Windows & .NET Magazine Security UPDATE--July 9, 2003

1. In Focus: Antispam Movement: Going in Opposite Directions

by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

As you know, spam is causing an uproar, and many are mounting a considerable effort to put a damper on it. That effort recently delivered a significant blow, when the British Broadcasting Corporation (BBC) revealed that it had uncovered what it believes to be the source of tens of millions of spam items sent out each day.

During a special journalistic investigation, the BBC found evidence that the computers of thousands of companies around the world are being hijacked to deliver spam and to host questionable Web sites. Obviously, spammers use hijacked computers to help cover their tracks. One of the hijacked companies was British Airways, whose network attackers used to host a Web site for mail-order brides.

By further tracking clues such as IP addresses and domain-registry information, the BBC followed the trail first to South America, then to the Netherlands. In the Netherlands, the BBC discovered that Dutch ISP MegaProvider is connected to a known group of spammers. The BBC investigation team confronted the operator of MegaProvider, and you can read the details in a news story [http://news.bbc.co.uk/1/hi/technology/3036092.stm] at the BBC News Web site.

The fallout against MegaProvider is significant so far: The company lost peering contracts and customers, and other ISPs entirely blocked its networks. The complete outcome remains to be seen. The BBC story points out that we can prevent spam by nipping it in the bud.

As you know, corporate giants have taken a more public stance against spammers. Some of their endeavors have gained the spotlight in various US publications. You might be surprised to learn what's been reported.

The "Washington Post" reports that Missouri Attorney General Jay Nixon has accused Microsoft of trying to run a protection racket through which Microsoft would earn money from companies that want to send bulk mail. In addition, the "Washington Post" reports [http://www.bayarea.com/mld/cctimes/news/6244003.htm] that Microsoft opposes a do-not-spam registry because such registries might be attacked to reveal millions of email addresses.

The "Washington Times" also reports [http://washingtontimes.com/business/20030629-103835-5128r.htm] that Microsoft opposes a do-not-spam registry--because it would be technologically impractical and unenforceable. But if a registry works to curb telemarketers, why can't it work to curb spammers too?

ZDNet UK and CNET report [http://news.zdnet.co.uk/story/0,,t269-s2136652,00.html] that critics of Microsoft's push against spam say the company's stated opposition to spam is hypocritical--and that the company should "get its own house in order" first. Microsoft has defended itself against the criticism, which cites MSN and Hotmail as contributors to the spam problem. "The Sacramento Bee" reports [http://www.sacbee.com/content/politics/story/6960914p-7910017c.html] that Microsoft "has fought legislation in Missouri, Michigan, and California that would make it illegal to send commercial email to anyone who doesn't want it. Microsoft instead has supported laws that allow companies to send unsolicited email, provided that they do not use deceptive or fraudulent practices and offer consumers the chance to opt out of future solicitations."

The bottom line is that spam is a huge money-maker for companies that deliver it (whether the spam is legitimate advertising or not), companies that advertise through spam, and companies that sell products that help filter spam. At the same time, spam costs businesses a lot of money because they have to buy and administer filtering products--and bear the expense of the associated bandwidth.

Spam represents the opportunity to make big money fast--for software and service companies and for entities involved in advertising. Even so, people are for the most part tired of unwanted email messages. I think the most cost-effective ways to curb unwanted email involve a combination of efforts that include a law that requires people to opt in to receive advertising, do-not-spam lists, and filtering technologies. (I realize that I might be shortsighted about this matter. Email me your ideas.) We might even see significant changes to the underlying technology of email itself, such as digital postage or mandatory identity management to ensure that email messages arrive at their destination.

Laws do help curb spam (large companies are successfully suing spammers), but they don't always address the challenges that international spammers present. Digital postage might help, but it won't be well received. Identity management seems like the most potentially effective course. In any case, I think we'll all probably spend more time and more money on technology to keep unwanted email at bay in the future. Keep an eye on the spam debates because you might have to adjust your budgets and network topology accordingly.