Anti-Fraud is not Anti-Spam

One of the biggest problems with e-mail is the complete lack of an inherent security model. As with the telephone, most people have come to take e-mail for granted, expecting that it simply works. Most e-mail users do not know how easy it is to forge almost every aspect of an e-mail message. We have all received spam that, when viewed in our e-mail client (Outlook, Entourage, Gmail, etc.), appears to have been sent to us, from us. How can this happen?

There is a common misconception among many in the e-mail security space that anti-fraud technologies like Sender Policy Framework (SPF), Sender ID and DomainKeys Identified Mail (DKIM) are part and parcel of anti-spam technology. While it is true that anti-fraud/anti-forgery technologies have the nice side effect of preventing some spam, this is not their main goal. In addition, lumping these important technologies in as simply anti-spam misses the point and tends to diminish their importance.

Protecting your domain from e-mail forgery is up to you, the owner of the domain. Does your domain publish a Sender Policy Framework (SPF) record (http://www.openspf.org/)? If not, why? What are you waiting for? Is your inbound e-mail checked to see if the sender’s domain publishes an SPF record? If not, why? After all, if the sender’s domain administrator has elected to take domain forgery seriously, you should as well. Finally, are you recognizing DKIM (http://www.dkim.org/) signatures for inbound e-mail and is your e-mail server signing outbound e-mail?

In case you are wondering… Google, eBay, Yahoo, Cisco, and many other large companies are now on the DKIM bandwagon.

…and who says e-mail spam filtering works?

The following excerpt comes from MSNBC’s “The Red Tape Chronicles”:

[Let me begin by saying that you cannot make this stuff up!]

Friday: 10 Oct 2008
(http://redtape.msnbc.com/2008/10/att-customer-ca.html#posts)

AT&T reserves the right to change its terms of service by sending its Internet service customers an e-mail. Apparently, it also reserves the right to deposit those e-mails into its customers’ junk mail folders.

Last month, AT&T made some controversial changes to its Internet policies. Verbiage indicating that high-bandwidth users might experience some intentional slowdowns irritated some techies; another section that forces customers to use binding arbitration to resolve disputes annoyed consumer organizations; and an L.A. Times reporter bristled at the size of the full new agreement — 2,500 pages.

But Lance Mead, an AT&T Internet customer from Encino, Calif., almost missed the entire controversy. His notification of the new terms of service was sent via e-mail on Sept. 18, but AT&T’s own spam filters trapped the e-mail as spam and deposited it in his junk mail folder, he said. On a whim, he checked the folder and spotted the notice. He was furious.

Someone — anyone — please tell me how this is not proof positive the entire premise behind e-mail spam filtering is seriously flawed? I completely understand that mistakes happen. However, these “mistakes” are also considered “false positives.” In the “e-mail game” it is the false-positives that cost business real money. Is it really the end of the world if 5% to 10% of the e-mail received in your inbox is spam? Probably not. It is unnecessary, annoying, and unproductive to be forced to wade through spam, but missing an important e-mail thanks to the flawed concept of filters, a.k.a. guessing machines, should be considered absolutely unacceptable.

In Search of… A definition for e-mail spam

According to Wikipedia, e-mail spam is defined as follows:

“E-mail spam, also known as unsolicited bulk Email (UBE) or unsolicited commercial email (UCE), is the practice of sending unwanted e-mail messages, frequently with commercial content, in large quantities to an indiscriminate set of recipients. (http://en.wikipedia.org/wiki/Spam_(electronic)#E-mail_spam)”

This definition is okay, but is overly broad. I would like to propose the “Triangle of Spam” in an effort to more accurately define the problem.

Simply put, for any piece of e-mail to be considered “spam” it must be unsolicited, anonymous, and high volume. If any one (or more) of these characteristics is not met, the e-mail can be considered unwanted, but is not “spam.”

It is important to distinguish between “spam” and simply unwanted e-mail. For example, are “Lowest Fare” updates from United Airlines spam or, in my case, simply unwanted (I never fly United)? While I’m sure I did fly United at some point in the distant past, I certainly do not plan on flying United anytime soon. Technically speaking, United has the right, by virtue of our “previous business relationship,” to send me these updates. However, in my particular case, these are absolutely unwanted e-mails, but they cannot (or should not) be considered spam.

I am very interested to hear what other people think of the “Triangle of Spam.”