Fighting spam: Cure worse than the disease?

Fighting spam: Cure worse than the disease?

Sometimes, life imitates art. Spam has become a science-fiction fantasy come to life. Advertising and commercialism have been mainstays of modern cultural commentary and "cyberpunk" science fiction for years, long before spam became an industry-wide concern, but many people probably didn't expect it to be taken as seriously as it is.

Spam itself has also been around for many years, but for much of its early history, it wasn't a big problem. Junk mail had already been common in postal ("snail") mail for generations, and it wasn't thought too much of; people would toss it in the trash, and continue to go about their business. Paper junk mail never became a global concern because it cost the advertisers real money to have to send it, and since the mail only came once a day, you could quickly throw out the trash just once, and not have to worry about it again until tomorrow at the earliest.

Some people speculated, in spam's early days, that it could someday become a more serious problem because e-mail is virtually free to send, and you can send thousands of e-mails much more quickly than you could send a comparable number of paper mails. Many people acknowledged these concerns, but probably didn't suspect that spam would ever live up to those hypotheses. Apparently, once again, humanity underestimated its own propensity to go overboard when money is involved. With the global explosion in Internet-connected people and correspondingly decreasing prices of bandwidth and other network services, spam is now one of the top concerns of most network administrators. For some people, it is a more serious problem than actual security threats such as viruses or theft of information. In 2003, spam passed the half-way point: More than half of all e-mails sent globally are estimated to be spam, and that percentage has since gone even higher. To my mind, it always seems like a dystopian science-fiction future made real.

While spam is a serious problem, it would perhaps be inevitable that in trying to stem the tide of junk mail clogging their networks, administrators would make inappropriate knee-jerk reactions that produced solutions which are, arguably, worse than the original problem.

Most of the controversial solutions to spam are problematic simply because they defeat the purpose of having a computer network in the first place. An early example was "white lists"; essentially, the idea behind this concept was that you would not allow any e-mails into your network unless the sender was on a white list of officially-approved e-mail senders. While this approach may be usable if you only have a distinct set of people who you wish to receive e-mail from, this approach is not usable for most businesses, since a majority of businesses cannot anticipate who their customers will be and cannot possibly compile a list of every person who might e-mail them. The white list method, therefore, is likely to throw away a significant amount of legitimate e-mail. Some people observe that if you really want to block spam this way, you can just as well not have a computer network; that'll keep spam out for sure.

As time wore on and computer people endeavored to "work smarter, not harder", a variety of "intelligent" filters were designed that purported to detect, through what amounted to artificial-intelligence algorithms, what was likely to be a spam e-mail and what was not. Indeed, many e-mail systems now automatically assign a "spam index" to all e-mails, a percentage of probability that the system thinks the message is a spam, based on things like certain keywords, how the words are structured, whether the message has any file attachments, etc. The message can then be automatically thrown away if the spam index is over a certain figure (such as 50%). Although some of these filters are actually surprisingly smart, there have been plenty of lost e-mails which should have been received that got thrown away by such filters. In particular, when people e-mail pictures to each other, this often gets flagged as "spam" since much spam consists mainly (or entirely) of a single picture containing the advertisement. Smart content filters are an interesting solution, but they are certainly not the be-all end-all in spam prevention.

Recently, administrative measures which seem positively draconian have been imposed by some e-mail servers to prevent spam. The Internet is, clearly, not the safe and courteous place it was when it was populated mostly by scientific researchers and government offices, but the latest wave of spam measures have left some people wondering if, just as the United States' "war on terror" has been criticized for eliminating fundamental freedoms and thereby eliminating the purpose of having a society, whether the cure is worse than the disease, leaving no reason to have e-mail service at all.

Indeed, some e-mail "services" do just that: They eliminate actual e-mail service. I have seen e-mail packages which seemed like good deals, but turned out to be receive-only, i.e. you could not send e-mail through them. This was because the company offering the e-mail service did not want to be responsible for a haven of spam-senders. If prompted with the obvious question "How do I send e-mail, then?", their response is to use your ISP's e-mail account. This might be a usable idea were it not for the fact that many ISP connections do not include e-mail accounts at all.

Similarly absurd is the all-too-common practice of wholesale blocking entire IP ranges simply because they are dynamic. One of the reasons it can be difficult to block spammers by their IP address is that their address keeps changing; when you log into your ISP, the ISP typically assigns you an IP address that you then use during the time you're logged in. The next time you log in, you're given a completely different address. Although some ISP accounts have static IP addresses (meaning you actually are assigned that IP address permanently and it should never change), dynamic addresses which are assigned on login are more common. The ISP owns a block of IP addresses which they have bought from the IANA (Internet Assigned Numbers Authority), and is free to assign them to whichever computer they wish. This is done partly to conserve 32-bit IP addresses (which have long been in short supply), and for other reasons as well, but it creates a great opportunity for people who wish to abuse their Internet connection, because they can simply log in with one IP address, abuse their connection however they wish, then log off and re-login with a different IP to do it all over again. Any victim of such shenanigans can only trace the IP address as far back as the ISP; they can identify the ISP where the traffic came from, but not individual users on that ISP, so many e-mail servers respond by completely blocking the ISP. Indeed, some e-mail servers now block all e-mail from dynamic IP addresses, even if they have not yet experienced a spam problem from that ISP. Given that most Internet users have dynamic IP addresses, this has the net effect of effectively shutting all e-mail out of your system, entirely negating any reason to have an e-mail server in the first place. This state of affairs seems ridiculous, yet it is real and considered business-as-usual by too many e-mail providers.

Another absurd policy that has surfaced in recent times is the blocking of "direct-to-MX" e-mails. This is the practice of a user sending an e-mail directly to the destination e-mail server, without using an outgoing e-mail server as an intermediary. As an example, suppose you are sending an e-mail to What ultimately will happen with this e-mail is that it will end up at an e-mail server which is simply called "", which will then check if it knows a user named "john", and if so, notify that user that they have a new e-mail. It might seem like a sensible course of action for you, the e-mail sender, to connect to the e-mail server at, transmit your e-mail message to it, and then close the connection. However, if the e-mail server is blocking direct-to-MX e-mails, your message will be discarded as spam, because you did not use your ISP's outgoing e-mail server to send the message. What good, well-behaved little Internet users are expected to do is to send messages not to their destination, but rather to the outgoing e-mail server which is hopefully provided by their ISP. Your ISP's outgoing e-mail server, in turn, can identify itself as an e-mail server to (and not merely the desktop computer of the person sending the e-mail), which is supposed to satisfy into accepting the message. This might seem like a rather roundabout way of doing things, but it is actually par for the course, for some silly reason; most computer users do not actually send their e-mails directly to their destination, but rather to their Internet provider's e-mail gateway, which then retransmits the message to its destination. Spammers often avoid doing this and send e-mails directly to the target machine, simply because this action does not leave a log of the e-mail being sent through their ISP's mail server, which helps to eliminate some amount of tracking information (although it's usually not difficult to track where the connection that delivered the e-mail message came from anyway). And so, on the basis that some spammers do this, e-mail servers now routinely block e-mails that are not sent to them by other representative e-mail servers. How, exactly, the receiving server detects whether the sender is a server is entirely up in the air; sometimes this is done purely on the basis of brand name, meaning that the receiving server has a list of perhaps a few dozen major Internet providers' e-mail servers, and if the message does not come from any of these places, it gets dumped under the assumption that it was sent directly from a user's desktop computer. This means that if you sign up with a small, local ISP that is not well known, you could find yourself unable to send e-mails to people. And forget about starting up your own e-mail service unless you own a major company. You'd better just sign up with a big-name ISP, send all your e-mails out through them, and hope for the best. Except that big-name ISPs don't allow sending e-mail through them anymore because they don't want to be responsible for what their users send. So users are left with a classic catch-22: Your e-mail won't be accepted unless it comes from a recognized mail sender, but companies that operate such e-mail senders don't want to allow their customers to send e-mail. Truly, spam can be blocked very effectively if you prohibit anyone from sending any e-mail.

And so we find ourselves on a network where people cannot communicate; where messages are blocked because they include a picture, or because they come from someone who does not appear to be a major company. Thank you, administrators, for deciding that you will not allow anything to be transmitted over the Internet. Just as the computer industry was destroyed by people who did not understand computers, the Internet was ruined when it became run by people who did not know what a computer network is for. You can attack the network from the outside, but that wouldn't destroy it; the only way to destroy the network would be to tear it apart from within by people who do not understand the purpose of having the network in the first place. On that count, good job.

Extra bonus misguided e-mail blocking criterion: Most e-mail servers now block encrypted ZIP files. The rationale behind this is that an encrypted ZIP might contain a virus, and since the server cannot perform a virus scan the ZIP (it's encrypted, after all), it will block it as a potential virus threat. The only way to get your e-mail to go through is to leave all your data unencrypted and transfer it as cleartext. Remember the furor over e-mail privacy, and how hard people fought to be able to legally encrypt their e-mail? Well, that fight has now been rendered null and void. Yes, encryption is legal; it just won't go through, because the e-mail server is worried you could be sending a virus, and surely no decent law-abiding person would ever have a reason to encrypt a file. The victory that the Internet gained has been struck down by the very people who run the Internet.

Back to the main page