Originally created 08/06/02

Stopping spam



NEW YORK -- Fed up with a litany of tiresome e-mail pitches, Chris Caputo decided to fight back.

He got himself spam-fighting software that thwarts the mass-mailers by demanding that all his correspondents verify they are not machines.

Now, instead of more than 100 spam messages a day, Caputo gets no more than three.

Such tools are far from perfect, but a growing arsenal is becoming available both for individual users and for the more heavy-duty requirements of corporations and Internet service providers.

With spam becoming an epidemic - registering a more than fivefold increase in the past year, according to anti-spam filtering company Brightmail - people are fighting back aggressively, even at the risk of losing legitimate mail.

There's no shortage of countermeasures.

Brightmail, used by EarthLink, AT&T WorldNet and other service providers, and Mailshell for the desktop are two filtering services long available. McAfee.com's SpamKiller desktop filter came out in May, and several others are in the works.

America Online and Microsoft's MSN, meanwhile, are beefing up their spam filters as part of upcoming software upgrades.

But the defenses are leaky.

"The spy versus spy battle has reduced the amount of spam considerably, but the level of spam is still unacceptably high," said Jason Catlett of the anti-spam advocacy group Junkbusters.

Vincent Schiavone, chief executive of the ePrivacy Group consultancy, said individuals spammers adapt quickly to exploit e-mail's "dumb protocol."

Current e-mail standards were developed in the early 1980s - long before spam was a problem. For starters, they have no built-in mechanisms for authenticating senders, which allows spammers to easily forge headers.

Software filters thus must be programmed to work on assumptions of spammer behavior.

Some cull spam by identifying typical keywords and other hallmarks such as multiple exclamation points. Others are based on "blacklists" of known or suspected spammers - or in a few cases entire countries like China and South Korea because they have poorly configured mail servers though which much of the world's spam passes.

But such techniques toss out the good mail with the bad, mostly newsletters and other bulk mailings that had been requested.

Mailshell estimates that its filters can block 84 percent of spam, while losing three out of every 1,000 legitimate messages. To block 99 percent, prepare to lose 10 times that amount.

To block 100 percent spam means letting through only messages from senders you know.

"If you want to be private and never want to be contacted by people you don't already know, you can solve it in an instant," said David Jameson, chief technology officer of DigiPortal Software, whose Choicemail service came out last month.

Most people want to be reached, so technologists are trying to come up with smarter techniques.

Caputo uses the Tagged Message Delivery Agent, a free software project still in early testing. Mail from people he knows automatically gets through, while first-time senders must reply to an automated message to confirm they are not spam-generating computers. Otherwise, the message goes to a junk mail folder.

Of course, someone possibly "might not understand how to reply," Caputo said. "It could be someone looking for customer support, and their opinion of the company might go down."

So Caputo, president of a Seattle-based Internet company, still checks his junk mail folder regularly - thus, strictly speaking, the software is not shielding him from spam.

Choicemail takes a similar approach except the service costs $39.95 and first-time senders must answer questions on a Web page instead of simply replying to an e-mail.

SpamNet, a product from Cloudmark Inc. still in beta testing, combines traditional filtering with community input. Users vote on what they consider spam, and those items are subsequently blocked.

Brightmail sets up e-mail accounts solely to lure spam and uses those messages to fine-tune its filters.

Other product are designed to permit bulk mailings from trusted sources.

In the future, authentication techniques under development at IBM Corp. and other companies could help verify the legitimacy of e-mail addresses.

Steve Atkins, an anti-spam consultant with SamSpade.org, says existing countermeasures aren't perfect but can reduce spam to a level of "serious annoyance."

Legal bans and restrictions have their flaws, too, so blocking spam entirely may ultimately require a new way of thinking.

Stuart I. Feldman, IBM's vice president for Internet technology, says some questions but first be collectively addressed: Are we prepared to lose legitimate mail? Do we want some central bureaucracy like the post office registering our addresses?

Would it make sense to charge people to send e-mail? Although it runs counter to Internet culture, that would certainly reduce spam.

"The problem is mostly a social one," Feldman said. "We truly haven't decided how big a problem this is and what we are prepared to give up in exchange for solving it."

Tips from the Federal Trade Commission on battling spam:

-Avoid displaying your e-mail address in public, including in newsgroups, chat rooms, Web sites and membership directories of online services.

-Check a Web site's privacy policy before submitting your address. The policy may allow the company to share your address with third parties. Consider opting out of this provision or not submitting your address at all.

-Consider using two e-mail addresses - one for personal messages, one for newsgroups and chat rooms.

-Choose a unique e-mail address. A common name such as "jdoe" may get more spam than something like "jd51x02oe," though the unique address may be more difficult to remember.

-Use an e-mail filter. Many service providers offer free tools to filter out spam or channel it into a bulk e-mail folder. Others are available for purchase.

-Report spam to the Federal Trade Commission by sending the entire message, including the full header, to uce(at)ftc.gov.

-Complain to your Internet service provider's abuse desk and to the sender's ISP.

-Be wary. Don't believe promises from strangers. Be skeptical of moneymaking opportunities.