
An Interview with an Anti-Spam Man

Anti-spam man Chris Fortune is an e-mail administrator, and he doesn't like spammers much. Using open-source software, he blocks them every day, and he should know how to; after all, he used to be a spammer ...

Chris Fortune runs an independent anti-spam filtering service (SpamEater.com). He also provides anti-spam consulting for very reasonable rates. cfortune.kics.bc.ca

SpamEater was a finalist at the 2004 Kootenay Spirit of Innovation Awards, sponsored by the Kootenay Association of Science and Technology, KAST.

This article was featured in Nelzine, Nelson BC's Electronic Newspaper

This article may be reproduced in whole or in part, provided you link back to this page.

Nelzine: So what turned you away from the Dark Side, Luke?

Fortune: I'm sorry I told you I worked for a spammer! (laughs) I only did it for a couple of months to spy on them. I wanted to be able to say: "I know what dirty tricks spammers use to deliver mail, and I know what barriers are effective to stop them". I've been fighting spam for three years now. "The Force is with me". Many of the tricks I learned from them I converted to their opposite, and now use against them! I have a lot of knowledge now, and I'm using it to fight to help save the e-mail system before the spammers destroy it.

Nelzine: "Destroy" e-mail? Is it really that bad?

Fortune: It's worse. Spammers don't seem to care how many e-mails they send; they'll clog the system with one million to make a single sale. It's all in a day's work, but they aren't paying for it, it's the taxpayer who pays the bills. Right now, about 70% of all email is spam, scams, and viruses, but that's not the big problem; the networks can handle the load for now. The bigger problem is the destruction of necessary functions of the SMTP mail protocol. For instance, at one time you could relay mail for other computers if they were busy or down, but now it is suicide to run an open relay because spammers will use it to send spam from your domain. There are also some very useful SMTP commands to verify a user name or obtain the content of a mailing list. This is done with the VRFY and EXPN commands, but once again, it is totally insane for a mail administrator to leave these turned on. I could go on...

Nelzine: Yes, go ahead.... Do you think e-mail is doomed?

Fortune: Well, if I thought that, then I wouldn't spend so much time writing anti-spam software. There is a great, classic essay by William R. James to his daughter called Thanks, Spammers that really outlines the horrible abuse that these idiots have done to the mail system, worth reading if you want to truly understand the problem, how much has been destroyed so far. Email looks like it's already well on its way to doom, but there's hope; it's being fixed from several directions. Virus security holes in the Outlook mail client were a big problem, and the subsequent use of people's home machines as "zombie" machines that spit out viruses and spam to everyone in their address book, but that is getting a lot of attention, and they're doing a pretty good job of fixing those holes, even though they made them out of carelessness in some cases. The Internet Engineering Task Force is working on changes to the e-mail protocol that will allow for tighter security, which is going to provide a path for email to evolve, and will improve the situation quite a bit. Now I'd like to point out an insidious threat that is not being addressed because it is developing so incrementally. What actually threatens to damage e-mail, as a system, is deceptive system alerts.

Nelzine: You mean those messages from the "Mailer Daemon"? Who is that guy anyways?

Fortune: He's a magic dwarf with a taste for destruction. No. It's really an important part of SMTP; it tells you when your message can't reach its intended recipient, like the telephone company's message that says: "this number is no longer available". If spammers make this function unreliable, they break the entire e-mail system because it unravels people's trust in the system itself. Now spammers have been using this fake bounce (a type of "Joe Job") to deliver their spam & viruses: they send out a message from "Mailer-Daemon@yourDomain.com" that looks very authentic, so of course you click on it and, boom! The payload has been delivered. If you are lucky, it wasn't a virus.

Nelzine: What about those Daemon messages that say "Your computer may have a virus"?

Fortune: Thanks for asking. I wish the mail administrators that send those things out would give their heads a shake and realize that they only cause more congestion. Think about it: viruses produce e-mails that have false return addresses... Hello?! The warning is going to the wrong person! This is also true of "fake bounce" anti-spam techniques that attempt to send apparent bounces to spammers. They don't work; they're totally ignored. Spammers post them on their bulletin boards to laugh at; they aren't effective at all. First, they don't do anything to the spammer. Second, they are usually delivered to the wrong person. Third, they clog up the network with more noise. Fourth, they reduce people's confidence in the system.

Nelzine: But you could block the mailer-daemon. Oh, I see, that's the problem...

Fortune: Yes, exactly. The bounce messages aren't supposed to be blocked, so mail admins must be very careful how we treat these messages. The SMTP specs say you MUST allow them! It's like diplomatic immunity, but we have to filter them anyway, and we inevitably deliver a few bad ones and lose a few good ones in the process. If users lose confidence in these system messages or learn to never open them, then it will interfere with message delivery; people won't know if their message was rejected, it will lead to lost messages, and that may push people away from using e-mail at all.

Nelzine: Are you finding people who are saying: "Oh forget it, it's too much trouble". They just want to abandon e-mail completely?

Fortune: Yes, every day I talk with people who are really afraid to check their e-mail! I mean, imagine how you would feel if you checked your phone messages one day and it wiped out your family photo albums, or your credit card got stolen! It's really just like that with viruses. People are getting really angry about their e-mail, and afraid too. They have every right to be, I mean, I ask you, would you accept a creepy porno salesman approaching you at your local library? No, of course not, it's unacceptable behaviour, you would call the cops, but on the Internet there are no cops, just system admins. E-mail is just being totally abused by con-men and sleazy people. A lot of folks find it really distasteful, and would rather revert to fax machines and phones. Instant message software like MSN and Yahoo IM is getting more popular every day. It would be a shame if we lost our public postal system to private companies!

Nelzine: What effect has the new Federal Anti-spam Laws had on spam?

Fortune: We were hoping that the CAN-SPAM Act was going to provide legal recourse, but it makes spamming legal as "free speech", as long as it's labelled as an "Advertisement" and there is an "Unsubscribe" link at the bottom. Well, we all know what happens when you click on that link: they send you another 500 legally sanctioned advertisements (laughs). Where it really helps a lot is that it makes it illegal to falsify identity and to use other people's computers to deliver spam without their consent. This is a good tool for taking down the really big spam gangs who produce the largest number of mails per second. They have deep pockets, and they hire advanced programmers to hack into servers, write zombie viruses, rape relays and all that. These are the real criminals, and it's not hard to prove what they are doing in a court of law, so lawyers will have a lot of cash incentive to go after them for damages. The problem is that they can still do all of these things in other countries where CAN-SPAM can't touch them. Lately there have been some major busts by the FBI, and we've actually seen American spammers get, like, 9 YEARS locked up! I think that's a bit extreme, but the message is definitely going out.

Nelzine: Is that the sort of work you used to do when you worked for those spammers?

Fortune: Oh no! I would never crack systems; it's challenging but just bad karma! I could end up in jail doing that. I did mail delivery: I was in charge of keeping the mail servers humming, handling return values to clean the mailing lists, things like that. I also worked on strategy, how to deliver the goods to the victim's inbox. It was very instructive to get inside the spammer's head, to think of the chess game from the other side. After a while it started to feel like ... uh, gross.

Nelzine: What do you think is the future of spam?

Fortune: It's a lot like the future of cockroaches. (laughs) There are a few new developments that will ensure their place in the food chain for a long time to come. The big bosses are now selling CDs of spam-ware for $50, and silly people (suckers, I should say) buy them. They have the intention to "Make Money from Home While You Sleep", but it's just another con job. Still, the fools produce spam by the billions. This is like a few big cockroaches giving birth to a thousand little ones. Mobile phones and Instant Messaging are a rich new area for exploitation, which is like cockroaches moving into a new apartment building. What else? The most advanced spammers are now increasing spam's mutation rate, using automation to produce new variants of spam that content filters cannot recognize. This is like cockroaches who have built up a resistance to pesticides. I think that because of the development of such a variety of anti-spam products, you're going to see much more usage of cracking techniques. The spammers aren't going to give up; they're just going to move more and more into the realm of illegal resource theft.

Nelzine: What do you think is the future of anti-spam?

Fortune: Similar to roach killers, I guess; constant work unless the spam becomes extinct... or SMTP becomes extinct. Basically, email has to evolve or die. The SMTP protocol is missing one key item that would fix this whole mess: user authentication for senders. Right now anybody can instantly send you an e-mail, and that's a bit of a problem. Challenge/Response techniques actually do succeed in fixing the e-mail system because they force the sender to pay a small fee of his personal attention in order to deliver his mail. This works really well to defeat spammers, who simply can't afford to manually deliver a million e-mails. Unfortunately, this technique has met with resistance. C/R really works well, especially in Europe and Latin America, where folks are raised to be more courteous and don't mind the extra greeting step. The weird thing is that American people are OK with C/R in Instant Messaging, but they hate it in email! I guess it's all what you're used to.

Filters will continue to evolve, and we should look especially to statistical filters because they seek patterns dynamically, so they adapt quickly to new spammer techniques. I lean heavily on open-source software because it can be developed so rapidly.

If somebody can figure out how to identify the sender accurately, then that will end the spam wars right there. BUT ... the sender must be identified without breaking his privacy! Not an easy job, but very interesting. DNS identity lookups like SPF look promising; now we have to see if the mail administrators of the world will wake up and start co-operating with each other. Every big mail company wants to have its own standard. Microsoft has SenderID, Yahoo has DomainKeys, and AOL has SPF. It's a battle for supremacy, but nobody wins unless we can all agree on a single standard, a free, open standard. SPF is free and open, and has the backing of the IETF. Microsoft vowed to support it too.

Nelzine: Do you think the e-mail system can be fixed by replacing it entirely?

Fortune: Of course, that's not a bad idea, if you could somehow gather the political energy to get everybody to switch all at once ... and use the same protocol! It needs to be emphasized that private corporations should not control it. For example, Microsoft wants to replace e-mail with its own Metered Messaging postage stamp service. Do you want Microsoft to be the Post Office? I know I don't, so the floor is still open for "E-MAIL Version 2". There have been various attempts already, like AMTP, which uses a DNS reverse lookup scheme + secure authentication servers. I think it's moving in the right direction because it keeps everything publicly owned and distributed. There are also already existing secure cryptographic email protocols. S/MIME is a good example: you can be absolutely sure of who the sender is. Unfortunately, it is encumbered by patents, and everyone is required to purchase a Secure Certificate from RSA Inc. The certificate company does a check on you to verify your identity. A publicly owned secure MIME protocol would be a better choice, like OpenPGP for instance, and I would encourage its use because it relies on a distributed network of keyservers, so there is no single point of ownership. It will take a while for crypto solutions to get rolling, though, especially since Microsoft is pushing an SPF solution that has a patented crypto component tagged onto it. The best solution I've seen so far comes from the "classic" SPF people, Meng Weng Wong and pobox.com, who are pushing forward a suite of publicly owned technologies. They want to actually alter the SMTP protocol, but their plan is better than a wholesale replacement because it can be phased in gradually, and there are benefits at each stage.

Nelzine: Is that the solution? Is that how we end spam?

Fortune: Well, there's no one right way to do it; in fact there's a lot of advantage to having a wide variety of filters, because spammers can't get around all of them. Whatever the anti-spam technique, the manufacturers of SMTP software have to agree on a new security layer and insert it right at the SMTP transaction point, the MTA (Mail Transfer Agent). SMTP manufacturers should include better support for easily including filters at SMTP time, within the MTA, so mail can be rejected as early as possible in the email transaction. Those same guys need to allow for filtering on outgoing mail too, and rate limiting capabilities, made easy to configure.

As for specific techniques, I think the big solution that hasn't been deployed yet is rate limiting, that is, we need to keep track of how many mails per minute are coming from a single source, and erect barriers to the greediest users. Ideally this would happen at the source, the data centers where the email is originating from, but a distributed scheme in recipient servers is also good, because you can block the mail at very first contact, before it's sent. Greylisting is an important technique that could be used in this regard. The way it works is to make the greediest senders wait longer than everyone else, tying up their resources. It would be most effective if it were built into a lot of recipient MTAs. I think DCC's distributed server-server architecture is really on the right track here, and also their incredibly efficient data sharing mechanism (it's a binary data string right inside the http ACK packet. Cool!). Realtime Black Lists (RBLs) will continue to evolve and become more intelligent, so that the world's networks can know within minutes the biggest sources of spam. Also, if the most popular SMTP programs shipped with SPF already installed, then the recipient could ask it "did this e-mail really come from you?", and there could be a decisive yes or no. So the SMTP software manufacturers should install checksum and distributed checksum capabilities, greylisting, and SPF by default. Once a mail admin knows with high confidence which IP addresses are sending the spam, he can slow them down or block them.

Nelzine: Will this totally block spam? Will it really end it once and for all?

Fortune: Well, no. Not as long as the sender doesn't have to pay anything. People will always figure out ways to bypass the barriers to advertisement. The crap will be sent, then there will be a rapid worldwide decision to block them... or not. My personal goal, my ideal, is to stop the abusive wholesale broadcasting, but still allow people to broadcast messages to groups that they will have meaning for. What we have here with e-mail is a free communication technology, but it can't be used like Andy Warhol said, that "in the future everybody will have 15 minutes of fame", so he's asking you "what would you say?". If you knew you had the world's attention for a few minutes, what would you say? I think people should be allowed those few minutes, that they shouldn't be locked out of using e-mail to push forward a public statement that's important. What's important? It should be up to the users to decide, but... 10 million Viagra emails?? No, no, no, not right. That's not making a statement, that's just abusing the system to sell some drugs. You have to choose who your audience is, then send them the right message. If a sender is too stupid, greedy or abusive to provide a well thought out statement to a select group of recipients, then he should be kicked off the grid.

Nelzine: Didn't you just say people will find ways around the barriers? If that's the case, then email will always be an advertising venue.

Fortune: Yes, maybe e-mail will have to evolve and become very stringent, and rate limit every sender. It's easy to make the case that "email is a personal messaging medium, and that's it": no broadcasting at all, no public messages, only private messages. If it comes to that, then why not just shift over to Instant Messaging and leave SMTP behind? Use SMTP for mailing lists and IM for personal chats. Actually, if they build email-like deferred messaging into IM, then it could replace SMTP, because it has user authentication built into it already. Challenge/Response would do the same thing for email, but for some reason nobody likes it, so IM is the next available thing; it could just replace email while nobody is noticing. You can be sure Microsoft has taken notice, but do you really want them in charge of worldwide messaging? I know I don't. Now we're back to an advertising problem, except this time it's all from one Corporation! We really need to patch up the email system, and quick.

Nelzine: What final words do you have for the readers?

Fortune: I would say to any spammers reading this: "Get over your denial, what you are selling is not superior to anybody else's, you're wrecking the system by sending TOO MANY E-MAILS!". To programmers and system admins I would say: "Get over your denial, put spam blocking in place, rate limit your outgoing email, and start sharing information with other admins. Use collaborative filters, use SPF." To lawyers I would say: "Sue the biggest spammers! Get their money!" To The Rulership I would say: "Decide on publicly owned user-authentication standards and pass PUBLIC patents and laws to mandate them." To everybody else I would say: "For heaven's sake, don't buy anything from a spam e-mail. Use a spam blocker program, or make sure your ISP does, and insist on collaborative filters so that information can be shared". If we all do our little bit we can save the mail system.


Tuesday, 20-Feb-2007 17:15:47 EST