Spam demands tough response

Hot on the Web

This column originally ran in ComputorEdge on August 30, 2002
(Issue 2035, Toys — Toddlers to Grannies)

It's only been a few months since we last visited the topic of spam in this column. And yet, just since May, the problem of unsolicited junk e-mail has grown exponentially worse.

I'm now getting dozens of spam messages a day, sometimes more. I have DSL service at home, so the time lost to downloading them isn't a factor – but for folks on dial-up, downloading all these unrequested, unwanted advertisements is not only a hassle, but a real expense.

Of course, the larger costs of spam are to be felt in the toll it takes on the entire Internet system – all the server resources wasted on shuttling spam to folks who don't want it, the resources committed to blocking spam, the bandwidth sucked up by spam.

The problem of spam is starting to reach critical mass – it's getting to the point where if something isn't done, the Internet will stop growing and become stagnant.

Fighting back

While in my last column addressing spam I provided links to some good anti-spam web sites, it turns out that I may have missed the best one: Spamhaus.

The folks at Spamhaus maintain a database of IP addresses of known spammers; Internet service providers can use this database to simply block any and all e-mail from those servers in order to protect their subscribers. (If you're getting a lot of spam, you might want to let your ISP know about the Spamhaus list.)

You can also see if your ISP hosts any spammers – useful as a gauge against which to judge your ISP's advertised anti-spam protections.

ISPs that are serious about protecting their customers from spam have increasingly powerful options from which to choose. Brightmail offers a suite of products designed to block spam – and while they are one of the largest, there are others.


Civil libertarians are not all that keen on spam blacklists, though. They argue, with some justification, that innocent folks can get caught up in these spam lists – either through human error, or through inadvertent guilt by association when your ISP also hosts spammers.

There are many in the civil liberties crowd who argue that spam is the price we must pay for a free and open Internet.

On the other hand, if spam is able to bring down parts of the Internet, denying its use to everyone else, then does the argument still hold?

A more radical change

As spammers have grown ever more successful at evading the various filters and blacklists, it might be time to ponder a more basic change to the entire e-mail system.

E-mail was invented, after all, before the Internet, when only users on a single computer could send each other messages. And even when Ray Tomlinson sent the world's first Internet e-mail in 1971, no one envisioned the development of the World Wide Web or the corporate explosion online.

Three decades later, Tomlinson's technology has become – quite simply – outdated by events. Not to take away from the pure brilliance of the cross-platform e-mail solution Tomlinson developed, but the rise in spam makes clear that simply banning it or trying to block it are not going to work.

Perhaps it is time for a new e-mail protocol that would be built around a key-activated permission code. In other words, only those with a copy of your personal key could send you e-mail.

I'm thinking of an e-mail system built along the lines of Phil Zimmermann's old encrypting software, Pretty Good Privacy. Zimmermann developed a key-encryption system in which no one could open your locked files unless they had your key – and you had authorized theirs.

The feds hated it because they couldn't open any files of yours they'd seized unless you gave them the encryption key. But PGP worked – still does, too.

By having a key-encrypted e-mail authorization system, we could prevent almost all spam. Of course, there would be a trade-off – there always is in life. It would be harder to set up new e-mail relationships with folks – you'd have to give them your key as well as your e-mail address. Businesses could still use forms on their Web sites to allow customers to e-mail them without the key – although I'm sure myriad other challenges would await.

And how do we know that the spammers wouldn't just buy keys along with e-mail addresses?

If I'm remembering correctly, simply having a key wasn't enough to open a PGP-encrypted file – your key had to also have been added to the mix by the person who originally saved the file. So if you didn't have the right set of two keys, the file remained locked.

This way, even if your e-mail key was stolen, as long as you didn't authorize any unknown keys to your account, nobody could send you unsolicited e-mail.
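
The acceptance rule described above, sketched as an added example that is not part of the original column: a mailbox takes a message only when the sender holds the recipient's address key and the sender's own key is on the recipient's authorized list. The names `Mailbox` and `make_tag` are hypothetical, and HMAC with shared secrets stands in for PGP-style public-key signatures, which the Python standard library does not provide.

```python
import hashlib
import hmac

def make_tag(sender_key: bytes, address_key: bytes, body: bytes) -> bytes:
    """Sender side: bind the message to the sender's key and the recipient's address key."""
    # Hashing the address key gives a fixed-length prefix, so prefix and body cannot blur.
    prefix = hashlib.sha256(address_key).digest()
    return hmac.new(sender_key, prefix + body, hashlib.sha256).digest()

class Mailbox:
    """Recipient side: an address key plus the owner's list of authorized sender keys."""

    def __init__(self, address_key: bytes):
        self.address_key = address_key
        self.authorized = {}  # sender id -> key the mailbox owner has approved

    def authorize(self, sender_id: str, sender_key: bytes) -> None:
        self.authorized[sender_id] = sender_key

    def accept(self, sender_id: str, body: bytes, tag: bytes) -> bool:
        key = self.authorized.get(sender_id)
        if key is None:  # unknown sender: holding the address key alone is not enough
            return False
        return hmac.compare_digest(make_tag(key, self.address_key, body), tag)

def demo() -> dict:
    # All keys and messages below are constructed sample values.
    address_key = b"bob-address-key"
    alice_key, spammer_key = b"alice-secret", b"spammer-secret"
    box = Mailbox(address_key)
    box.authorize("alice", alice_key)
    note = b"Lunch on Friday?"
    ad = b"BUY NOW"
    return {
        "authorized sender": box.accept("alice", note, make_tag(alice_key, address_key, note)),
        # Spammer bought the address key but was never authorized.
        "stolen address key": box.accept("spammer", ad, make_tag(spammer_key, address_key, ad)),
        # Spammer forges Alice's name without holding her key.
        "spoofed sender id": box.accept("alice", ad, make_tag(spammer_key, address_key, ad)),
        # Authorized sender using the wrong address key.
        "wrong address key": box.accept("alice", note, make_tag(alice_key, b"guess", note)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; the trade-off the column names shows up as the `authorize` step the mailbox owner must perform for every new correspondent.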

I'm not suggesting such a system would be easy to develop or propagate across the 'Net. But it does seem technically feasible – and if the spam keeps getting worse, the inconvenience of the system might not seem too bad in comparison.