How to best combat spam?

Introduction

The problem of unsolicited bulk email, commonly referred to as “spam”, is an ever-increasing worry and probably one of the largest issues on the Internet. Does email spam still concern many people nowadays, considering that the newest generations communicate with instant messaging systems, through Facebook or Twitter, via their iPhone? According to the Coalition Against Unsolicited Commercial Email, the answer is yes, and the conclusions of a recent study confirm that email is still the top online activity, all generations considered. Furthermore, a recent Nielsen study shows that the first activity on mobile devices is emailing and not social networking. One step further, in a Radicati Group report, the number of email users is forecast to reach 1.9 billion by 2013. Because email still has significance, spammers still value this communication tool. It is therefore crucial to find ways to battle this security and privacy threat. In March 2011, spam represented 79.6 % of email traffic in the USA, against 79.1 % for the UK and 80.2 % in the Netherlands. Clearly, spam has gone beyond the stage of simple online annoyance. In spite of technological advancements, it is expected that by 2014 19 % of email delivered to users’ mailboxes will nevertheless be spam.

Although the definition of spam can be broad and spam can encompass numerous sorts of messages, the present work will mainly focus on “unsolicited commercial email”. Spam must be battled on all fronts. This is why, from a manifold perspective, the present work will argue what the optimal ways to defeat spam are.

USA’s legislation, global definition, social networks

2. Legal perspective

As many lawyers would agree, the legislative framework is probably not the best way to cure spam. Indeed, “legislation is a blunt instrument with which to beat junk email”.1

Worldwide, many pieces of anti-spam legislation have been designed. Even worse, the CAN-SPAM Act (CPA) has the criticized opposite effect of making spam legal instead of prohibiting it. Nonetheless, one interesting clause, highly supported by Lessig, considers the establishment of a reporting mechanism. Individuals who help chase breaches of the Act become entitled to receive a reward. However, Tompkins and Handley argue that such a system would cause people to breach laws and could be an encouragement for hackers to violate people’s privacy.

The USA’s legislation is very weak and too superficial, according to Mozena. It is totally opposed to the EU legislation, as well as to the legislation in Australia and China, where spamming is not legal. Besides laws, it is thought that a self-regulation system is not an adequate solution to circumvent spam: it now seems clear that it cannot play an important role anymore and should be replaced by binding laws in order to prevent marketers’ abusive practices.

The main shortcomings of the regulations may be explained as follows. Firstly, there is no global definition of what constitutes spam. According to Starr, the central elements that define spam, i.e. unsolicited, bulk and commercial, cannot be adapted to fit a global definition of spam. Furthermore, Van Alstyne stresses that “recipients themselves do not agree on what constitutes spam”.2

Secondly, the law is restricted to a single jurisdiction. Indeed, EU laws are only applicable within the Union and the vast majority of spam emanates from outwith, which inevitably leads to a chaotic enforcement of anti-spam regulations. Indeed, about 90 % of EU spam troubles come from the USA, where spamming is legal. Meanwhile, cybercriminals do not have boundaries and may even spam remotely, through a network of “zombie” computers.

Notably, even if the sender and the recipient of a spam email both live in the same country or state, it does not automatically imply that the domestic law will apply, as it is very plausible that the email was dispatched via a server situated elsewhere.

Nevertheless, it is reasonable to argue that the Canadian Anti-Spam legislation (Bill C-28) will constitute an effective law, taking the best from the EU 2009 Directive and the USA Act. Embodying an opt-in regime, the bill provides for drastic penalties applicable to spammers. However, online, the identity of spammers is not easily detectable and fake identities can be used. Interestingly, the bulk character of the email spam would be irrelevant as the law would apply as soon as a single email is forwarded.

In conclusion, Starr is right when saying that “at best, anti-spam laws are ineffective; at worst, they cause more problems than spam itself”.3 Only when a regulation of global significance is designed, or when laws worldwide are consistent, will the law stop being a utopian instrument for eradicating spam. Additionally, such law(s) would need to call for transborder enforcement, a key feature the international scene is currently lacking. Besides, cross-border prosecution can be arduous where 88.2 % of all spam is sent from botnets of “zombie computers”, where the identity of the real sender is hidden. So, the spam issue encompasses more than just some loopholes in the global legislative framework(s). The will to find a global consensus will always face two issues: either adopting a consumer-oriented law generally characterised by an opt-in system, such as the EU and Canadian laws, or a business-focused law generally characterised by an opt-out regime, such as the CPA. Basically, a balance of interests is at stake. Undertakings need to be allowed to freely send advertising emails, but consumers’ privacy and consent should be preserved. Ultimately, it is wise to mention that “criminalization requires a clear definition of the crime and an ability to catch the criminal. Neither is possible with spam”.

3. Technological perspective

To solve the spam problem, why not just stop using emails, mobile phones, the Internet? Let’s face it; nobody wants to go back in time. Yet, according to a 2003 study, more and more people are tempted to partly or completely give up the use of email because of spam.

The elementary step to curb spam is the use of a content-based or Bayesian filter by Internet Service Providers (ISPs) and end-users. This allows the issue to be addressed upstream and downstream respectively. However, spam filters are not foolproof: legitimate emails may appear to the filters to be unsolicited and may sometimes be returned to the sender without the recipient having knowledge of them. The main drawback of filters is highlighted by Loder et al.: the “language plasticity permits an escalating arms race in which one side seeks better ways to block unwanted access and the other seeks better ways to gain it”.4 Yet, the Guardian stated in 2004 that dispatching unsolicited email had become more difficult, as spammers must “play dirty” in order to fool filters.
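To make the false-positive risk concrete, here is a minimal Bayesian token filter, added as an illustration and not taken from the essay or from any product it cites. The training messages, function names and thresholds are constructed for the example.

```javascript
// Added illustration: a minimal Bayesian (naive Bayes) token filter.
// TRAINING is a constructed sample, not real mail.
const TRAINING = [
  ['spam', 'cheap pills buy now'],
  ['spam', 'buy cheap watches now'],
  ['spam', 'win money now'],
  ['ham', 'meeting agenda for monday'],
  ['ham', 'invoice for your order'],
  ['ham', 'lunch on monday'],
];

const tokenize = text => text.toLowerCase().match(/[a-z]+/g) || [];

// Count, per class, how often each token occurs.
function train(samples) {
  const model = { counts: { spam: new Map(), ham: new Map() },
                  tokens: { spam: 0, ham: 0 }, docs: { spam: 0, ham: 0 },
                  vocab: new Set() };
  for (const [label, text] of samples) {
    model.docs[label] += 1;
    for (const tok of tokenize(text)) {
      model.counts[label].set(tok, (model.counts[label].get(tok) || 0) + 1);
      model.tokens[label] += 1;
      model.vocab.add(tok);
    }
  }
  return model;
}

// Posterior probability that a message is spam, with add-one smoothing.
function spamProbability(model, text) {
  const logLikelihood = label => {
    let sum = Math.log(model.docs[label] / (model.docs.spam + model.docs.ham));
    for (const tok of tokenize(text)) {
      if (!model.vocab.has(tok)) continue; // unseen words carry no evidence
      const c = model.counts[label].get(tok) || 0;
      sum += Math.log((c + 1) / (model.tokens[label] + model.vocab.size));
    }
    return sum;
  };
  // P(spam) = 1 / (1 + L_ham / L_spam), computed in log space.
  return 1 / (1 + Math.exp(logLikelihood('ham') - logLikelihood('spam')));
}

// The threshold decides how many legitimate messages are sacrificed.
const isSpam = (model, text, threshold) => spamProbability(model, text) >= threshold;
```

With this sample, the legitimate message "Your order of cheap watches" scores 0.6: a threshold of 0.5 rejects it, while a threshold of 0.9 delivers it and still catches "buy cheap pills now".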

Just to mention it, blacklist and whitelist registry systems are usually not effective, as spammers can buy inexpensive new identities or forge others’ identities (spoofing). Interestingly, a September 2011 study empirically reveals that a Support Vector Machine, developed to distinguish end-user machines from legitimate mail servers, greatly surpasses the blacklists currently in wide use, drastically improving filtering accuracy.

3.1. Spamgourmet

One valuable way to eliminate spam is to use a free disposable email address instead of one’s real email address. This is the method employed by Spamgourmet. It is thought this website provides an effective solution to avoid spam. This was even advocated at the ABA TECHSHOW 2011. It offers disposable and time-limited email addresses that work in a very simple way. A temporary address is created to receive a number of messages predefined by the user, and once the quota is exceeded, messages sent to that address will be automatically deleted. In practice, the user needs to register on spamgourmet.com. The user will be asked to provide a username and a valid email address (the protected address), to which an activation link will be sent. Then, Spamgourmet will forward the messages sent to the user’s disposable addresses to the protected address. After registration, the user has disposable addresses available, which will self-destroy after a period of time. Those addresses will always have the same format:

oneword.x.your_username@spamgourmet.com

“Oneword” stands for a simple word allowing the user to remember where a given address was used. “X” is the number of times (maximum 20) Spamgourmet may receive emails using this address before it destroys them. “Username” is self-explanatory. The advantage of Spamgourmet is that the user does not have to return to the website to create a disposable address before being able to actually use it, as opposed to other websites supplying the same service.
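The following sketch models the address format and quota rule described above. It is an added example, not Spamgourmet's own code: the names `parseDisposable` and `DisposableRelay` are hypothetical, and clamping a request above 20 and fixing the quota at first use are assumptions of this model.

```javascript
// Added illustration: models the disposable-address scheme described above.
// Not Spamgourmet's code; all names here are hypothetical.
const MAX_QUOTA = 20; // maximum stated in the text

// Parse "oneword.x.username@spamgourmet.com" into its three parts.
function parseDisposable(address) {
  const m = /^([a-z0-9]+)\.(\d{1,3})\.([a-z0-9_]+)@spamgourmet\.com$/i
    .exec(address.trim());
  if (!m) return null;
  const requested = parseInt(m[2], 10);
  if (requested < 1) return null;
  // Assumption: a request above the maximum is clamped, not rejected.
  return { word: m[1].toLowerCase(),
           quota: Math.min(requested, MAX_QUOTA),
           user: m[3].toLowerCase() };
}

class DisposableRelay {
  constructor(protectedAddresses) {
    this.protectedAddresses = protectedAddresses; // username -> real mailbox
    this.seen = new Map(); // "word.user" -> { quota, count }
  }

  // Decide what happens to one incoming message.
  deliver(recipient) {
    const parsed = parseDisposable(recipient);
    if (!parsed) return { action: 'reject', reason: 'not a disposable address' };
    const target = this.protectedAddresses.get(parsed.user);
    if (!target) return { action: 'reject', reason: 'unknown user' };
    // No visit to the website is needed: the first message creates the address.
    // Assumption: the quota is fixed at that moment, so a sender who later
    // rewrites x in the address cannot grant himself more deliveries.
    const key = `${parsed.word}.${parsed.user}`;
    const state = this.seen.get(key) || { quota: parsed.quota, count: 0 };
    state.count += 1;
    this.seen.set(key, state);
    if (state.count > state.quota) {
      return { action: 'drop', reason: 'quota exhausted' };
    }
    return { action: 'forward', to: target, remaining: state.quota - state.count };
  }
}
```

The protected address never appears in anything the sender sees; only the relay holds the mapping from username to real mailbox.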

3.2. Camouflage of an email address

If a user prefers to keep their “real” email address, relatively more sophisticated ways exist to conceal an address from spam robots. For instance, the “@” symbol may easily be replaced by the term “at” or a hexadecimal code; an image containing the email address can be used instead of plain text too. It is thought that the latter, functioning on the same principle as the (Re)Captcha, is the most secure solution from a layman’s perspective. An alternative, which requires more in-depth knowledge of the internet, is to use JavaScript.
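The three text-based options above can be compared side by side. This is an added example, not code from the essay; the function names are hypothetical and `PLAIN_ADDRESS` is a deliberately naive stand-in for a robot that pattern-matches raw page source.

```javascript
// Added illustration of the camouflage options above; all names are hypothetical.
// Conservative address shape; also keeps quotes and angle brackets out of markup.
const ADDRESS = /^([A-Z0-9._%+-]+)@([A-Z0-9.-]+\.[A-Z]{2,})$/i;
// Naive pattern standing in for a robot that scans raw page source.
const PLAIN_ADDRESS = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

function splitAddress(address) {
  const m = ADDRESS.exec(address);
  if (!m) throw new Error('unsupported address: ' + address);
  return [m[1], m[2]];
}

// Option 1: spell out the "@" (and the dots of the domain).
function spellOut(address) {
  const [local, domain] = splitAddress(address);
  return `${local} at ${domain.replace(/\./g, ' dot ')}`;
}

// Option 2: hexadecimal character references; the browser shows the normal
// address, but the page source no longer contains a literal "@".
function toHexEntities(address) {
  splitAddress(address); // validate only
  return Array.from(address, ch => `&#x${ch.codePointAt(0).toString(16)};`).join('');
}

// What any HTML parser does with such references (used for the round trip).
function decodeHexEntities(html) {
  return html.replace(/&#x([0-9a-f]+);/gi,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Option 3: JavaScript assembly. The markup carries only the two halves;
// the address exists only after the script has run in the visitor's browser.
function scriptedLink(address) {
  const [local, domain] = splitAddress(address);
  return [
    `<a class="mail" data-u="${local}" data-d="${domain}">address hidden (needs JavaScript)</a>`,
    '<script>',
    "document.querySelectorAll('a.mail').forEach(function (a) {",
    '  var addr = a.dataset.u + String.fromCharCode(64) + a.dataset.d;',
    "  a.href = 'mailto:' + addr; a.textContent = addr;",
    '});',
    '</script>',
  ].join('\n');
}

const exposedInSource = markup => PLAIN_ADDRESS.test(markup);
```

All three outputs pass `exposedInSource`, but the hexadecimal form is restored by any HTML parser, so it only protects against robots that match raw source text.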

One current trend among spammers is to use social networks such as Facebook and Twitter, or fora. Indeed, every user of these networks is an easy spam target, as spam robots continually scan these platforms to gather email addresses. Therefore, an effective way to receive less spam could be to use the Scr.im website solution. It protects an email address against spam by making it accessible through a safe and short personalised URL. Concretely, instead of giving an address in its traditional format such as “[email protected]”, the user provides a personalised web link obtained through Scrim in the following format: http://scr.im/1×2. Subsequently, everyone wishing to send an email to a “Scrim” address’s user has to visit the proposed URL, which will unmask the user’s actual address after a basic test that spam devices are not able to pass. In the end, this free tool keeps the address hidden and blocks spam.

To conclude, contrary to the law, technology has no boundaries. According to Grimes, “the final solution that seems to have the best chance according to most experts is a technological solution”.5

4. Economic perspective

According to Van Alstyne, “the two most common” perspectives referred to above had (and will have) only limited success. A step further, McCullagh affirms that “spam is not primarily a technological or legal problem: it’s an economic one”.6 Indeed, as long as there remains a mutual interest for both spammers and anti-spammers in the survival of spam, no concrete answer to spam can be framed. On the one hand, spammers aim to attract people with their advertisements. On the other, a proportion of their opponents seem to be relatively happy with that. In fact, it is thought that vendors of anti-spam equipment have a genuine economic interest in spam continuing to spread on the Net. For instance, according to a Radicati Group study, the forecast email security market, in which anti-spam products represent an important segment, will grow to more than 7 billion US dollars in 2014, which is far more than what the spammers will earn.

Spam is parasitic advertising in the sense that it shifts the costs of the operation onto the targets’ shoulders, costing ISPs and Internet users resources and time. Indeed, sending a single email or bulk emails is cheap, and the low costs incurred can therefore easily be recovered even if only a portion of the emails produces economic results. Until this scheme ends, spammers will always have a pecuniary interest in spamming, as only a few purchases are necessary for spam to be a lucrative activity.

Therefore, why is some sort of payment system not in place? In an experimental survey, where an example of a market mechanism is used to allocate human attention, it was held that by imposing postage fees for emails, senders will be more selective and smaller quantities of messages will be sent. Although the authors acknowledge that this solution has potential, they also point out that it has yet to be fully achieved. Indeed, its first challenge is the tough task of changing people’s minds about charging for something which has been free for decades. The second is devising an adequate pricing mechanism. But the major counter-argument against imposing such a payment system, which will arguably prevail for a long time, is that it would represent a huge “technological step backward” as well as express a “tacit admission of defeat” to the spam threat, regardless of the smallness of the payment. Nonetheless, it is thought that Kraut et al. are right when arguing about the pricing mechanism that “given sufficient societal benefits, the shift is possible”, as was the case when people shifted from “free broadcast TV to fee-based cable and pay per view TV”.

Another instrument to allocate human attention is the “selling interrupt rights” mechanism devised by Fahlman and explored in a more superficial way in Ayres and Nalebuff’s book. Based on the same idea of pricing email, this mechanism provides that when a sender wishes to interact with someone via email, he must pay a fee for disturbing this potential customer. Depending on whether or not the recipient is willing to contract, he will either waive the fee or claim it. As with the pricing system above, senders’ emails would therefore be very targeted. Fahlman’s scheme is thought to be at least as captivating as the aforementioned one, probably even more.

Ultimately, it should be clearly kept in mind that sending bulk unsolicited emails is an ill-advised practice not to be used by undertakings, where a “wealth of information” may bring on a “poorness of attention”,7 which should run counter to the “freedom of commercial speech” advocated by Weintzen.

5. Conclusion

“Two years from now, spam will be solved”.8 In this famous quote from 2004, Gates underestimated the spam issue, without taking into account that the anti-spam solution would not be found soon, nor solely in technology. In spite of the numerous interesting solutions and initiatives suggested, it is prudent to recognise that a conclusive way to eradicate spam cannot yet be foreseen.

The implementation of anti-spam laws within diverse jurisdictions and the anti-spam alliances formed by leading IT undertakings have not contributed to a curtailment of spam. At most, a multidisciplinary approach should be able to lessen the spam problem. Indeed, according to Cowper, “a global problem needs a global solution”.9 Through this work, it has been demonstrated that “there’s not one single way to eliminate the problem […] only a combination of initiatives”.10 Therefore any way to stem spam will encompass a key concept: international multidisciplinary cooperation.

The present work was limited to three perspectives: legal, technological and economic. Further research should focus on the social, educational, ethical and environmental perspectives of spam.

Garry Trillet
LL.M. student in European and international Intellectual Property law at CEIPI
University of Strasbourg

1 Starr, S., 2004. “Can the law can spam?”. Available from: http://www.spiked-online.com/articles/0000000CA4BF.htm.

2 Van Alstyne, M. W., 2007. “Curing Spam: Rights, Signals & Screens”. The Economists’ Voice, 4 (2).

3 Starr, S., 2004. “Can technology can spam?”. Available from: http://www.spiked-online.com/Articles/0000000CA50F.htm.

4 Loder, T. et al., 2006. “An Economic Response to Unsolicited Communication”. Available from: http://www.bepress.com/bejeap/advances/vol6/iss1/art2/.

5 Grimes, G. A., 2004. “Issues with spam”. Computer Fraud & Security, 5, pp. 12-16.

6 McCullagh, D., 2003. “Perspective: Want to stop spammers? Charge ’em”. Available from: http://news.cnet.com/2010-1071_3-999561.html.

7 Simon, H. A., 1982. Designing organizations for an information-rich world: Models of Bounded Rationality. Cambridge, MA: MIT Press.

8 Leyden, J., 2004. “We’ll kill spam in two years – Gates Charging ahead”. Available from: http://www.theregister.co.uk/2004/01/26/well_kill_spam_in_two/print.html.

9 Cowper in Everett, C., 2004. “Stronger laws needed to stem spam”. Computer Fraud & Security, 1, p. 2.

10 Lavaste, F. “Spam Summit Calls For Global Coalition To Fight Junk E-Mail”. Available from: http://www.informationweek.com/news/10817878.

 
