The Fight Against Spam

Ariana Eunjung Cha
Washington Post Staff Writer
Thursday, July 7, 2005; 11:00 AM

Like the Internet itself, e-mail is an innovation born out of idealism that has found itself stymied by abuse. Junk messages, or "spam," has grown from 50 percent of all worldwide e-mail in July 2003 to about 69 percent today. The industry's failure to adopt a solution that all agree is necessary is a lesson in the complicated nature of who controls the online world. Post staff writer Ariana Eunjung Cha (read her story here) was online Thursday, July 7 to discuss why -- if everyone agrees that the problem has to be fixed -- none of the critical players seems to be able to agree on how.


Washington, D.C.: Fascinating behind-the-scenes look at the e-mail battle, but I think the story went too easy on Microsoft. The company is evil and the justice department says so.

Ariana Eunjung Cha: Good morning everyone and welcome.

Aha! I expected a few of these question-opinions about Microsoft. Other companies certainly have reason to be suspicious of Microsoft, but so far Microsoft seems to be living up to its promises when it comes to its efforts to fight spam. Bill Gates has personally stated his commitment to the cause. Even Microsoft's arch enemy, locally based America Online, in recent months has come around to supporting Microsoft's efforts on spam.


Washington, D.C.: Are the major ISPs cooperating at all on the spam problem?

Ariana Eunjung Cha: Yes. Many of these companies have taken a leadership role in the fight against spam. Yahoo, Earthlink, Microsoft and AOL have been holding "secret" (closed) meetings for several years about the problem and as early as 2003 they agreed that the only way to stop or reduce spam is if the big companies work together.

Cooperation seems to have increased recently. In addition to Meng Wong and Microsoft's efforts to merge their systems, to create one standard so that there's less work and confusion for administrators of e-mail systems, Yahoo and Cisco have also announced they will merge their technology.


Washington, DC: Has Microsoft's Hotmail changed it's spam policy recently? Many times I receive mail that is spam, but other messages that were sent directly to me from a valid source get blocked, or never arrive.

Ariana Eunjung Cha: Microsoft tells me that has been aggressively experimenting with better spam filtering systems since the end of last year. That's when they started using the SenderID authentication system on the backend to help them make a better guess about which e-mails are spam and which are legitimate. According to their "honeypot" accounts, which are fake accounts set up simply to capture spam, this has dramatically reduced the amount of spam going into people's Hotmail accounts. It is possible this system has also mistakenly captured some messages from valid sources. It's a work in progress.

For more detailed information about Microsoft and e-mail you might want to check out this very helpful Web site.


Kingstowne, VA: I frequently respond to spam e-mails by simply writing UNSUBSCRIBE in the subject line and hitting the reply button. Yet they often bounce back saying "unknown user." How can they be an unknown user if they just spammed me?

Ariana Eunjung Cha: A great question. The way the e-mail system was built makes it very easy to "spoof" one's email address. On many e-mail programs you can just type in a fake address in on the sender or from line and they will not check it against any database. So when you hit reply, you are trying to reply to a fake address. That's why it bounces back.


Alexandria, VA: I use MSN and haven't seen anything that led me to believe they were checking the authentication of the address. Are they planning on using it themselves?

Ariana Eunjung Cha: Yes, they already are. But it's really only been a few weeks since they made their use of authentication visible to the user so that's why you may not notice any changes yet. Look carefully at the e-mail headers. You may see that certain e-mails contain a highlighted line that says, "The sender of this message could not be verified by SenderID." It's very subtle.


Ijamsville, MD: You know, not all unsolicited mail is spam. Just the other day I got an e-mail from a Nigerian billionaire who promised me several million dollars for no apparent reason.

Ariana Eunjung Cha: Wow, what a coincidence. He promised me the same thing!


Washington, D.C.: I've heard the Wong/Microsoft technology won't get rid of all spam, that there are problems with it.

Ariana Eunjung Cha: I don't think anyone believes that SenderID will solve the spam problem completely. Even Meng Wong and Microsoft say it's a good first step to fighting spam. The advantage of their program is that it's extremely easy for e-mail administrators to implement. You see, at this point no one's been able to come up with a solution that wouldn't involve some sort of modification to ALL the e-mail servers at all the companies, government agencies, etc. that send e-mail on the Internet. So ease of implementation is important.

One of the main disadvantages of SenderID is that things get complicated if e-mails are forwarded. One scenario that might confuse the system: If you keep a college alumni account, for instance, and Amazon sends you a receipt there and then it's forwarded to your Yahoo account. Yahoo would check to see if the college alumni account is valid but if that college does not use SenderID (even though Amazon does) it might not be authenticated.

Yahoo and Cisco have come up with a cryptographic solution that solves this issue but it's not as easy to implement.

So that's a long way of saying that I don't think the spam problem is going completely away anytime soon -- if ever.


OAK HILL, VA: Just charge a penny an e-mail -- that will stop most of it.

Ariana Eunjung Cha: Sounds like a great idea -- theoretically speaking. But you'd have a rebellion on your hands from legitimate e-mail users. Once you give something away for free it's hard to start charging for it, even if it's only a penny.


Baltimore MD: With nearly 70% of all e-mail being spam, is it not possible that these abusers will eventually shut down the Internet entirely due to overload? Many industries, hospitals and emergency information services are dependent on the Internet. Why is it not possible to imprison these "terrorists" who thrive on creating chaos in civilized societies?

Ariana Eunjung Cha: Definitely, that's the nightmare situation. I hear reports practically every day about spam clogging up certain companies/accounts on a smaller scale. A few weeks ago, I got tens of thousands of copies of an e-mail (I guess it's debatable whether it's actually spam or not; it was a press release) and it crashed my e-mail system. If this happens at the same time to tens of thousands of hundreds of thousands of people, it is possible it could slow the Internet down.

Some states have anti-spam laws and some people have been sent to prison for sending out too much spam. It's not easy to catch many spammers because they either operate out of the country or they route their spam through computers that are out of the country so it's hard to gather evidence for use in a case against them.


New York NY: It seems to me that spammers are, in fact, protected by whomever should regulate this behavior. Why not just forward spam to an authority who is charged with pursuing and shutting down spam abuse? I'd even support paying a tax, in my cable payments, to allow this service (I might even be very happy to do this work!).

Ariana Eunjung Cha: That's the billion dollar question -- who should be responsible. The FTC? The FBIT? The Internet service providers?

For now, many security experts say they forward one type of spam (phishing e-mails which try to steal people's financial or other personal information) to the Anti-Phishing Working Group, a volunteer organization. It is dedicated to building a repository of these e-mails to educate people and prevent people from being scammed by these solicitations in the future.


Burke, Va.: "So when you hit reply, you are trying to reply to a fake address. That's why it bounces back."

More importantly, replying to spam is almost always a very bad idea:

(1) Even if it doesn't bounce, it's probably forged, so in many cases your "unsubscribe" e-mail is going to some innocent third-party who had nothing to do with the spam

(2) Even if the reply actually does go back to the spammer, all you've done is tell the spammer they've hit a valid address, and you'll actually get much more spam than if you hadn't replied at all.

Very few spammers are going to take the trouble to remove you from their lists -- if they were that considerate, they wouldn't be spamming you in the first place.

Ariana Eunjung Cha: Absolutely -- well said.


Washington, DC: Augh! Kingstowne, never, never, never, NEVER reply to spam. NEVER. If the e-mail address that you reply to does happen to be valid, you've just told them that your e-mail address is valid as well, and you'll get even more spam. You will never be removed from a spammer's list by asking, because spammers are soulless, worthless, morally bankrupt scum who will do anything to make a buck off of you.

Ariana Eunjung Cha: More good advice...


Potomac, Maryland: I'm just an "ordinary" computer user -- not in IT security, government. Can I contact the Internet Storm Center?

Ariana Eunjung Cha: Yes -- If you believe you've encountered a new/interesting/major problem on the Internet, I'm sure they'd love to hear about it. But you should think about the storm center like you would think about calling 911. They are not there to troubleshoot your personal computer problems or walk you through installing software or anything like that.

Best way to reach them is via their e-mail form on their site. Before you contact them about an issue, you might want to check out their "diary" a daily log of problems on the Internet.


Cap Hill, DC: Thank you for taking questions. I don't understand how we are able to track down terorrists bank accounts online, locate hackers, crack child porn rings etc., but we can't figure out who is sending thousands of fake Citibank, Ebay or other company e-mails that ask me to "confirm my account information" or "re-enter my password." These phishing scams are as blatant as ever. Are they really impossible to trace to the source?

Ariana Eunjung Cha: The Internet is not as anonymous as many people might think. There are many ways of tracing where an e-mail was sent from. Computers on the Internet are linked to numerical addresses called IP addresses which can be used to pinpoint what cable provider, corporate network, etc. was used to send the e-mail. The big challenge is that many spammers cleverly route their spam through computers that are abroad so it's more challenging for U.S. law enforcement to get access to their logs.


Ariana Eunjung Cha: Thanks for all the great questions! Let's do this again soon.

Please feel free to contact me directly if you have any questions/comments.




Editor's Note: moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions.

© 2005 The Washington Post Company