Low Carb Diet
Spam is on the way out
Randy C. Hice
Ah, the good Reverend Thomas Bayes became one with the universe way back in 1761 but that whirring noise you hear is good old Tom’s body slowly spinning in its grave. You see, Reverend Tom was not just a Man of the Cloth, he was a statistician as well, and the foundations of his statistical theory gave birth to Bayesian analysis.
Why should you care?
Because Bayesian analysis lies at the root of the most intelligent spam filters in the world. Millions upon millions of worthless trashy messages get dumped into cyber oblivion before you ever see them, and a great many more are actively filtered into your junk mail repositories after Bayesian analysis determines that a string of targeted words is, more than likely, hubris.
Spam is killing us all, and the true pessimists of the world are claiming that e-mail is doomed because of spam. I don’t agree for a lot of reasons, but I sure as hell do agree that our friends comprising The 108th Congress of the United States of America had a serious lapse of logic when they passed the “CAN-SPAM Act” recently. If you have insomnia, please refer to www.spamlaws.com/federal/108s877.html for a taste of legislative phenobarbital.
When the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003 was passed, the sound of corks popping out of cold bottles of Cristal champagne sounded like Gulf War artillery fire. That would be the sounds of vicious, parasitic spammers celebrating either the ineptitude of Congress, or the greed. CAN-SPAM was so lame that it cut the legs out of some more stringent anti-spam laws enacted in places like California and Colorado. Among the no-no’s of the CAN-SPAM Act (by the way, Congress uses the term “Multiple Commercial Electronic Mail Messages”):
• gaining unauthorized access to a computer to send spam
• re-transmitting spam with the intent to mislead others about its origin
• sending spam containing materially falsified header information
• registering for five or more e-mail accounts, or two or more domain names under a false identity, and sending spam from any combination of those e-mail accounts and domain names
• sending spam from five or more IP addresses that the sender falsely claims to own.
There are numerous problems with this. The anti-spam militants wanted to include “opt-in” for all spam (meaning you’d have to send mail to a company requesting them to spam you), and the ability for anyone to sue anybody sending spam to you. Congress shot down those provisos for a couple of reasons. One of the most interesting is tied to big business. As you are aware, big business lobbies for certain elements of legislation when it is in their best interest. And companies certainly made it clear that they didn’t want thousands of lawsuits levied against them every time some bit of marketing found itself in the inbox of some person who didn’t want it. Second, big business didn’t want to be prevented from sending spam (excuse me, critical information) to existing customers. You ever read those privacy agreements you so casually click through when setting up accounts or ordering stuff? In many cases, it is the default assumption you agree to be spammed by the company, and anybody the company considers a “partner.”
So Congress buckled like a first year medical student after slicing into his/her cadaver. And, although the logic was faulty, I agree that neither provision would do much in the long term.
The true vermin of the spam world can totally nullify CAN-SPAM within minutes by simply moving their operations offshore, or at least appearing to do so. It’s not like they actually have to buy an office offshore. It’s easy to find (and fund) a willing host. You really think the FBI is going to try to press the issue with a little server housed in a hut in the Maldive Islands? And suing these guys? Please. It’s Darwin’s law; the idiots will get caught, and the survivors will be bigger, smarter spammers. Hey, look, there are people making money writing tools for spammers. Have you been getting a lot of spam with nonsensical words in them?
burmese juliet frazier joystick brendan comprehensible inflict misanthropic bookshelf sing dispelling over ideal polytypy entourage chamber carne argillaceous follicle apostle handmaiden scriptural procrustes
Or how about spelling errors that would shame a pre-schooler?
The two prolducts woyrk great together
These two examples are electronic countermeasures to thwart the aforementioned Bayesian filters by including words that could be legitimate e-mail content, and also disguising the words that are sure fire spam (like “products work”). But the spam filtering companies will soon adjust their algorithms to look for these strings, and thus redline such messages as spam. But don’t sell the spammers short. There’s big money in spam, and counter-counter measures will appear.
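To see why both tricks move a Bayesian score and how a filter answers them, here is a small token-probability filter run on the two samples quoted above. It is an added example, not code from the column or from any filtering product; the training mail is constructed, and the 0.4 score for never-seen words and the 15-token cut-off are assumptions of the sketch.

```python
import re

# Constructed training mail for illustration (not real messages).
SPAM = ["buy the new products now",
        "cheap products work fast buy now",
        "these products work cheap offer"]
HAM = ["meeting notes for the lab project attached",
       "lab results and instrument logs attached",
       "project schedule for next week"]
# The samples quoted in the column.
PLAIN = "The two products work great together"
MISSPELT = "The two prolducts woyrk great together"
SALAD = ("burmese juliet frazier joystick brendan comprehensible inflict "
         "misanthropic bookshelf sing dispelling over ideal polytypy "
         "entourage chamber carne argillaceous follicle apostle handmaiden "
         "scriptural procrustes")

def tokens(text):
    return set(re.findall(r"[a-z]+", text.lower()))

def train(spam, ham):
    """Return P(spam | token) for every token seen, clamped to [0.01, 0.99]."""
    probs = {}
    for tok in set().union(*map(tokens, spam + ham)):
        b = sum(tok in tokens(m) for m in spam) / len(spam)
        g = sum(tok in tokens(m) for m in ham) / len(ham)
        probs[tok] = min(0.99, max(0.01, b / (b + g)))
    return probs

# unknown=0.4 (score given to never-seen tokens) is an assumption of this sketch.
def score(text, probs, top_n=None, unknown=0.4):
    """Naive Bayes spam probability; top_n keeps only the most decisive tokens."""
    ps = sorted((probs.get(t, unknown) for t in tokens(text)),
                key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
    spam_like = ham_like = 1.0
    for p in ps:
        spam_like *= p
        ham_like *= 1.0 - p
    return spam_like / (spam_like + ham_like)

if __name__ == "__main__":
    probs = train(SPAM, HAM)
    padded = PLAIN + " " + SALAD
    print("plain            ", round(score(PLAIN, probs), 3))
    print("padded, all words", round(score(padded, probs), 3))
    print("padded, top 15   ", round(score(padded, probs, top_n=15), 3))
    print("misspelt         ", round(score(MISSPELT, probs), 3))
    retrained = train(SPAM + [MISSPELT], HAM)  # a user reports the sample
    print("misspelt, retrain", round(score(MISSPELT, retrained), 3))
```

Scoring only the most decisive tokens keeps the padded message above a 0.9 threshold because the unseen filler words are near neutral; filler words the filter has already seen in legitimate mail would still count against the spam score.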
So is it hopeless? Cynics are saying that more and more people are going to instant messaging because it’s killing productivity to sort through the spam that gets through. IMs are “white list” tools, meaning that you can rig them easily to only accept messages from people on your “friends” list.
And white lists work, at a price. My wife has McAfee SpamKiller on her system. Only people in her e-mail directory can send messages to her. All others are dumped into a spam trash can, and there are thousands every few days. No spam gets through. Once implemented, her spam went from hundreds a day, to zero, in no time at all. Some of these programs use sophisticated challenge algorithms. A person not on your white list is challenged with a JPEG file with, say, a number written in the image, or a picture of a few cats. To be able to send a message, you must correctly answer what the displayed number is, or count the cats. Automated spam tools can’t do this, and the spam is killed. But white lists may not be practical for business users. If you’re running a business, do you really want to make it hard for people to get in touch with you? Will it cost customers? Maybe. Most businesses won’t take the chance.
But there is a fundamental problem with trying to devise tools for killing spam; the spam still occupies bandwidth on the Internet, and CPU time is required to identify and kill it. Most systems require storage to retain some messages so you can occasionally access them to see if good e-mail was killed.
So shall we surrender to the spammers? Is it hopeless? I don’t think so.
Cade Metz and John Clyman wrote in the February 17 issue of PC Magazine that there are a couple of nuclear bombs being considered that could truly kill spam.
The first proposal involves charging everyone sending e-mail a fraction of a cent for each one. For most of us, this would be Chump Change. But for spammers who must send out millions of messages to get the few hits it takes to be profitable, this is a big ticket. Bear in mind this wouldn’t be on the honor system. Everyone would have to make a credit deposit, and the money would be collected by the ISPs before e-mail could be sent. Like a game card at Dave and Buster’s; when you’re out, you’re out. I’m sure the ISPs would love this, as it would float money into their accounts. But no rogue spammer will deposit hundreds of thousands of dollars into an ISP’s account.
The more intriguing of the proposals is probably the best: changing the e-mail protocols that are in use to require bulletproof authentication. John Clyman writes that the existing protocols are more than 20 years old, and Cade Metz adds that new ones are being developed based on SMTPi, SMTP over SSL, Reverse MX authentication, and Yahoo’s DomainKeys. What this soup of acronyms boils down to is that it would be simple to identify and prevent spam from being sent through unwitting machines hijacked by spammers (far and away the preferred method), and allow for all sorts of validation and tracking of spammers where they live, if any were to be allowed to exist at all. Spam would be killed at the source, and the denizens of this slime ball business would have to revert to purse snatching.
But such solutions, writes Clyman, are years away. But there is hope that our e-mail will be ours once again.
Randy Hice is the president of the Laboratory Expertise Center. He can be reached at editor@ScientificComputing.com.