What about spam?

Irony has a field day in Mumbai city. Every single day.

The Mumbai Police, in collaboration with the Indian Merchants’ Chamber, declared August 18-23 as Cyber Safety Week in the city, with a series of seminars for ordinary folk and businesses on how to guard against cyber crime. Two days later, back in the real world, two car bombs blasted through the heart of the city, leaving at least 50 dead.

During the Cyber Safety Week, one of the organisers claimed that the aim was to make Mumbai the "cyber safety capital of the world." Whatever that means. This amidst a candid confession from the Commissioner of Police: "I am a computer illiterate," he candidly confessed. That there irony again. Nevertheless, I do think that the Cyber Crime Cell of the Mumbai Police is doing a superb job of awareness creation and cyber crime detection, despite having to contend with frugal resources, arcane and absurd cyber laws, and a largely clueless constabulary.

So, through the week there were discussions on exotic cyber crimes of every ilk—illegal hacking and cracking, database break-ins, eavesdropping, cyberstalking, impersonation, identity theft, source code theft, credit card fraud and what not. While only a very very small minority of Internet users would probably ever be directly affected by any of the above transgressions to any great degree, there’s no doubt that everyone needs to be aware of the dangers such threats pose, and what the possible preventive measures and solutions could be.

But, ironically, the one problem that affects each and every one of us e-mail users—spam—was glossed over. The session to discuss ways and means of tackling the menace of spam was attended by all of six persons—most of whom were anyway unaware of the magnitude of the problem. In fact, over 50 percent of the mail traversing the Net today is useless and unwanted spam. That percentage is rising rapidly, and if things continue the way they are without any remedial intervention, Gartner Research predicts that the Net will be brought down to its knees by mid-2004.

Like it was just a few days ago with the Sobig worm, which picked up e-mail addresses from connected machines and flooded the Net with e-mail copies of itself. Purists may contend that by definition the Sobig-generated mail could not be classified as spam. Maybe then the very definition of spam has to be changed in this age of the ‘blended threat’, to encompass all mail that’s bulk as well as unwanted—commercial or otherwise. Interestingly, some investigators seriously suspect that Sobig was an ingenious plot by professional spammers to harvest a pile of new, live e-mail addresses.

Last month I moderated a round-table discussion on spam in the enterprise, hosted by our sister publication Network Magazine. The verdict in a nutshell: Spam is clear and present danger in corporate India. Several CIOs and IT heads are well aware of the problem and are addressing it very adequately indeed; while others are choking in a marshland of filtering rules, black lists and white lists, and are quite shocked that they’re still being spammed so much.

Any approach to combat spam needs to be a multi-pronged one. First, and foremost, comes the education of employees, with a policy that deters and prevents internal abuse of e-mail. An Internet Access Policy document signed by all employees is a must, but more important, the spirit of the Policy needs to become second nature to all, with significant provisions regularly refreshed in everyone’s memory.

Then, one needs to have anti-spam and anti-virus tools installed at the gateway and server level. Having such tools at the client level is not in itself a bad thing, but in a networked organisation, it’s akin to fighting a fire after most of the building has already burned down. The trend is to use heuristics-based tools, rather than rigid rule-based ones, with regular updation of the ‘spam patterns’ much like is done with anti-virus software. Vendors like Trend Micro and Symantec are quite active in this category. At a personal level, products like MailWasher and SpamCatcher are pretty effective, and worth the Rs 1,500 or so you’d have to pay if you decide to upgrade from the free-trial version.

While black lists and white lists are certainly not a foolproof answer, an IT head at the round-table reported a reduction in spam after utilising black lists maintained by The Spamhaus Project (www.spamhaus.org).

Despite all the above weaponry, one can only expect limited success in the fight against spam. The very nature of spam, and of e-mail itself, makes complete victory an impossibility. Freedom from spam can occur only when e-mail technology evolves to ensure that the sender’s credentials cannot be forged and can be validated at the recipient’s end. When anonymity and impersonation is not permissible in the real world, there’s no reason why it should continue to be considered a birthright in cyberspace. When a recipient has the (automated) ability to optionally reject e-mail that doesn’t have validated credentials, that’s when unwanted spam can finally be annihilated.

Will it happen with IPv6? To an extent, because of the increased security features that are inherent to this upgraded Internet Protocol. But it would also require changes in the specification for e-mail—possibly moving from the Domain Name System to DNSSEC (DNS Security Extensions), a technique for securing the DNS to provide end-to-end authenticity and integrity.

Which finally brings us back to the law. Almost everyone at the round-table was of the opinion that it’s no use waiting for legislation against spam or other cyber crimes to be enacted. One needs to take only a cursory look at our IT Act 2001 to understand the reason for this despondency. In Oliver Twist, Mr Bumble proclaims, "The law is a ass, a idiot." He would have died of apoplexy had he seen our IT Act, wherein idiocy has free reign. And this from a country which aspires to be the software superpower of tomorrow.

Actually, irony has a field day in India. Every single day.

Val Souza, Editor
valsouza@expresscomputeronline.com