator; may make his system
vulnerable to future intrusion; may access dialup services which can cost hundreds or even thousands
of dollars and may propagate to other systems through the user's own email account, with his address
as message creator.
And last but not least, the huge number of spam messages travelling
through cyberspace uses up precious resources – from storage space to bandwidth.
1.2 – The Motivation Of Spammers
Besides the immature impulses behind the creation of destructive
viruses, the major motivation for spamming is obviously the expectation of material gain. The cost of
spamming is very small. For a few hundred dollars, millions of mostly valid addresses can be purchased. The equipment and communication lines required to generate spam cost a few thousand dollars
and may have multiple uses. There is no specific cost attached to sending email messages. They are
just another form of Internet traffic. Hence it is possible to send millions of messages in a short
time and if only a tiny fraction of all the recipients respond, the income may be substantial.
A recent case (summer 2003) may help in understanding just how
incredibly profitable mass mailings can be. If you have been using email for more than a few weeks,
you have probably received advertisements for penis enlargement pills, herbs, miraculous potions and
tools. You probably thought, while deleting the message, "How could anyone be stupid or desperate
enough to respond to such an ad?" This rhetorical question was answered when the customer list of a
company selling such products was found by a hacker. The owners of the corresponding web site had done
nothing to protect their data. The hacker sent the information to a magazine, where they discovered
that about 6,000 people had ordered 1 to 2 bottles of the miracle medicine at a cost of $50 each over
a period of 4 to 6 weeks!
Considering this kind of income for a very small investment, it
should not be surprising that millions around the world would want to use spam for profit.
Unfortunately, P.T. Barnum was right when he said "A sucker is born
every minute". Even more depressing is the fact that the list of customers included not just uneducated
losers, but people from all possible backgrounds (let's hope no one with an education in the medical
field).
Another famous scheme is the Nigerian (now also South Korean) spam,
where someone pretending to be from some corrupt politician's family promises huge profits to the
person who would help him launder a very large amount of stolen money. The victim has only to wire some
money to the spammer first. In some cases naïve people actually travelled to Nigeria, where they disappeared,
never to be seen again. Others who were scammed were approached again by the same people, this time
masquerading as officers from Interpol investigating the fraud (and asking for fees, of course).
Here again, even one success per 100 million messages sent may be
profitable for the spammer. Obviously, it would take a steep increase in the price of sending spam to
reduce this undesired traffic significantly.
1.3 – Government Proposals To Combat Spam
Agents of various governments have begun to come forward with
proposals to reduce spam, and in several countries laws have already been passed – such as in
Italy, where a very heavy fine may be imposed on spammers.
Let's have a look at what government can do and what the probable
effect of such methods would be:
- Prohibit spam by imposing penalties – fines, prison sentences (death? - maybe in China)
- Impose a tax on sending email messages to increase the cost of email
- Force providers to filter out spam messages
All of these methods are based on a poor understanding of how the Internet
works. The main point is of course the fact that the Internet operates across borders, so any
legislation would have to be applied worldwide to have any significant effect.
What good is the Italian law if the spammer is based in Indonesia?
He did not break any laws in his country of residence and hopefully it will not be possible to
prosecute people based on foreign laws. Anyone advocating such a change in legal practice should
consider that by the same reasoning, Iran, China or Nigeria could apply their laws internationally
as well, which does not sound very appealing.
1.3.1 – Spam Prohibition
Even if a world government existed and could impose penalties
world-wide, this would still not preclude spamming, because the authorship of email messages is very
hard to establish. Email is easy to "spoof", so that it becomes impossible to trace.
What about simply prosecuting the beneficiaries of spam (products or
services they promote)? That would open a whole new set of problems. Let's assume you get a spam
advertisement for Nestlé Instant Coffee. You can't locate the sender of the message, so you go after
Nestlé. What a great way for people who don't like Nestlé to attack them! At a minimal cost, anyone
could get a person or a company to be indicted for spamming just by sending out millions of messages
pretending to promote them. Clearly, it would be necessary to establish authorship before any
penalties could be applied or the situation could very quickly get out of hand.
1.4 – An Email Tax
This seems like a feasible solution at first, since it would seem to
impose a cost on spammers that might quickly become prohibitive. It would strike at their very core
motivation: quick profits for minimal investment.
Yet even if it was technically feasible, it would be so unpopular
that I wouldn't give it much of a chance to clear the ramp. A law for email taxation could obviously
restrict the tax to senders of large numbers of email, so that individuals would not be targeted,
which might lower popular resistance to such a tax.
Actually, this proposal demonstrates even more ignorance of the
workings of the Internet than the previous one. Where would email be taxed? Through the sender's
provider? What about spammers from foreign countries?
Taxation by the servers that transfer email, via micro-payments? Highly
complex and impossible to enforce, even within a single country. It might also render systems incompatible
with those found in other countries, hence requiring completely updated Internet protocols.
Taxation based on the sender's email address? That would be impossible
as well, since email addresses can be faked (cf. above).
Assuming for the moment that such a tax could be imposed, it would
not yield any return, since email is just one form of communicating over the Internet – and a
low-bandwidth one at that. It would be very easy to switch to a different protocol to exchange email
or even to some non-traceable channel, such as SSL encryption (cf. neomailbox.com), making it impossible
to recognize email as such. Even a spammer resident in a country taxing email could first send his
messages to a server outside the country in some other form. This extra-territorial server could then
send actual email messages to recipients anywhere in the world, non-taxable.
What about taxing any Internet connections or data transmission based
on volume? While this would certainly yield some income for government, it would not decrease spamming
in the least. Sending out spam is low-volume and again, it can be done from anywhere in the world.
1.4.1 – Big Brother Filtering Email
Could government read all email messages – or request internet providers to do so – to
filter out spam?
In the first place, this would be an immense invasion of people's privacy. It would open up the
door for all kinds of other government interferences. It is actually already being done through
Echelon and the FBI's appropriately named Carnivore system, but the US government does not yet
interfere with the flow of information, since these surveillance methods are supposed to be invisible
to the casual user, and to be used only in criminal investigations.
Could a surveillance system coupled with actual filters reduce the
flow of spam? Initially most certainly, yes, which is very likely what the Chinese government does to
reduce the free flow of information. But how would such filters recognize spam? They either have to
already know that a given message is spam or they have to look for specific properties to decide if a
message is spam, which might also produce false positives.
Spammers would probably find counter-measures, making their mail look
more like standard messages, with less uniform contents and hence more difficult to recognize for the
user, who will have to spend more time sorting out desired mail and spam.
A lot of apparent spam is actually legitimate business or private
communication. Hence what might look like spam to an outsider may be a newsletter that someone
actually signed up for. No one but the recipient can know if such and such a message is spam or
desired information. Not to mention the fact that some people actually want to be spammed, since
they may find valuable information, just as we may find valuable products through any other form of
advertisement.
An example of an improper spam block was the temporary lockout of a
company that sends such email publications as "Bizarre News" and "Laugh a Day". Their messages contain
jokes and various fun stories along with some advertising content. People actively sign up to receive
these messages, yet some provider blocked the publisher, because they thought they were sending
millions of spam messages. It took the publisher quite a while – and thousands of support
messages from subscribers – to remove the block.
1.4.2 – No Generic Solution
We'll have to face the sad truth: there is no universal, generic
solution to reduce spam. Every user will have to make an individual choice about how to protect
himself. No matter what government does, it will not help stem the flow of spam and any coercively
enforced "solutions" would have highly undesirable side effects, not to mention inflicting huge
cost on taxpayers.
Government might want to implement some of these "solutions" anyway,
but for reasons not at all related to actually solving the spam problem. They may want to increase tax
revenue through email taxation (in vain, since email as we now know it would quickly morph into
something not as easily taxed). They may want to increase their control over communications (again in
vain, since it is possible to protect all communications against prying eyes) or they may simply wish
to create new bureaucracies for personal gain.
To avoid any such detrimental development, we have to find real
solutions that will allow people to fight spam efficiently and at low cost and low complexity.
1.4.3 – Fighting Spam
Here are a few methods that can be used to reduce spam, which can be
applied right away or could be developed in the future with relatively little effort. None of
them require any kind of government intervention.
- Use filtering tools integrated into your email client, if available. You can either set the
filter to accept only messages from specifically named addresses and / or with specific properties, or
to refuse messages based on a range of features, such as a strange source address, header inconsistencies,
[SPAM] identifiers (which some nice spammers insert voluntarily), etc.
- Use commercial spam filters, which recognize a large number of well-known spam messages and
remove them from your in-box before you ever see them. They work like – or in conjunction with –
anti-virus software, which is reasonable, since a lot of spam also contains viruses.
- Subscribe to some Internet service, which performs the above function for you. This has many
advantages: no installation, no maintenance, fully automatic updates, lower bandwidth usage, and it
works with multiple email clients (e.g. local email client, web based client etc.) and hence is not
dependent on using a specific computer. An excellent example of such a service is neomailbox.com,
which provides other benefits as well.
- On company networks: install such a service on the network email server.
- Only accept cryptographically signed messages.
The last point, the ultimate spam protection, requires a little more
elaboration.
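The client-side filter rules in the first point above can be shown in a few lines of code. What follows is an added example, not code from the author or from any product named in this report: it parses a raw message with Go's standard net/mail package, accepts anything from a constructed allowlist outright, and otherwise refuses a message for a [SPAM] tag in the subject, for an envelope sender (Return-Path) whose domain does not match the From line, or for missing Message-ID or Date headers. The three sample messages are constructed here as well.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Allowlist of correspondents whose mail is always accepted (constructed sample data).
var allowlist = map[string]bool{"alice@example.org": true}

// Verdict is the filter's decision plus the reasons that produced it.
type Verdict struct {
	Accept  bool
	Reasons []string
}

// domainOf returns the lower-cased domain part of an address, or "" if there is none.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// Classify applies the header rules to one raw RFC 2822 message: an allowlisted From
// address is accepted outright; otherwise a [SPAM] tag in the subject, a Return-Path
// whose domain differs from the From domain, or a missing Message-ID/Date header
// each count as a reason to refuse the message.
func Classify(raw string) Verdict {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{false, []string{"unparseable message: " + err.Error()}}
	}
	h := msg.Header
	from, err := mail.ParseAddress(h.Get("From"))
	if err != nil {
		return Verdict{false, []string{"malformed or missing From header"}}
	}
	fromAddr := strings.ToLower(from.Address)
	if allowlist[fromAddr] {
		return Verdict{true, []string{"sender on allowlist"}}
	}

	var reasons []string
	if strings.Contains(strings.ToUpper(h.Get("Subject")), "[SPAM]") {
		reasons = append(reasons, "subject carries a [SPAM] tag")
	}
	if rp := h.Get("Return-Path"); rp != "" {
		if a, err := mail.ParseAddress(rp); err == nil && domainOf(a.Address) != domainOf(fromAddr) {
			reasons = append(reasons, "Return-Path domain differs from From domain")
		}
	}
	for _, name := range []string{"Message-ID", "Date"} {
		if h.Get(name) == "" {
			reasons = append(reasons, "missing "+name+" header")
		}
	}
	return Verdict{len(reasons) == 0, reasons}
}

// Three constructed messages: a known correspondent, a self-labelled advertisement,
// and a message whose envelope sender does not match its From line.
const (
	friendMsg = "From: Alice <alice@example.org>\r\n" +
		"To: me@example.net\r\n" +
		"Subject: lunch on Friday?\r\n" +
		"Date: Mon, 01 Sep 2003 10:00:00 +0000\r\n" +
		"Message-ID: <1@example.org>\r\n" +
		"\r\nSee you at noon.\r\n"

	taggedMsg = "From: promo@shop.example\r\n" +
		"To: me@example.net\r\n" +
		"Subject: [SPAM] miracle pills, 50% off\r\n" +
		"Date: Mon, 01 Sep 2003 10:05:00 +0000\r\n" +
		"Message-ID: <2@shop.example>\r\n" +
		"\r\nOrder now.\r\n"

	spoofedMsg = "Return-Path: <bounce@relay.example>\r\n" +
		"From: Your Bank <ceo@bank.example>\r\n" +
		"To: me@example.net\r\n" +
		"Subject: account locked\r\n" +
		"\r\nClick here.\r\n"
)

func main() {
	for name, raw := range map[string]string{"friend": friendMsg, "tagged": taggedMsg, "spoofed": spoofedMsg} {
		v := Classify(raw)
		fmt.Printf("%-8s accept=%-5v %v\n", name, v.Accept, v.Reasons)
	}
}
```

The Return-Path rule is exactly the kind of check that can misfire on legitimate mail: newsletters and mailing lists are routinely sent through a relay whose bounce address lives on another domain, which is why the allowlist is consulted before any of the refusal rules and why the reasons are reported rather than silently acted upon.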
1.4.4 – Cryptographic Spam Protection
You may know of PGP or other systems for encrypting and signing
messages. These are wonderful for protecting the contents of your email messages and for establishing
trusted communication links.
neomailbox.com offers an additional layer of protection, by encrypting
both the envelope (the header data, which other encryption programs leave in the clear) and the
contents of your message during transit from your computer to the server. If your correspondent uses the
same service, then the entire communication is protected by an SSL encryption channel.
One could extend these concepts to create a system that is either
server or client based or a combination of both, through which only messages with valid cryptographic
signatures would be accepted by your email server. Any message not properly signed would be rejected.
Some crypto-server might contain all valid keys that are to be
accepted. This server might be accessed by local and web-based clients. Keys would be valid even if
your correspondents should change their email address, which happens often enough in real life. Hence
they would not suddenly be cut off from you because they changed jobs or providers.
There would even be a way to allow people to send you messages who
have not previously communicated with you. They could access a web service which would relay their
message to you. The key of such a server (maybe only a specific one) would always be accepted, but it
would require every user to manually log in, requesting answers to questions a so-called robot program
would be unable to answer [1], hence rendering this path impractical for large volume spammers. On
receipt of such a – clearly labeled – message, the user could decide to add the sender to
his list of authorized correspondents.
Alternatively, any incoming message without a valid key could be sent
an automatic reply, guiding the sender through an identification process which could even be performed
100% by email, hence at minimal cost to both the protected user and the sender desiring to reach him.
There would indeed still be a marginal cost to all involved, but
someone valuing his own time would very likely tolerate this cost and would have no compunction about
asking a small effort of others who would want to talk to him by email. The identification process
would be required only once anyway; any future communication would comply transparently for both
the sender and the recipient. Needless to say, the key of any correspondent could also be
removed at any time. Additional mechanisms to make such a system user-friendly could be devised in
actual implementations of such a scheme. This is just a brief sketch of the principles involved.
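The acceptance policy sketched in this section – reject anything whose signature does not verify, accept a valid signature from a key on the list of authorized correspondents, route unsigned mail and valid signatures from unknown keys into the identification process, and key the list by the correspondent's key rather than by his email address – can be written down concretely. The following is an added example, not code from the author or from neomailbox.com: it uses Ed25519 signatures from Go's standard library, a hypothetical message layout in which the sender's public key and signature travel with the message, and constructed keys and addresses. The scenario walks through a correspondent changing address, an unknown sender using a friend's address, a message altered in transit, an unsigned message, and a revoked key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Decision is what the recipient's server does with an incoming message.
type Decision int

const (
	Accept    Decision = iota // valid signature from a key on the authorized list
	Challenge                 // unsigned, or signed with an unknown key: send the identification auto-reply
	Reject                    // carries a signature that does not verify (forged or altered)
)

func (d Decision) String() string { return [...]string{"Accept", "Challenge", "Reject"}[d] }

// Message is the part of an email the filter looks at (hypothetical layout): claimed
// sender, body, and the sender's public key with a signature over both.
type Message struct {
	From      string
	Body      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// canonical is the byte string that gets signed. Binding the From address into it
// means a signature cannot be replayed under a different sender name.
func canonical(from, body string) []byte { return []byte("from:" + from + "\nbody:" + body) }

// Sign produces a message the recipient can verify (the sender's side).
func Sign(priv ed25519.PrivateKey, from, body string) Message {
	return Message{From: from, Body: body,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, canonical(from, body))}
}

// Fingerprint identifies a key independently of any email address.
func Fingerprint(pk ed25519.PublicKey) string {
	sum := sha256.Sum256(pk)
	return hex.EncodeToString(sum[:])
}

// Inbox holds the list of authorized correspondents keyed by key fingerprint, not by
// address, so a correspondent who changes jobs or providers keeps being accepted.
type Inbox struct{ trusted map[string]string }

func NewInbox() *Inbox                                   { return &Inbox{trusted: map[string]string{}} }
func (ib *Inbox) Trust(pk ed25519.PublicKey, who string) { ib.trusted[Fingerprint(pk)] = who }
func (ib *Inbox) Revoke(pk ed25519.PublicKey)            { delete(ib.trusted, Fingerprint(pk)) }

// Filter applies the acceptance policy to one message.
func (ib *Inbox) Filter(m Message) Decision {
	if len(m.Signature) == 0 && len(m.PublicKey) == 0 {
		return Challenge // unsigned: route through the identification process
	}
	if len(m.PublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(m.PublicKey, canonical(m.From, m.Body), m.Signature) {
		return Reject // claims a key, but the signature does not check out
	}
	if _, ok := ib.trusted[Fingerprint(m.PublicKey)]; ok {
		return Accept
	}
	return Challenge // good signature, but from nobody the recipient has authorized yet
}

// Scenario walks through the cases discussed in the text with constructed keys and
// returns the decisions in order.
func Scenario() []Decision {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	ib := NewInbox()
	ib.Trust(alicePub, "Alice")

	tampered := Sign(alicePriv, "alice@old-job.example", "original text")
	tampered.Body = "altered in transit"

	out := []Decision{
		ib.Filter(Sign(alicePriv, "alice@old-job.example", "lunch?")),      // Accept
		ib.Filter(Sign(alicePriv, "alice@new-job.example", "new address")), // Accept: the key counts, not the address
		ib.Filter(Sign(malloryPriv, "alice@old-job.example", "buy pills")), // Challenge: Alice's address, unknown key
		ib.Filter(tampered),                                                // Reject: body no longer matches signature
		ib.Filter(Message{From: "stranger@example.net", Body: "hello"}),    // Challenge: unsigned
	}
	ib.Revoke(alicePub)
	return append(out, ib.Filter(Sign(alicePriv, "alice@old-job.example", "still me"))) // Challenge: key removed
}

func main() {
	for i, d := range Scenario() {
		fmt.Printf("step %d: %v\n", i+1, d)
	}
}
```

Two design points carry the argument of the section: the authorized list stores fingerprints, so nothing breaks when a correspondent's address changes, and the From line is covered by the signature, so a spammer cannot reuse a captured signed message under another name. Whether a message with an unknown but valid key is challenged or simply labelled and delivered is the user's choice; the code takes the challenge route the text describes.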
Such a system would provide the ultimate in user control and
protection and – when coupled with other methods – even anti-virus protection (friends'
computers might send viruses), plus contents and / or envelope encryption, making email comfortable,
safe, untraceable, inviolable, authenticated and much less time consuming, since spam would
be kept out for good.
And all of this could be provided through private companies, without
any kind of government intervention – and at a very reasonable cost in time and money. If a
large number of people decided to move to such a system, spamming would become increasingly unattractive,
since the number of people reachable through spam would decrease rapidly, hence raising the cost per
actual sale. This might even end up reducing the bandwidth consumed by spam, which would be a welcome
side effect.
[1] There are various mechanisms in use to do this, e.g. Turing numbers, image recognition and many
more.