
net.wars: Spam coming soon to a mobile phone near you

by Wendy M Grossman | posted on 26 September 2003


"Anything worth having is worth cheating for," the Australian writer and broadcaster Derryn Hinch observed in his book on the best techniques and strategies for playing Scrabble. I think of this comment often when observing the amount of effort spammers put into lying and deceiving to get around the filters and blocks put in place to keep them out.


It also reminds me of living with that ultimate bureaucrat, a six-year-old child. "You said not to sit in your seat or put my feet on it. You didn't say I couldn't steal the cushion."

I'm going to start by proposing that we need three categories of email. 1) Wanted mail: everyone's list of what's wanted is different, but we can all agree that includes friends, relatives, and people we do business with. 2) Unwanted mail: everyone's list is different here, too, but it probably includes mailing lists you didn't ask to be on, follow-up marketing email from companies you've bought from, forwarded jokes from net.newbies, and so on. 3) Mail, however bulk-sent and unwanted, that comes from legitimate businesses.

And then there's spam, and despite the "one man's spam is another man's ham" stance of anti-spam vendors eager to seem to be all things to all people, there is actually a pretty good consensus on what spam is. It's mail nobody wants. It's the penis extensions, the porn sites, the financial scams, the illegal Viagra sales, the cable descramblers and warez offerings. The average person has no trouble whatsoever distinguishing spam on sight.

The Direct Marketing Association would probably like this tripartite view, because they can feel they are not spammers. Though if they really want to sell this belief, I recommend they stop opposing the FTC's do-not-call list. Direct marketers always say they do not want to send their material to people who do not want to receive it. But when the FTC created a list to stop the scourge of telemarketing calls, and 50 million Americans signed up, the telemarketers sued to block the FTC from putting the list into operation next week. If you are not spammers, do not behave like them.

Although: true spammers would not sue. They would move off-shore. Or they would set up a fake charity to front all their calls (charities are exempt from the list). Or they would make a decoy wrong-number call to your phone, during which they would secretly download a self-installing worm that would turn your phone into a robot telemarketer that would make calls from your line and read a script, forwarding the call to the spammer if the recipient keyed a number. The telespammer would get the live responses, and you would get the disconnected phone service and the angry calls back from enraged eaters, but what does he care?

The last week has seen the loss of two of the real-time black lists that administrators use to check the source of incoming mail against a list of known spam sources. Two such services, monkeys.com and compu.net, were pulled after massive, crippling DDoS attacks. A few weeks ago, Osirus also bit the dust. RBLs have their faults, but they were significant tools and they've been targeted for removal.

I knew all this; but I had not realised until this week's Mobile Anti-Abuse conference, run by Openwave, quite how fiendishly sophisticated spamware tools have become. Besides the sites that test mailservers for open relays legitimately, for example, there are "dark side" sites that build lists of open relays from such tests and sell them as a subscription service.

Scott Chasin, CTO of MX Logic, is an expert on spammer tools. HTML messages look identical to the human eye and foil filters by embedding tokens in a font the same colour as the background. Sophisticated understanding of how the heuristics and scoring in filters like SpamAssassin work means the spamware loads up the message with elements designed to produce a negative score. When some messages are previewed, Web bugs embedded in the HTML retrieve images from remote sites, simultaneously validating your email address. Software to automate all of this is readily available to anyone on the Net who cares to download it, despite its being illegal in eight US states.
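A filter-side check for two of the tricks described above, as an added example that is not from the column or from any tool it names: it flags text whose `<font>` colour equals the page background, and images that would be fetched from a remote host when the message is previewed. The class name, the `scan` function and the sample message are constructed for illustration; only literal `bgcolor` and `color` attribute values are compared, so named colours and CSS styling are outside its scope.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class SpamTrickScanner(HTMLParser):
    """Hypothetical scanner: invisible text and remotely fetched images."""

    def __init__(self):
        super().__init__()
        self.background = "#ffffff"  # assumed default if <body> sets no bgcolor
        self.colour_stack = []       # colour of each open <font>, innermost last
        self.hidden_text = []
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body" and attrs.get("bgcolor"):
            self.background = attrs["bgcolor"].strip().lower()
        elif tag == "font":
            self.colour_stack.append((attrs.get("color") or "").strip().lower())
        elif tag == "img":
            src = attrs.get("src") or ""
            # Only http(s) sources make the mail client contact a remote host;
            # cid: references point at parts attached to the message itself.
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)

    def handle_endtag(self, tag):
        if tag == "font" and self.colour_stack:
            self.colour_stack.pop()

    def handle_data(self, data):
        text = data.strip()
        # The innermost <font> that sets a colour decides how the text renders.
        colour = next((c for c in reversed(self.colour_stack) if c), None)
        if text and colour == self.background:
            self.hidden_text.append(text)

def scan(html):
    scanner = SpamTrickScanner()
    scanner.feed(html)
    scanner.close()
    return {"hidden_text": scanner.hidden_text, "remote_images": scanner.remote_images}

# Constructed sample message (not real spam); the token is a placeholder.
SAMPLE = """<html><body bgcolor="#FFFFFF">
<font color="#000000">Limited offer, reply today</font>
<font color="#ffffff">meeting agenda quarterly budget minutes</font>
<img src="http://tracker.example/p.gif?id=PLACEHOLDER" width="1" height="1">
<img src="cid:logo"></body></html>"""
```

A filter would treat either finding as a scoring signal rather than a verdict, since legitimate newsletters also load remote images.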

The general consensus at this conference is that if there is a solution it will be multi-pronged. Technology (filtering, adding authentication and security to Internet protocols), enforcement, legislation, changing the economics, and consumer education are all necessary. The panic here is mobile phones: as mobile networks move to Internet Protocol (GPRS, UMTS, CDMA), they open to the flood. JPhone, Japan's number three mobile provider, says that 80 percent of multimedia messages are spam or unwanted harassment. Expensive for everyone.

My own view is that 1) spam is going to get linearly worse as broadband rolls out and more inexperienced people set up their own mailservers; 2) the merger of spam and viruses is going to get exponentially worse; 3) really sophisticated methods for stopping spam will bite us in other ways. Can we find a solution that functions without, as Lawrence Lessig says, "breaking the kneecaps of the Internet"?



Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).