UN Spam Paper

From Computer Tyme Support Wiki

Revision as of 23:07, 1 August 2006 by Marc (Talk | contribs)
Jump to: navigation, search

Contents

The Problem with Spam on the Internet

As Secretary General Kofi Annan said, “In its short life, the Internet has become an agent of dramatic, even revolutionary change and maybe one of today's greatest instruments of progress. It is a marvelous tool to promote and defend freedom and to give access to information and knowledge. WSIS saw the beginning of a dialogue between two different cultures: the non-governmental Internet community, with its traditions of informal, bottom-up decision-making; and the more formal, structured world of governments and intergovernmental organizations. It is my hope that the IGF will deepen this dialogue and contribute to a better understanding of how we can make full use of the potential the Internet has to offer for all people in the world.”

One of the main components of this revolutionary change is email, giving people of the world free and instant communication. However, junk email is now a serious threat to the newly found communication and threatens to undermine some of the benefits of the Internet. This junk email known as “Spam” is not over 90% of all email traffic. Spam clogs the delivery of legitimate email filling email boxes and saturating communication lines so the legitimate communication is blocked. It is also a means for which people are defrauded and has a significant toll on society. The problem has risen to a level requiring that the United Nations be aware of the issue and to take steps to address the problem.

What is Spam?

Generally spam is unsolicited email where the sender has no relationship with the recipient. Generally the purpose of spam is to market products or to defraud people out of their money. Much of the volume of spam email is associated with criminal activity such as the stealing of personal identity information leading to illegal credit card transactions, stealing of money through bank accounts, impersonating financial institutions, selling of illegal merchandise, to affect stock prices in “pump and dump” scams, illegal online gambling, and other forms of crime. Because the Internet is international it has attracted a criminal element in an environment here laws can not be enforced and criminals can reach all over the world to commit crimes.

Some spam is commercial in nature where the sender is actually selling a legitimate product but is broadcasting their advertising to email lists that were bought from vendors who spider Internet web sites harvesting email addresses from random people. Because the Internet is almost free these commercial vendors can send billions of commercial messages that land in the inbox of millions of people who have no interest at all in the product that is being advertised.

There is also to a much smaller extent political spam which is also free speech. Although most spam is clearly spam there is some spam which is border line and can not be readily classified. Sometimes companies who have a relationship with a customer send those customers email advertising related products from other vendors. The email might be unsolicited or unwanted, it is not the same as if there were absolutely no relationship at all.

Another example might include peace groups who are advocating to the end of a war or occupation but are using email lists that are not targeted and the sender has no relationship to the recipient. There are people who regularly send mass mailing to the press in order to voice their opinions about issues that they consider important. Even though these are also unsolicited emails they can not be as easily classified as spam and it is important to not harm free speech in any way while trying to eradicate junk email. One must not sacrifice our liberties in favor of law enforcement. So for the purpose of this discussion, Spam is those messages of a purely commercial nature where there is no prior relationship or messages whose purpose is illegal.

The Cost of Spam

The cost of spam to society is tremendous from a lot of perspectives. Some costs are obvious, some are not. In the case of illegal activity the costs are obvious. People are tricked into giving up their personal information allowing criminals to steal their money online. I could name dozens of obvious things but I won’t. We all understand fraud.

The less obvious costs have to do with email technology. The costs of storing spam, the costs of transmitting spam, how spam block legitimate email by filling up user’s mailboxes to quota causing email they want to get to bounce. And the time it takes for the users to download spam, identify it, and delete it.

Because of spam all incoming email has to be spam filtered. This spam filtering is done automatically by spam filtering software and by hand where the email account owner has to manually determine what messages are spam and what messages are not. With the Internet email being 90% spam 9 out of 10 messages have to be deleted. This email takes a lot of resources to deal with. These resources vary depending on if the end user is in a developed country or an undeveloped country. Costs include:

  • Time – if a user has no spam filtering they have to spend the time and effort to hand delete 9 out of 10 emails received. This could involve hundreds of messages a day taking a significant amount of time out of the recipients daily life that could be spend doing other things like productive work or family life.
  • Bandwidth – With 90% of email being spam it take 10 times as much bandwidth to transfer email data, or in countries where bandwidth is limited, it takes 10 times as long to download email with spam than if there were no spam.
  • Storage – as spam is delivered into the user’s inbox that inbox fills up. Once the inbox is full then no more email can be added and the recipient is cut off from all new messages whether it be spam or good email. If the email provider allocates enough space to receive all this email then the vendor has to purchase disk drives big enough to hold 10 tomes as much data as would normally be needed. This drives up the costs of providing email and makes it less available to those who can’t pay for it.
  • Spam Filtering Costs – In order to reduce the spam problem all vendors who own the email servers now provide some kind of spam filtering software to reduce the problem. Spam filtering identifies some spam and it blocks some of it reducing the problem somewhat. In some causes it just tags messages as spam and passes them on or diverts suspected spam to a separate folder. Spam Filtering has many problems but is a necessary evil in the fight against unwanted email.
    Spam filtering has an error rate and it often mistakenly blocks email that should go through. This misidentified email is referred to as a false positive. It is always a struggle for email providers to avoid false positives while providing effective and meaningful spam protection. If the filter is too aggressive it bocks good email. If the filter isn’t aggressive enough it allows to much junk email to get through which requires manual spam filtering. Even the systems that divert suspected spam to other folders are flawed in that although good email is stored there, the recipient never has the time or energy to sort through all that junk to find it. And a stored good message that is never found is no better than a deleted message.
    Spam filtering costs money. It takes far more powerful servers to process email to find spam than it does to deliver email. A message that is filtered will take over 1000 times the processing power than unfiltered email. Email vendors have to bear the costs of this processing and it adds to the overall costs of email delivery. When costs are increased it burdens society and often excludes those in developing countries who can not afford to cover these increased costs.
  • Free Speech – Spam often blocks free speech and free communication because spam crowds out good email. Spam is like weeds in a garden sucking up the resources and killing the crops through competition. Good email is blocked by spam filters, by email box quotas, by slow connections to the Internet which prevent email from being downloaded, and from lack of time a fatigue. Some people just don’t have the time so sort through thousands of junk email messages to find the good ones and even with manual filtering they delete a lot of good email.

Where Spam Comes From

Most spam comes from virus infected computers that have been exploited and turned into “spam zombies”. The computer owner is usually unaware that their computer is under the control of criminals who control millions of exploited computers. These computers are exploited through computer viruses or worms or through software installed from web sites that trick people into installing software that contains code giving criminals remote control of the computer.

Another source of spam are web sites that are exploited through software holes in popular applications or people who’s passwords are hacked and the intruder gains access to servers and set up scripts to send spam. As hard as server owners try it is nearly impossible to keep ahead of criminal who are constantly trying to hack into and exploit servers. Many larger systems have to fend off attacks at a rate of several per minute.

Even if vendors succeed in fending off attackers from exploiting their servers the vendor has to spend a lot of time and resources to do so. This investment of time and resources takes effort and costs money adding to the total cost of providing services to the people of the planet. Every time you increase costs some people are excluded from the process.

Other spammers operate their own servers specifically to transmit spam. Many hosting companies who provide bandwidth services will shut down customers who send spam, but many vendors will provide bandwidth to anyone who is willing to pay for it regardless of the consequences to the public.

Fixing the Problem

Fixing the problem is not something that’s going to be easy. But there is a lot of things that can be done that can reduce the problem significantly. In reality that spam problem is really many problems that need to be addressed individually solving as many problems as possible in order to reduce the problem. This is a problem that is ever changing with technology and just like any kind of crime it’s a process to fight it. Spam will never be beaten, just reduced.

Te problem is that the Internet was created in innocent times before anyone had any idea how big it was going to grow and how popular it would be. In that time standards have been set and it would be difficult if not impossible to change those standards to something else that is more secure, yet provides the freedom and privacy needed to protect the people of the world from being exploited from oppressive governments who would tap into email as a way of oppressing the citizens of all countries. In spite of this there are changes that could be made that will preserve or increase civil liberties while preserving compatibility with existing standards and providing an evolutionary path to a better system.

Some of the solutions involve closing loopholes that spammers use to exploit other people’s computers turning them into spam zombies. Other solutions involve changing standards so that it is more difficult to impersonate other people. There will also be a need for international laws to be enforced so that people in one nation aren’t exploiting people in other nations. The Internet is an international community so we need international solutions to deal with the problem.

Stopping Spam at the Source

The biggest sources of spam are virus infected Windows zombies. Microsoft has taken some steps to reduce the problem but not nearly enough steps. The problem is in part that Windows is often pirated and the pirated versions which are more exploitable are cut off from the upgrades needed to keep them from being turned into spam zombies.

Microsoft takes the position that it has no obligation to provide services to people who steal their product, and on that point they are correct. However, pirated copies of Windows have become a toxic waste product of Microsoft’s business model and the rest of the world is not obligated to suffer extreme economic loss and loss of freedom to communicate so that Microsoft can enrich themselves. Just like a factory can’t dump chemicals into the river and has to take responsibility for what comes from their smoke stacks, Microsoft has to take steps to prevent damage generated as a result of marketing their flawed operating system. They don’t have an obligation to support those who steal their product. But they do have an obligation to prevent their product from being exploited in a way that affects innocent third parties. Microsoft should be required to make fixes available so that their product can’t be exploited to become a hazard to the Internet.

If Microsoft and other operating system vendors were required to make their security patches available to the public then they would reduce the amount of “toxic waste” generated as a byproduct of their marketing model. Nations should require Microsoft to make security patches generally available in order to be able to sell windows in their country. This would be the biggest and easiest single step that could be passed to reduce not only the spam problem, but other security problems like denial of service attacks and fraud. This should be implemented immediately.

ISP Protection – In more innocent times any computer that connected to the Internet was a peer with every other computer on the net. That was a time when there were less people trying to exploit each other and most of the people in the web were sophisticated users. Times are different and end users need protections from those who would exploit them.

One of the things that can be done is that information and technology can be made available to ISPs so that they can provide firewall services to end users allowing them to surf the web while preventing the web from surfing them. However – some people want to provide web services so the end user should be able to open up services allowing them to determine what incoming traffic they will accept. End users need protection – but the also need freedom. The UN can help ISPs get the technology they need to provide both and set standards for best practices.

Additions to standard email protocols – As stated before the email SMTP protocol was created in simpler times. One of the problems is that it is far too easy for any one person to impersonate any other person on the planet. One of the things that will reduce spam and fraud on the Internet is to make it more difficult for one person to impersonate someone what they aren’t. But to do this we need to change that way email is distributed and do it in a way that is a natural evolution of the current system.

In the beginning the Internet was a Unix network where every computer has its own SMTP server. One person would create an email that was submitted to the local SMTP server, the local server contacted the destination SMTP server and that server would deliver the message into the local email box. That method still works today but few people get their email that way.

Today we have more of a consumer model where consumers run email clients and leave the SMTP servers to their Internet Service Providers (ISPs) The user creates an email message that is sent to their local ISP who has an SMTP server. That server accepts the email and then transfers the email by SMTP to the server that stores the incoming email for that user. Then the recipient connects to their server by POP/IMAP protocols to download their email.

The problem is that anyone can impersonate any other person by setting their address to be anyone else on the planet. SMTP provides no checking to determine if the sender is the same person as they say they are. And the end user is using the same protocols to talk to servers that servers use to talk to each other so servers can’t tell if they are talking to legitimate servers or end users. I suggest a modification in the IMAP/POP protocols that allow for a two way transfer of email rather than requiring incoming email to be downloaded with IMAP/POP and outgoing to be SMTP.

If IMAP and POP were enhanced to allow outgoing email to be transferred back up the same connection as incoming email it would have several advantages.

1) it would eliminate the need to configure outgoing SMTP. That makes it easier for the consumer. It would also eliminate the need for authenticated SMTP because IMAP/POP are already authenticated protocols.

2) The server would accept outgoing email and label the from field to be the same as the email account preventing the user from pretending to be an email address other than the one the user authenticated as. It would then deliver the message to the local SMTP server which would then send it to the destination server.

3) This method allows the system to assert that the sender’s email address was sent from a person who had the ability to log in and read the email. Thus if you get an email from bill.gates@microsoft.com then you know that the person sending the email had the username and password to receive email on that account.

4) It would eliminate virus infected spam zombies from pretending to be SMTP servers because they would no longer be the official source of messages for domains that they pretend to be. It will be easier to create rules that keep servers from impersonating other servers when clients and servers use different protocols.


Standardized Complaint System -

Personal tools