The Inquirer-Home

Email is dead

Caputski, finished, terminated, EOLed
Tue Jul 15 2003, 10:25
"It's the end of world as we knew it" REM

EMAIL IS BROKE, and if we continue to use the current protocols that manage it, we'll simply get to the point where we won't want to use it. That's a shame.

After differing false starts (largely because the world hadn't been networked together), email is arguably the application that drives inter-business and individual communications today. From pizza parlours to cell phones, connectivity is still driven around personal communications as the killer app. And whether it's web-based, POP or IMAP, the underlying protocols are as open as a book and subject to lots of spamming skullduggery.

Sure, you can fight back, but no one has time. Sam Spade has a great app to find spammers and kill their accounts. It might even work if it weren't for the fact that most mail service providers don't look at their spam complaints until the damage is far past done.

I surveyed the accounts of ten 419 spammers (I'm guessing the same guy) last week, most of them located at I sent not one, but ten complaints. As of today, the complaints haven't been addressed save for the cursory do-not-reply acknowledgement sent by most mail providers. Despite the fact that most people are on to what 419 spam is (the famous Nigerian Letter and variants), there are people like my dear sweet doddering mother who's occasionally unlikely to even remember what day it is, let alone details about 419. As PT Barnum said, "there's a sucker born every minute".

And so, three years from now, two classes of email will likely emerge: authenticated email, and wild-and-woolly unauthenticated email—the type we use today.

ICANN won't have the guts to allow domains to be removed from DNS when they don't respond to abuse complaints. International law, let alone that of organized areas, can't address the problem. During the composition of this tome, I received mail coming from China and Myanmar — both hotbeds of jurisprudence. Not.

Should we shut down domains? Consider AOL. Some poor sap surfs with the newly incumbent AOL Internet Explorer to a site that gives him a bad case of remote-control leechware. The fool hasn't a clue to install or even use something like Norton's NIS2003, or Kolla's Spybot, or AdAware, and so on. So he gets a big case of remote control. He goes to sleep after surfing, leaving his machine on. A spammer wakes his hijacked machine, sends a few hundred Viagra commercials, and shuts off. He doesn't even know how he's enlarging the world's penises.

The next day, some agency gets a complaint about AOL-originated spam. AOL does have controls and monitors spam output from members, but they have thresholds that trigger problem status, and it's somewhat easy to get under the threshold if you're smart. Spammers are smart. So, does the complaint agency shut down AOL by removing their DNS listing? Can't you hear several law firms going cha-ching and having visions of vacations around the world?

So using DNS or another domain blocking capability like the RBL (Real-Time Blackhole List) can only be marginally useful. Can we block the domains where spammers' web pages are? Imagine the madness in trying to do that. Think of more attorneys getting frequent flyer miles.

The answer, the only answer, is authentication and therefore partial loss of one of the things that gives great liberty to the Internet: anonymity. Even the authentication system has to be agreed upon to be useful. Once upon a time, there was PGP, and while good, PGP (Pretty Good Privacy) became a political football after Network Associates bought the intellectual property behind it. It's not that authentication protocols don't exist, it's just that the baggage that they bring thwarts them.

RSA has methods that can work and additionally encrypt email. Currently, it's believed that most all encryption can be cracked, otherwise the US NSA wouldn't allow it to be exported. That said, I'm also of the belief that encryption in SMTP or POP will trip lots of spookware across the planet. Perhaps they'll find those Africans that were trying to sell uranium to the Iraqis. Note that the aforementioned sentence is all that is necessary to appear on someone's list in the computer quarries of McLean, Virginia.

Can we authenticate? Do we want to? One of the mavericks of ICANN, the rogue popularly-elected director Karl Auerbach, used to send an authenticating message in reply to every message sent to him to verify the sender. Only the replies got through—if the message was sent from the same sender. Sounds nice, and Karl made sure that his mailbox wasn't very cluttered. But it took several messages to get through to him. That's another reason why the hard disk business will never sink.

Spam filtration, another burgeoning business, has a sullied reputation for the number of false positives that it gives. If I send this column to Mike Magee and use the word Viagra or p e n i s or mortgage, and if he's using a filter (and I doubt it), I'm likely to be wasting my time. I don't know if the phrase "sports book" has been exempted or not.

This begs the question, do I want to be authenticated? Well, now that I'm getting married, perhaps so. I'd sure love to have back the 100 or so real messages that I received daily, instead of the 500 or so spams as bad icing. My greatest fear is that Microsoft will drive the answer, and we'll be patching it forever. µ

Tom Henderson is managing director of ExtremeLabs, Inc., in Indianapolis

