Are anti-spam measures fair?

Spam has been in the news and on many people’s minds lately. So my interest was piqued by this inquiry from a reader:

“I’d be very interested in hearing your opinion on the subject of ‘Blacklisting’ an ISP’s non-spamming customers for the purpose of soliciting a negative response from those customers towards the ISP who is viewed as ‘spammer friendly’ by the blacklisting organization.

“Let me start by saying that I’m an e-mail administrator for a moderate size company, 500 or so users. The company I work for has had its e-mail server blacklisted by an anti-spam organization SPEWS.org [Spam Prevention Early Warning System] solely because it uses AT&T as an ISP.

“From what I’ve been able to find out, SPEWS.org supposedly identifies a spammer’s network (IP address range), blacklists it, and notifies the spammer’s ISP. If the ISP does not remove the ‘so called’ spammer, [SPEWS.org] expands the scope of the blacklisted IP address range to include adjacent networks — spammer networks or not. This is SPEWS.org’s way of forcing AT&T’s customers to confront AT&T on their behalf about supposed spammer’s residing on its network.

“This is the case with my employer’s network. Its IP address range has been blacklisted, along with dozens of other networks, with total disregard for the loss of legitimate e-mail and the consequences that it brings. Luckily the company I work for has multiple Internet connections and therefore has the ability to route e-mail through those connections in order to minimize the effects of SPEWS.org’s questionable practices.

“My biggest fear is that the companies, organizations, and ISPs who use these publicly available lists are unaware of the practices used to create the lists. I’m also appalled at the attitude displayed by people in the Usenet newsgroup news.admin.net-abuse.email (NANAE) when I requested our IP address range be removed from the SPEWS list. This is where the SPEWS.org website directs visitors for posting questions, complaints, etc., as [the organization] does not provide contact information on its page.”

Now back to my opinion. I have a friend who is a nationally known expert on air filtration. He will delight in telling you that the most efficient air filter is a brick wall. It is 100 percent efficient because no pollutants get through. His point, as you may have guessed, is that what’s important in measuring the effectiveness of an air filter is how much clean air gets through — a measurement known as the Clean Air Delivery Rate. (You should remember this when beguiled by ads for air filters that promise to remove 99.99 percent of pollutants.)

The reason for this little digression into air filters is to draw a comparison between that situation and current spam-blocking techniques. My first reaction to the reader’s complaint was that the approach certainly seemed unfair and had the potential to punish the innocent along with the guilty. However, I made a trip to the SPEWS.org Web site and found that the organization’s explanations sounded reasonable, if a little drastic. As far as adverse reactions on the newsgroup, nothing will bring out the snarling beast in some people quicker than spam or even a discussion about it. So, beware.

Spam is a growing problem for many individuals and businesses, resulting in lost productivity, rendering some mail systems all but useless, and promising to choke Internet mail communication in the near future — unless something is done.

A while back — in a column no longer available in the archives, unfortunately — I raised the issue of spam and how we can define it in objective, as opposed to subjective, terms. This definition would them enable us to create filters, write laws, or use other techniques to limit, if not prevent, some of this objectionable material from reaching our inboxes. The key problem is that almost any definition of spam leans heavily on the term “unwanted,” and that is highly subjective. Some people use the term “unsolicited,” and that covers a lot of territory but not 100 percent.

My situation is a good example. As a journalist, I frequently receive press releases from people I don’t know and from whom I haven’t solicited anything. The senders find my e-mail address and hope I’ll be interested in their products. Sometimes I am; sometimes I’m not. But I’d hate to see the incoming mail dry up because there’s a chance I’d miss an interesting story. Most other journalists are in the same position.

Not having a good working definition for spam, I argued in the earlier column, prevents us from creating tools and filters that will do the job we need. False negatives that let some spam through are to be expected. False positives that screen out legitimate mail are more problematic.

I had an experience a while back in which an old friend came across my column on the Web and tried to e-mail me to make contact. She had her e-mail client set up so that only her first name appeared in the “From” field and she typed “Hey there” in the subject line. At the time I was acting as my own spam filter, and I ditched three of her e-mail messages before she finally put her full name in the subject line and I realized who she was. Until then, her e-mail looked just like those porn messages that come in almost every day.

Automatic spam filters are even less discerning than I was. They use rules that rely heavily on words and techniques that spammers commonly use. The problem is that legitimate e-mailers may innocently use those same words and techniques — unaware that they’re going to be snagged as possible spam. This has forced many of us into defensive tactics to create e-mail messages that will make it through the filters.

Although this may be a necessary evil, given the magnitude of the problem it’s only a stopgap maneuver. The spammers will also figure out how to get around the filters. Then, we’ll need to build new filters with new rules, and we’ll find ourselves in a cat-and-mouse game similar to viruses and virus scan software.

Hope is on the horizon, however. A newly formed group — scheduled to meet yesterday for the first time — promises to find a radical way to stem the flood of unwanted e-mail. The Anti-spam Research Group says it will focus on “consent” as the key to facilitate communication. The group admits that a key problem is the one I raised months ago: the lack of a common agreement on how to define spam in a way that allows effective blocking techniques. Addressing this issue will be one of the group’s first objectives.

You can find more information in a recent news story on ASRG.

As far as my reader’s complaint, I can understand the frustration. I can also understand the frustration of system administrators who have to deal with tens of thousands — or more — of spam messages clogging their e-mail systems daily. As the old saying goes, harsh times call for harsh measures. With spam increasing at an astounding rate — one estimate is that it now accounts for 40 percent of all e-mail — we may have no choice but to live with the “unfair” solutions that can limit, though not eliminate, the unwanted and unsolicited messages.