by Adam C. Engst ace@tidbits.com
The spam pandemic has grown to epic proportions. In 2002, I received
over 23,000 spam messages (about 35 percent of my mail), and that's
even after employing the Mail Abuse Prevention System RBL+ realtime
blackhole list and a handful of other conservative server-side spam
filters on our primary mail server.
There's no question that my address is both older (it hasn't changed
since I switched away from the UUCP style ace@tidbits.uucp)
and more widely published than most, but my exposure generally means
I'm just ahead of the curve. If you're not getting a lot of spam now,
you're both lucky and living on borrowed time.
http://mail-abuse.org/rbl/
http://www.eudora.co.nz/eimsfilters.html
Think Positive
Nevertheless, although I don't see the amount of spam dropping for
a while yet, I think we've turned the corner in developing the basic
concepts that will eliminate most spam from our lives - at least when
those concepts are intelligently combined and implemented. These concepts
include so-called Bayesian filtering, which attempts to predict the
likelihood that a message is spam by the frequencies with which certain
words occur; whitelists, which allow mail through only when it comes
from people from whom you've received legitimate mail in the past; and
challenge/response systems, which require that new senders authenticate
themselves before their mail reaches you. Also potentially useful deterrents
are the various U.S. state anti-spam laws and the lawsuits against spammers
they make possible; well-run blackhole lists that let mail servers refuse
to accept connections from other mail servers that have been compromised
by spammers; and the combination of proper default settings and network
administrator education that has cut down on the number of open relays
for spammers to exploit.
http://www.paulgraham.com/spam.html
http://www-106.ibm.com/developerworks/linux/library/l-spamf.html
Note that I explicitly do not include arbitrary server-side content
filtering in that list of potentially useful approaches to controlling
spam. Creating server-side filters that reject mail based on the inclusion
of a word or two merely because the administrator has seen those words
in spam is more damaging to the overall utility of email than spam itself.
http://db.tidbits.com/getbits.acgi?tbart=06866
http://db.tidbits.com/getbits.acgi?tbart=06869
http://www.nytimes.com/2002/07/15/technology/15SPAM.html
Our efforts at educating the public to the dangers of arbitrary content
filters certainly don't hurt, but the problem continues. Our recent
gift issue was rejected by one mail server (which will undoubtedly do
so again with this issue) because the word "cows" appeared
in the text. (Ironically, it wasn't even in relation to the worthy Heifer
Project charity, but to a comment about the game Tropico.) In an effort
to avoid losing subscribers when these content filter rejections trigger
our bounce automation, we've taken to trying to switch impacted subscribers
to the announcement version of TidBITS, which is much more likely to
slip past content filters purely on the basis of containing many fewer
words.
Cue Habeas
There's one more new tool that we've just started to employ. A new company
called Habeas, started by TidBITS author Dan Kohn, has come up with
"sender warranted email." The idea is that, with the addition
of nine specific header lines to your messages, you can warrant that
your outgoing email is not spam. ISPs, email providers, spam filters,
and even individual recipients can then trust that any incoming message
that contains Habeas headers is legitimate.
http://www.habeas.com/
Here's what the Habeas headers look like.
X-Habeas-SWE-1: winter into spring
X-Habeas-SWE-2: brightly anticipated
X-Habeas-SWE-3: like Habeas SWE (tm)
X-Habeas-SWE-4: Copyright 2002 Habeas (tm)
X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this
X-Habeas-SWE-6: email in exchange for a license for this Habeas
X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant
X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this
X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.
"But but but...," I can hear you saying. "What prevents
spammers from simply adding the Habeas headers to spam as well?"
Nothing. Well, except for the thousandweight of lawyers that Habeas
plans to drop on anyone who does so, basing such lawsuits on both copyright
and trademark law. Habeas can do this because the Habeas headers include
a copyrighted three-line haiku and several trademarks. In addition,
Habeas will add any infringers to a DNS-based blacklist that doesn't
suffer from some of the legal problems that have plagued other blacklists.
I'm waiting with bated breath to see how Habeas handles the first infringers.
My experience with suing a spammer under the Washington State anti-spam
law wasn't great because I couldn't expend the money, time, and effort
to carry the suit through to the most satisfactory conclusion. In contrast,
Habeas has venture capital and significant incentive to make examples
of infringers, so they're likely to have a better chance of running
the spammers to ground and extracting financial penalties from them.
By basing the protection on copyright and trademark law, Habeas avoids
the many variations on state anti-spam laws and doesn't have to wait
for federal legislation that may be too little and is already too late.
Plus, international copyright law offers similar protections everywhere
but Afghanistan, Bhutan, Ethiopia, Iran, Iraq, Nepal, Oman, San Marino,
Tonga, and Yemen. On the collection side, Habeas plans to turn spammers
over to the collection agency Dun & Bradstreet for maximum extraction.
http://db.tidbits.com/getbits.acgi?tbser=1167
Although there are some high-profile spammers who are making very real
money at spam (but are stupid enough to give their real names in interviews,
opening themselves up to real world harassment from furious spam victims),
I doubt Habeas will end up making significant money from successful
lawsuits. Most spammers simply don't have deep pockets. However, Habeas
does earn money from licensing the Habeas headers to businesses. Licenses
are free for individuals and ISPs that warrant that all their email
is not spam; other companies pay $200 per year for a license unless
their business revolves around sending verified opt-in commercial email,
at which point the license is based on the number of recipients.
http://www.habeas.com/services/swe.htm
Practical Habeas
From a user's standpoint, you need to know two things about Habeas:
how to add Habeas headers to your email messages (remember, it's free
for individuals) and how to filter Habeas warranted messages. The details
vary significantly with the software you use for email, but Habeas has
developed instructions and plug-ins for many common pieces of email
software (it's just a matter of dropping a plug-in into the appropriate
folder with Eudora, for instance), and they're happy to post user-submitted
instructions for additional programs. Also, many email programs hide
unusual headers by default, and for those programs that don't, Habeas
also offers instructions for hiding the Habeas headers so you don't
have to look at them in every message.
http://www.habeas.com/support/install.htm
What are we hoping to get out of adding Habeas headers to our mailing
lists? Quite simply, less damage due to errant spam filters. Habeas
is working with many of the vendors of server-side spam filters to
encourage them to whitelist Habeas compliant messages, and we hope that
anyone who has gone to the effort of rolling their own spam filters
will do the same to reduce the incidence of false positive spam identification.
I encourage everyone who's concerned about spam to sign up for a free
individual Habeas license, and for anyone working on anti-spam tools,
make sure your tools whitelist Habeas compliant messages as well.
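The whitelisting check described above, combined with the earlier point that nothing stops a spammer from copying the headers, as an added example in Python (not code from Habeas or TidBITS). The is_listed_infringer callable is a hypothetical stand-in for a lookup against the Habeas DNS-based blacklist, whose zone name the article does not give; the sample message and the 192.0.2.x addresses are constructed.

```python
import email

# Warrant-mark header values exactly as printed in the article.
HABEAS_MARK = {
    1: "winter into spring",
    2: "brightly anticipated",
    3: "like Habeas SWE (tm)",
    4: "Copyright 2002 Habeas (tm)",
    5: "Sender Warranted Email (SWE) (tm). The sender of this",
    6: "email in exchange for a license for this Habeas",
    7: "warrant mark warrants that this is a Habeas Compliant",
    8: "Message (HCM) and not spam. Please report use of this",
    9: "mark in spam to <http://www.habeas.com/report/>.",
}

def has_habeas_mark(msg):
    """True only if each of the nine headers appears once with the exact text."""
    for n, expected in HABEAS_MARK.items():
        values = msg.get_all(f"X-Habeas-SWE-{n}") or []
        # Collapse folding whitespace so a wrapped header still matches.
        if len(values) != 1 or " ".join(str(values[0]).split()) != expected:
            return False
    return True

def classify(raw_message, relay_ip, is_listed_infringer):
    """Return 'whitelist', 'infringer' or 'normal-filtering'.

    is_listed_infringer is a hypothetical callable standing in for a query
    against the Habeas DNS-based blacklist of infringers.
    """
    msg = email.message_from_string(raw_message)
    if not has_habeas_mark(msg):
        return "normal-filtering"  # a partial or altered mark earns no trust
    if is_listed_infringer(relay_ip):
        return "infringer"         # mark copied by a listed abuser: never whitelist
    return "whitelist"

def build_sample(mark):
    """Constructed sample message carrying the given mark headers."""
    lines = [f"X-Habeas-SWE-{n}: {v}" for n, v in mark.items()]
    return "From: list@example.org\nSubject: sample\n" + "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    listed = {"192.0.2.66"}.__contains__  # constructed blacklist contents
    good = build_sample(HABEAS_MARK)
    print(classify(good, "192.0.2.10", listed))   # licensed sender
    print(classify(good, "192.0.2.66", listed))   # mark on mail from a listed relay
    partial = build_sample({n: v for n, v in HABEAS_MARK.items() if n <= 3})
    print(classify(partial, "192.0.2.10", listed))  # haiku only, no warrant text
```

A message that fails the mark check is not treated as spam; it simply goes through whatever filtering would have applied anyway.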
There's no question that the use of Habeas headers will not eliminate
the spam problem overnight, but when combined with the other tools and
techniques that have started to appear, it should make a difference.
Reprinted with permission from TidBITS. TidBITS has offered more than
ten years of thoughtful commentary on Macintosh and Internet topics.
For free email subscriptions and access to the entire TidBITS archive,
visit www.tidbits.com.