Tech vendors have made headway in the war on spam, yet spammers are returning volley with sheer numbers. Perhaps it’s time for more drastic measures?
These are the rumblings from InfoWorld Test Center analysts, who reviewed anti-spam e-mail appliances and released their findings last week.
“The biggest reason we’re not winning the war on spam has little to do with the anti-spam vendors,” says Logan Harbaugh, a Test Center analyst. “It’s more about the ever-increasing volume of spam.”
Anti-spam e-mail appliances work anonymously on the frontlines of IT security, blocking millions of pieces of spam (or unwanted e-mail) every day. Because spam is often the vehicle used to deliver malware, viruses, and other nasty stuff, anti-spam is considered one of the most important defenses in IT security.
And anti-spam vendors are doing a decent job: According to the Test Center, e-mail appliances today catch an average of 96.1 percent of spam, up from 95 percent two years ago.
While a single percentage-point gain might not seem like a great achievement, catching spam is more difficult than you might think.
“Anti-spam is like an arms race,” says Doug Dineley, who heads up the Test Center. “Spammers buy filters and test them to find weak spots. Then filter vendors plug the holes with new rules.”
But vendor advancements pale in comparison to the swelling ranks of spammers.
A Symantec report released this month shows that spam is on the rise. In March, more than 80 percent of all e-mail was spam, up from 78.5 percent in January and February. Overall, spam volume is up 20 percent compared to last year. The report also warns of a popular spammer trick called backscattering, which is the practice of bouncing e-mails around the globe until they’re received.
As overall e-mail volume rises, so does the amount of spam. In order to keep up with these increases, as well as the latest spam tactics, companies must upgrade their anti-spam solutions every year, thus taxing IT resources and budgets. “Spam has become an operations problem, not a technology one,” says Chenxi Wang, an analyst at Forrester Research.
To wit, the Test Center reviewed e-mail appliances on five fronts, including four “operational” ones: manageability, scalability, ease of setup, value for the money, and effectiveness at catching spam. C
Changing battlefieldsSo far, there have been two significant battlefields in the war on spam.
The first is the content of the e-mail message itself, followed by the IP address of the system that sent it.
With messages, e-mail appliances analyze message content for spam characteristics, such as misspelled words, weird patterns, and popular spam terms, such as “Viagra.” Each message is then rated on a scorecard that determines whether or not the message will make it to the inbox. While this heuristic approach for ferreting out spam is still used today, anti-spam vendors have taken the battle a step further.
Only a few years ago, vendors added sender-reputation services to their arsenal — that is, analyzing the message’s origins, building databases of good and bad IP addresses, blocking all messages from IP addresses of known spammers, and limiting the number of connections or messages per minute from suspicious senders.
In the case of an unknown mail server, some e-mail appliances force the server to make a second connection request.
This technique relies on the notion that mail servers at legitimate businesses are configured to resend and that spammers won’t bother making a second request and just move on to another target.
Another mechanism for handling unknown or suspicious senders, called connection throttling, emerged two years ago.
Here’s how it works: An e-mail appliance with connection-throttling will allow a single message from an unknown mail server to go through. [Is there another step in between here? Does the admin or the end-user have to do something to prove the message is not spam?] Depending on whether the message turns out to be spam, the appliance may let more messages from the server to pass or shut off the pipeline.
More and more rules have led to the dreaded false positive or real e-mail incorrectly blocked as spam.
“If users aren’t getting things that they expect to get, that’s a disaster,” Dineley says. Most of the appliances reviewed by the Test Center did a good job of avoiding false positives. In fact, Cisco IronPort, Symantec Mail Security, and Tumbleweed MailGate registered few, if any, false positives, making them superior products.
Others simply blocked anything that looked like spam, resulting in a lot of false positives. This put the onus on admins and end-users to fix the problem via whitelisting. “Some of the vendors justified this approach to me, saying that the bulk messages they blocked are ones that don’t comply with the CAN-SPAM Act,” says Harbaugh. “However, the facts of life are that many users want these messages, whether they comply or not, and the whitelist is a pain [to build] for the first couple of weeks.”
Revenge of the e-mail tax
Holding back the spam tide may require shaking up the world of e-mail.
Harbaugh calls for striking at the heart of how spammers ply their trade; currently, spam is blasted to the masses in three ways: via registered e-mail servers, mail servers that allow anonymous forwards, and botnets of subverted computers.
With registered e-mail servers, many ISPs block servers that send messages in violation of the CAN-SPAM Act. But the law only applies within the U.S., and spam is legal in many countries. It’s also difficult for ISPs to preemptively block spam without opening themselves to liability charges. “The only practical way to stop this kind of spam is charging per message,” says Harbaugh. “If ISPs are being charged per message, it gives them a real economic incentive to patrol their networks and stop spammers quickly.”
Charging for messages is a sensitive issue.
It’s likely that junk-mail advertisers will happily pay fees and push out even more spam. And then there’s the thorny idea of taxing the Internet.
“The Internet is free to everyone,” Forrester’s Wang says.
“Besides, spam is not getting worse … the majority of the threat now lies in the Web channel — not e-mail channel — such as fake Web sites and hacked real Web sites.”
Undaunted, Harbaugh also wants to take a hard-line approach to mail servers that allow anonymous forwards. His suggestion: make all mail servers comply with security measures that block anonymous forwarding. By some estimates, a server that doesn’t block anonymous forwarding will be exploited by spammers within minutes. Revised SMTP protocols would make it easier to trace people who are illegally sending spam. And message charges would provide a financial incentive for people with mail servers to follow the new rules.
Last, botnets have hijacked a million computers that send countless spam usually without a computer owner’s knowledge. These compromised computers need a firewall (which is readily available and free) that stops outgoing SMTP. Yet fines for computer owners who don’t install the firewall would be difficult to levy, since many of the compromised computers are home computers.
“There would be political consequences,” admits Harbaugh, as he considers a potential newspaper headline: “82-year-old grandmother charged [US]$21,000 for having a virus!” But ISPs could block outgoing SMTP for their residential customers, he says, especially if spam sent from compromised computers is costing ISPs money in the form of message charges.
While a message charge is futuristic fodder, it’s this kind of thinking that will ultimately undo spam — not necessarily a more effective e-mail appliance.
And there’s no question that IT security risks and budget burdens caused by the spam boom have forced companies to make spam reduction a priority. Companies are now willing to try new things even at the risk of upsetting users. For instance, some companies block all incoming messages from EarthLink, MSN, and other providers that host spammers, even if it means they block legitimate e-mails, too.
“There’s definitely still room for innovation,” says Harbaugh. “Anything that the anti-spam vendors use is generally bypassed by the spammers in relatively short order. So it might be more accurate to say that innovation is critical and ongoing.”
Comment: [email protected]