Features

net.wars: Spam-sensitive sunglasses

Douglas Adams invented "hazard-sensitive sunglasses" which protected the user from seeing unpleasant (that is, dangerous) sights. Of course, it also rendered them blind, and liable to walk straight under the bus which constituted the hazard. Something like spam filters perhaps?

A few weeks back I spent three days locked up in a room full of Internet experts, pioneers, and thinkers to contemplate the question of how to prevent what the conference's convenors grandly called the "Internet meltdown". I was hoping for a particularly graphic T-shirt to commemorate this event, but I gather all I'm going to get is this Wiki.

It's very depressing how almost every conversation about the Internet devolves into a discussion of how to combat spam.

It's even more depressing how much worse spam keeps getting. And more depressing again still that despite the many technical conferences currently being conducted on the subject, how ineffective most current strategies seem to be.

This week, LINX - the London Internet eXchange, through which about 90 percent of the UK's Internet traffic passes - announced that its members had voted in a new code of practice that called for ISPs to take down sites that use spam to advertise their services/wares/warez, as well as sites that sell spamming tools such as CDs carrying millions of addresses.

Malcolm Hutty, LINX's policy director and founder of the Campaign Against Censorship of the Internet in Britain, admits that in terms of Britain alone the move may not make much difference. Figures are, as he says, "inexact", but best guesses are that only between 1 and 5 percent of spam comes from within the UK and relatively few UK sites are "spamvertised", as they're calling it these days. In fact, the UK isn't even on the Spamhaus Project's list of ten worst spamming countries for July 2004.

"But," he says, "BCP [Best Code of Practice] is a political statement as well. The original BCP was taken up by RIPE, so we hope it will reach beyond just the UK." RIPE, which stands for "Réseaux IP Européens", is a collaborative forum that provides technical coordination of Internet functions in Europe.

This seems like a positive development for the most part. Hutty, like a lot of us, is cognizant of the possibility that an unscrupulous company could seek to take out one of its competitors by spamvertising its site. Much less probable is the scenario suggested on Slashdot that spammers could defeat the proposal by spamvertising all sorts of sites at random, just to poison the process. Surely the real promotion targets would be obvious statistically, if no other way.

Lauren Weinstein, the main convenor of the meltdown conferences, thinks the LINX proposal probably won't fly in the US. He says by email, "Arbitrarily shutting down sites selling legal products (as far as I know it is legal to sell spamming tools, even when it is illegal to spam - and remember the tools may have limited legit uses also) can be problematic. Even shutting down sites that are advertised in spam (even assuming a Joe Job is not in progress unless a true nexus can be demonstrated can result in lawsuits. So, especially in a litigious environment it can all get pretty tricky."

In the EU, unlike the US, selling CDs full of millions of email addresses collected without their owners' permission is illegal under the data protection laws. Other types of spam tools may well be legal, although Scott Chasin of MXLogic argues that there are many tools that have no uses except in aiding spammers. It's very likely, however, that most of the things that are publicly available from Web sites are not the tools that the biggest professional spammers use. If you believe the Spamhaus Project's figures, more than 90 percent of spam comes from 200 known operations, the vast majority based in the US.

The general feeling has been that anti-spam laws don't work; they certainly haven't worked in the US, where most of them seem to concentrate on labelling. The problem there is that the direct marketing culture is so endemic that the simple thing of implementing an opt-in requirement is legislatively impossible. The Spamhaus Project is currently applauding Australia's anti-spam laws, which do require opt-in, and which the Project says are pushing spammers out of that country. Of course, we all hope that every move that makes the Net more hostile to spam will have some effect, but moving spam sources from one country to another doesn't seem like enough progress. Especially with spam invading blogs and other previously free locations.

At the meltdown conference, it became clear that "meltdown" is in the eye of the beholder. Mine this week is the number of friends and colleagues I can no longer email because the volume of spam in their in-boxes means they no longer read it. My best suggestion there is for every geek to set up their own mail server and spam filtering and give ten friends email addresses to replace their old unusable ones.

That's one of my proposals: community email. The second is that these sites are only ever able to take money because they have credit card authorisations. They aren't going to have 200 of those, one for each site. They're going to have one of those and use it for everything; merchant authorisations aren't that easy to get. Do some traditional policing. Go after them that way.