[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Friday, 21 July 2006, 12:32 GMT 13:32 UK
How to solve the problem of spam
Regular columnist Bill Thompson explains what it is like to fall victim to a "joe job" in which spammers abuse someone's good name and then leave them to clear up the mess.

Spam in e-mail inbox, BBC
Bill's inbox has been filling up with bounced spam e-mail
About two weeks ago I started getting a lot of bounced e-mails.

Most of them were notifications that my e-mail could not be delivered because the recipient didn't exist. Others were from spam filters to tell me I'd sent messages they were unwilling to accept.

It seems I've been pushing dodgy stocks, offering prescription drugs and even sending viruses to unwitting users. Except I haven't.

Most of the messages that arrived, at the rate of several hundred an hour, were originally sent by people called such things as hmvmshmcb@andfinally.com. Although that's my domain, it isn't one of the few e-mail addresses I use.

Close examination of the headers reveals that they didn't come from the andfinally.com domain or any of the servers run by my network provider.

I had nothing to do with these messages or any of the thousands that got through to unwitting recipients instead of being bounced.

Fake message

Spammers have picked my domain to use as the fake "from" and "return-to" field in the headers of the messages they send, hoping to fool a few filters into letting them through.

The way e-mail works and its lack of built-in authentication makes this easy. As a result I have to cope with thousands of these messages, and I face the danger that my domain, on which I depend, will be blacklisted and my real e-mails will stop getting through.

It's a complete mess, and it's getting on my nerves.

I have a few options and I'm going to have to waste my time persuading my network provider to get using one or more of the cobbled-together authentication systems like Sender-ID or Sender Policy Framework.

Then recipients can choose to check whether I really did send all those messages.

It won't fix the real problem, of course. It won't stop people forging e-mails that seem to come from me or injecting them into the network. And it won't heal the damage being done to my reputation.

Bill Thompson
It would be much better to have an e-mail architecture that actually made forged headers an exceptional technical achievement instead of something that any two-bit spammer can do in seconds

Despite the many problems, and even despite my own current experiences and unhappiness, e-mail isn't doomed. It fills an important space in the "information ecosystem", since messages are persistent and asynchronous, unlike instant messaging, and the recipient is notified of their arrival in a simple and usually convenient way.

Reputation server

Of course we need to sort out the big issues which make spam and forged headers possible. We need to think about how trusted computers and modern network standards can be used to authenticate messages and their senders.

It might involve reviewing how core e-mail protocols, like the Simple Message Transport Protocol, works instead of relying on add-ons like Sender-ID.

For example, at the moment messages and headers travel together. So when I send a note to my friend Simon about a cool gadget - or when he points one out to me - a copy is made and transmitted over the net.

That copy sits on his server until he downloads it and the one he sees is a local copy and not the one sitting on my server.

But in an always-on world surely there's no real need to send those bits over the network until they are actually needed? Millions of people happily use GMail and Hotmail and only access their messages when they can get online. Why not extend the model for those of us who can get online almost at will?

Instead of chucking bits across the network we could send only the headers, leaving the message itself to be retrieved by the recipient when they choose to.

Man signing cheque, Eyewire
Spammers forge addresses to fool filtering systems
And then we could do some proper checking before messages were accepted. Because apart from solving the problem of how to know whether someone has received or read an e-mail, this would also make generating spam with fake headers a lot less useful for spammers.

When an e-mail program received a message that appeared to come from me at andfinally.com, it would first ask my mail server if there really was a message waiting to be collected.

It's a lot harder to hijack a site's domain entry than it is to forge a header, so most of the spam would never be accepted. And there would be no bounced messages since even the dumbest corporate e-mail server would realise that a forged header which didn't relate to a message sitting on the real andfinally.com server didn't come from me.

Checking the originating domain is basically how SPF and Sender-ID work anyway but they are not yet in widespread use and take some effort to set up - as I am discovering.

They rely on having a network provider who is willing to respond to technical support queries and make changes to the mail server configuration. So far my provider hasn't bothered to reply.

I know I could run my own mail server, but while the technical aspects don't worry me I already have too little time for real work, and taking direct control of even more aspects of my online existence is not really an option.

It would be much better to have an e-mail architecture that actually made forged headers an exceptional technical achievement instead of something that any two-bit spammer can do in seconds.

Bill Thompson is a regular commentator on the BBC World Service programme Digital Planet

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific