Spam Explodes, but You Can Fight Back
We're having a spam wave--more like a tsunami. After a lull in growth rates in late 2005, the volume of junk mail on the Internet at large began skyrocketing in 2006. IronPort, a leading antispam-technology company, says that 63 billion spam messages were sent in October 2006, more than double the number of messages dispatched in October 2005.
Experts attribute the global upswing in spam to technological innovations in the way the junk mail is sent. Spam-fighting software is good at rejecting mail from servers that are known to disseminate spam, but spammers are getting better at setting up botnets--networks composed of broadband-connected PCs that, unbeknownst to their owners, are used to send spam. PCs that are directly connected to a cable modem or a DSL modem are particularly at risk of being commandeered.
How do you keep your PC from being shanghaied into a botnet? Make sure you have a good firewall and a secure browser (Internet Explorer users should upgrade to IE 7, which has better defenses, or try an alternative browser like Firefox--see this month's Privacy Watch for more on browser security). If you're on a home network, your router should be protecting you from intruders; check your documentation to confirm that you're taking advantage of the firewall features included with most home routers these days.
Botnets aren't new, but spammers have become more adept at distributing and concealing them. The latest botnet software, which you can run afoul of simply by visiting a rigged Web page or by clicking on a spam message itself, remains inconspicuous by transmitting only a small volume of spam at any one time. Spam-filtering software has trouble distinguishing bot-generated mail from legitimate messages sent by the same computer.
As maddening as the situation may sound, there is some good news to report. Major ISPs and mail portals are improving spam filters almost as quickly as spammers can introduce new techniques. "Generally speaking, the experience of end users continues to improve," reports Richi Jennings, an e-mail security analyst working for Ferris Research.
Unfortunately, some other ambitious antispam efforts haven't proved to be terribly effective. Federal authorities have prosecuted a handful of businesses under the three-year-old CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act. But that law has no jurisdiction over spammers overseas, and its provisions are increasingly being ignored. In analyzing 10,000 randomly selected commercial e-mail messages, MX Logic found that less than 1 percent met the law's requirements that such messages include the sender's real street address and a way to opt out of subsequent mailings.
The jury is still out on whether sender-authentication technologies such as Microsoft's Sender ID and Yahoo's DomainKeys will succeed in fighting spam. Sender authentication works this way: Your bank registers the IP addresses of its mail servers. If you get an e-mail that purports to come from your bank but doesn't come from one of the registered addresses, the mail service will delete the message or will at least alert you.
By the end of 2006, according to Craig Spiezle, Microsoft's director of online safety strategy and planning, roughly 40 percent of all legitimate mail received by Hotmail users was being authenticated using Sender ID. But the system works only if major phishing-target sites participate. Another weakness of sender authentication is that some of the sites registering their addresses are actually phishing sites. For example, a phishing site with a domain name that's a misspelled version of a bank's name could publish its mail server information, and Sender ID would authenticate mail from the malicious site. You can see for yourself how well sender authentication works by forwarding your mail to a Hotmail account (to test Sender ID) or to a Yahoo mail account (to test DomainKeys).
AOL and Yahoo users, meanwhile, are getting some help in identifying mail that isn't spam through each company's partnership with a firm called GoodMail, which offers "legitimate" bulk e-mailers a service it calls "certified e-mail."
GoodMail chief executive Richard Gingras says that the company accepts only customers that have no history of sending spam. Mailings from GoodMail customers are routed through GoodMail's servers, which insert a unique cryptographic token into each message. Partner e-mail services recognize the token when they receive the message, and the mail appears in the user's inbox with a special icon and words like AOL Certified Mail. Gingras says the service addresses one side effect of phishing: Fearful of identity theft, people simply delete all mail claiming to come from any financial institution.
GoodMail charges its customers 0.25 cent per message and shares that revenue with its partner e-mail services. Critics say that the scheme simply affords wealthy bulk e-mailers easy access to the inboxes of people whose mail services use (and profit from) GoodMail. Gingras, however, says that GoodMail turns down three out of every four prospective customers because their record on spam isn't clean enough to satisfy his firm's standards.
If you haven't noticed much extra spam in your mailbox lately, you likely have your e-mail service to thank for it. Ferris Research's Jennings says that if more than 10 percent of mail in your inbox is illegitimate, you can probably do better.
I did, by setting up automatic forwarding of all my personal e-mail to Google's Gmail. Fortunately, my hosting company makes mail forwarding easy through its Web-based e-mail management tools. Most ISPs that offer e-mail based on POP3 or IMAP will have similar tools--I found EarthLink's tools, for example, by searching its Help for "e-mail forwarding."
Gmail cleaned an additional 30 messages per day from the forwarded mail, leaving only a handful of stragglers each day; in a week I found only one false positive in its spam folder. (If you do switch services, be extra diligent about checking the new service's spam folder for false positives in the first couple of weeks.)
I haven't tested other major e-mail services, but Jennings says they are all being very aggressive about keeping consumer inboxes clean--and are better equipped for the job than any desktop software. "It makes very little sense for consumers to be running software on their desktop that filters spam," Jennings notes, "[because] you still have to download the spam." Nevertheless, for users who are wedded to Outlook but want spam-filtering help, we have recommended Cloudmark Desktop and Sunbelt Software's IHateSpam in the past.
In the midst of the current spam wave, the usual caveats for reading e-mail safely still apply. When in doubt, don't open an e-mail message--especially if it includes an attachment. Don't click on links that promise to send you to a site where you have an account--type in the institution's URL in the address field of your browser. And consider using a free e-mail account for your e-commerce transactions.
Engaging in safe e-mail practices offers you the best hope of safe shelter from the worst fallout of the spam storm.