Spim, spam, spit

A couple of years ago, at just about every security conference I attended around the world, the buzzword was SPIM (SPam over Internet Messaging). I was assured that SPIM would become the next big junk mail threat, but it hasn’t become the all-consuming evil that was predicted. I’m being warned by the same conference circuit that I should be watching out for SPIT this year, and I do believe that SPam over Internet Telephony is likely to become more of a problem than SPIM ever was as more consumers follow the VoIP trend.

In its new report, Voice: a vision of the future (£1,950 from store.ovum.com), the consultancy Ovum provides a perspective onto the voice market from 1990 through to 2015, and the particularly interesting bit for me is a shortlist of key issues that will drive the market over the coming decade. It’s no surprise that traditional PSTN calls are seen as continuing to decline while mobile calls will increase, nor that broadband-based VoIP (with and without termination) will also grow. However, if Ovum has it right, the killer telephone apps are going to be VoIP-over-3G mobile and public Wi-Fi/WiMAX. Yet despite this unstoppable march of internet telephony into home and workplace alike, I’m still not convinced that a SPIT epidemic is likely.

Even with today’s relatively simple VoIP implementations, I’ve seen precious little evidence that spammers are turning their attention to voice technology. Certainly, my small-business clients who use VoIP haven’t yet found their voicemail boxes overflowing with messages concerning penis enlargements. As long as you configure your client correctly, you can actually get a far better level of control over cold-calling under VoIP. Okay, so you can’t pre-filter content as you can with email spam, and many businesses can’t afford an “accept calls only from people in my address book” policy either. And certainly, telephone calls are more invasive than email, offering no opportunity to second-guess their content before picking up and answering beyond the existing regulatory practices (which continue regardless of how the call is transmitted). I predict that a combination of regulation, ever more sophisticated phone clients and security solutions alike will fend off this particular threat.

Can the spam

That leaves us with the one pest we can’t seem to get rid of – good old-fashioned email spam. Regular readers will know there are many things you can do to reduce the amount that makes it through your defences, from simple filters to dedicated server-side solutions. My current favourite is to use two mailboxes: one receives all mail, which is then filtered so that only messages properly addressed to me are forwarded to the box I poll throughout the day – the remainder is sifted once or twice a day for false positives. Most consumers and small businesses have to balance the cost of detecting spam against the real-world cost of doing nothing, and for many it makes sense to just install a no-cost or low-cost spam filter at the client end. This can work well as part of a bigger security solution, such as the A-Listed ZoneAlarm Security Suite 6, but it won’t make spam go away – it will merely reduce its impact with varying degrees of effectiveness.
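The two-mailbox rule described above, sketched in Python as an added example (not the author's actual filter): a message is forwarded only if one of my addresses appears as a real recipient in To or Cc, and everything else is held for the periodic false-positive sift. The address `me@example.com` and the sample messages are assumptions made up for the illustration.

```python
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESSES = {"me@example.com"}  # assumed address of the polled mailbox

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: client@example.org\nTo: Me <ME@Example.com>\nSubject: Invoice\n\nHi",
    "From: bulk@example.net\nSubject: Offer\n\nNo To or Cc header (Bcc'd blast)",
    'From: bulk@example.net\nTo: "me@example.com" <list@example.net>\n'
    "Subject: Deal\n\nMy address appears only as a display name",
    "From: colleague@example.org\nTo: team@example.org\nCc: me@example.com\n"
    "Subject: Minutes\n\nCopied in",
]


def properly_addressed(raw, mine=MY_ADDRESSES):
    """True if one of my addresses is an actual To/Cc recipient."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # getaddresses() splits display name from address, so an address that
    # only appears inside the quoted display name does not count.
    recipients = {addr.strip().lower()
                  for _name, addr in getaddresses(headers) if addr}
    return bool(recipients & {m.lower() for m in mine})


def triage(raw_messages, mine=MY_ADDRESSES):
    """Split mail into (forward to polled box, hold for the daily sift)."""
    forward, hold = [], []
    for raw in raw_messages:
        (forward if properly_addressed(raw, mine) else hold).append(raw)
    return forward, hold


if __name__ == "__main__":
    fwd, held = triage(SAMPLES)
    print(len(fwd), "forwarded;", len(held), "held for review")
```

Nothing is deleted by this rule: held mail still gets the once-or-twice-daily check, which is what keeps a misaddressed but legitimate message from being lost.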

Legislative measures against spammers have been introduced around the world but have done little to stop spam, even if the US law of 2003 was called the CAN-SPAM Act. Yep, you read correctly, that law is already three years old and spam remains as big a problem as ever, despite a few high-profile prosecutions and unlikely sounding fines, with one spammer being fined $900,000 (£520,000). Such successful prosecutions are few and far between, and the same handful of corporate uber-spammers are still responsible for much of the global junk mail we receive.

European legislation (Directive on Privacy and Electronic Communications 2002/58/EC) was also passed three years ago, but appears even less effective. The English version of the directive (see www.ico.gov.uk) gives you the right to seek damages against spammers, but the Information Commissioner responsible for enforcing this is unable to check the actual origin of the spam, and only UK-originated spam can be dealt with. Also, the Information Commissioner’s Office makes no secret of the fact that it will investigate only after several complaints about the same spammer have been received. If it investigates at all, that is, since a report published last year revealed that from 600 complaints received up to July 2005, absolutely no legal actions were taken. Even if there had been legal action, the spammer could appeal against any enforcement notice and continue trading (and spamming) during what would most likely be a lengthy process.

There are two ways to really hurt spammers and both involve money: fine them and stop businesses from using their services. For a spammer to be fined under the UK regulations, the Information Commissioner first has to issue an enforcement order to cease and desist, then wait for that order to be broken before a British court will impose any financial punishment. It therefore isn’t too surprising that the first chap to successfully sue a spammer in the UK bypassed the ICO entirely – Nigel Roberts instead went direct to Colchester County Court using the small-claims process and the E-Privacy Directive to prove the point. By keeping the damages he claimed below £300, the case cost only £30 to file whether he won or lost, and that’s a reasonable enough figure since it would be difficult to prove any larger loss resulting from the action of one spammer. The spammer, Media Logistics (UK) Ltd, didn’t defend the action, so his case was won, and the company settled for the full £300, including costs, “out of court” before it was moved up to a district judge to decide on compensation.

Due to the size and nature of this settlement, it doesn’t count as new case law and no legal precedent has been set, but it does prove you can strike back, at least against UK-originated spam. Money Claim Online (www.moneyclaim.gov.uk) is Her Majesty’s Courts Service online service for claimants and defendants alike, and is recommended for anyone who wants to follow Mr Roberts’ example, as is his own site at spamlegalaction.pbwiki.com.

The frog is blue

This brings me nicely on to the second of the “money hurts” attack strategies; namely, cutting off the spammers’ source of income. Amazingly enough, I can’t recall anyone exploring this avenue with any real effort in the past – there have been schemes to direct Denial-of-Service-type attacks or community complaint systems against the spammers themselves, but all proved to be water off a duck’s back because spammers are masters at obfuscating their real address and changing it regularly. A spammer has every reason to hide their own address and absolutely none to reveal it, but the opposite is true of the actual business whose products are being marketed via the spam – you can’t be tempted to buy if you can’t see who from.

This is the weakest link in the spam chain, and it’s one that Blue Security (www.bluesecurity.com) has opted to attack with its innovative Blue Frog client, linked to its equally impressive Do Not Intrude Registry. I’ve been putting this system through its real-world paces for the last six weeks, using the Firefox browser extension implementation and a very busy Gmail account as the testing ground. I chose this combination because I wanted to see what it offered beyond being “just another Outlook application”, and if it works well with a web-based system such as Gmail (it also works with MSN Hotmail and Yahoo Mail on the web side of things) there’s no reason it shouldn’t be as effective within any other mail client.

To think of Blue Frog as just another proactive complaints script would be to miss its point, as would lumping it in with the Distributed Denial-of-Service vigilante brigade – it’s much cleverer than either. It takes your basic right to complain about receiving spam back to the actual advertiser. Whenever you get a spam message, click on the Java-powered Blue Frog icon to report it (or just configure the azure amphibian to automatically report messages as they arrive in your Gmail spam folder) and it will be checked by a team of analysts to ensure it really is spam. This gets around problem number one; namely, competitors or disgruntled former employees waging vendettas against innocent businesses. If identified as spam, a request is sent to the merchant concerned asking them to stop spamming members of the Blue Community.

If the merchant agrees to this, they’re offered free tools that put them in compliance with a Do Not Intrude Registry by removing all Blue Community members from its mailing lists. This quite cleverly gets around problem number two, abuse of opt-out lists, which spammers have previously treated as just another handy source of punters’ addresses – the Do Not Intrude Registry is only ever exposed in encrypted format and at no time reveals your actual email address. The spammer/merchant downloads the Registry with all the addresses hashed, and a hashing tool runs on their own machine to scrub their own mailing lists of any matching addresses.
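How a hashed registry lets a list be scrubbed without publishing addresses, as an added Python example (not Blue Security's tool or code). The page does not say which hash or normalisation the Registry uses; SHA-256 over the trimmed, lower-cased address is an assumption here, and all addresses are constructed samples.

```python
import hashlib

# Constructed sample data (not real addresses).
SAMPLE_MEMBERS = ["Alice@Example.org", "bob@example.net"]
SAMPLE_MAILING_LIST = [" alice@example.org ", "carol@example.com", "BOB@example.net"]


def normalise(address):
    """Both sides must canonicalise identically or matches are missed."""
    return address.strip().lower()


def hash_address(address):
    # Assumed digest: SHA-256 of the normalised address, hex-encoded.
    return hashlib.sha256(normalise(address).encode("utf-8")).hexdigest()


def build_registry(member_addresses):
    """Registry operator side: publish digests only, never the addresses."""
    return {hash_address(a) for a in member_addresses}


def scrub(mailing_list, registry):
    """Merchant side, run locally: drop every entry whose digest is listed.

    The merchant learns membership only for addresses it already holds;
    the digests of everyone else in the registry stay opaque to it.
    """
    kept, removed = [], []
    for address in mailing_list:
        (removed if hash_address(address) in registry else kept).append(address)
    return kept, removed


if __name__ == "__main__":
    registry = build_registry(SAMPLE_MEMBERS)
    kept, removed = scrub(SAMPLE_MAILING_LIST, registry)
    print("kept:", kept)
    print("removed:", removed)
```

The protection is only as strong as the addresses are hard to guess: a bare digest does not reveal an address, but it does confirm one that the holder can already supply.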

If the merchant doesn’t respond and chooses not to comply then the Blue Frog scripts kick into action, examining the merchant’s website for web forms that can be used to make a complaint about the spam. This is done in much the same way you or I may go looking for an online complaint avenue – an HTTP session is opened and complaint/opt-out text is posted into areas such as site registration or purchase forms. Sure, it’s possible for a company to guard against this kind of automation by using the “copy verification code here” approach, but if they don’t have that installed already it’s an added expense and hassle that may still serve as a useful reminder as to why spamming is a bad idea. To remain ethical about the whole process, Blue Security only posts these opt-out requests at the rate of one for each spam received, and they’re signed by Blue Security without revealing your identity or email address. At the same time, Blue Frog sends aggregated reports regarding rogue sites identified during analysis to its ISPs, domain registrars and law-enforcement agencies if appropriate.

Of course, Blue Frog can only be effective if it gathers enough users to reach some kind of critical mass. When I first became aware of it last year, the goal was a community of 100,000 users, but when I spoke to the company at the start of April that figure had already grown to over 280,000 members. So what difference has it made to my Gmail spam load during these six weeks of intensive trialling? Well, it hasn’t eliminated spam entirely, but it has reduced it by 35%, which is a good start. Best of all, though, it’s left me feeling empowered, given me back a voice for complaining about spam rather than just filtering it out once it’s been sent. The fact that it has a zero rate of false-positives, because it isn’t filtering but only reporting, is important to me as well. I can’t afford, and neither can you, for anti-spam solutions to eat important business-related emails.

There’s no ongoing maintenance involved with Blue Frog, no system slow-down or impact on network infrastructure. My main concern – although Blue Security has escaped litigation so far – is that the show will be stopped by some spamming company with deep pockets and voracious lawyers. Only time will tell but, in the meantime, I have absolutely no hesitation in suggesting that you sign up and start finding your own anti-spam voice. You can protect up to ten email addresses free of charge, and Blue Security CEO Eran Reshef told me that small businesses, protecting an entire domain with up to 200 email addresses, can also sign up free of charge for a limited time.

When wheels fall off a blog…

As a sometime book reviewer and author, I get to see a lot of books. Publishing houses send me books to review, and often pre-publication drafts for comment as I’m part of a wider IT industry panel. During the past two years, I’d have to say that the subject that’s generated most of my book-flow would have to be blogging, the vast majority of these tomes following a predictable “build your own blog in 24 hours” template. You may question the worth of these when weblog apps such as Blogger.com are so self-explanatory, but it’s possible to raise an argument for printed reference works about the business end of blogging – Movable Type (www.movabletype.org), for example. Even then, though, if you really “get” what blogging is about, you’ll probably also “get” the directions to online support forums for hands-on community help.

However, one manuscript that came my way recently was different enough to grab my attention; namely, Blog Marketing by Jeremy Wright, which is to be published by McGraw Hill. Once I clawed my way past its tedious subtitle, “The Revolutionary New Way to Increase Sales, Build Your Brand, And Get Exceptional Results”, this turned out to be a useful read. Rather than looking at the “how” of business blogging, it concentrates on the “what” and “why”, and always with an eye to business benefits.

There can be times when a blog isn’t good for business, though, such as when a rogue employee posts something embarrassing (similar things arise when the CEO or financial director are allowed to blog), or when a carefully established official blog is compromised. Perhaps I’d best not dwell too much on the case of googleblog.blogspot.com (I’m sure PC Pro’s lawyers have enough work to be getting on with), but the official Google blog went down towards the end of March and “compromised” is certainly the word I’d apply. What actually happened was that the blog itself was deleted by Google admin from its Blogger.com base, and when you delete a Blogger blog that blog address immediately becomes available again. Unfortunately for Google, someone happened to be in the right place at the wrong time and claimed the googleblog name for themselves, thus effectively destroying a carefully crafted blog brand.

If that had been your business, it could have proved disastrous, especially if you’d been using that blog for business marketing purposes, and doubly especially if the person who claimed new ownership were to start making derogatory postings – you get the picture, I’m sure. Of course, the difference here is that Google just happens to own Blogger, which might explain why the downtime was less than a day and why there appears to have been no problem in regaining ownership of the googleblog name. Obviously, it’s better not to be terminally stupid with your business blog in the first place, but at least if you make a note of 27 March 2006 you’ll have something to refer to as a precedent for why your blog should be restored to you if a similar thing happens.

dtSearch 7

When putting the industrial-strength (and industrially priced) desktop search client dtSearch 7 through its paces in the PC Pro Labs recently, I was surprised to find it didn’t index the Thunderbird messagebase on the testbed machine, and a quick scan of the Help files failed to list any support for Thunderbird. I’ve since discovered that dtSearch does support MBOX formats, as used by Thunderbird, but was at something of a loss as to why my test messagebase wasn’t indexed. The overall ratings for the review remain unchanged, Thunderbird indexing or not, but I’d be happy to hear from any dtSearch and Thunderbird users who have successfully indexed their messagebase in order that I can report back with a definitive answer – and discover why my messages went missing!
