SPAM: It’s a Security Thing

December 8th, 2006

SPAM is a security issue. Why? Well, it drains away precious organizational resources. It reduces worker productivity by increasing time spent handling messages, slowing messaging services, and inhibiting users from using electronic communication. SPAM increases the cost of doing business when effective use of electronic communication should be lowering the costs. SPAM has moved from an email problem to a problem that affects instant messaging, SMS messaging, blog comments, chat forums, newsgroups, online games, and wikis. The direct costs come from SPAM filtering services and software, hiring technicians to deal with the SPAM problem, deploying additional equipment to deal with the increasing amounts of SPAM, and purchasing additional network bandwidth and storage capabilities to handle the increasing size of our inboxes. SPAM affects the availability of electronic communication services and inhibits an organization’s ability to conduct business efficiently. In my opinion, that makes it a security issue.

A post (“SPAM is Back”) by Ed Felten prompted my thoughts on this issue. Professor Felten talks about the arms race in the SPAM arena. SPAM filters were keeping up for a while through textual analysis and identifying the sources of SPAM. Spammers are still evolving their techniques and changing tactics. Through the use of botnets, images, fewer URLs, and seemingly random text to confuse the analysis, spammers are gaining ground. In order to prevail though, the payoff for SPAM has to be reduced. One interesting statistic cited in the New York Times article is that nine out of ten email messages are unsolicited.

Many solutions attempt to address the SPAM issue. None appear to be completely successful so far. The basic problem with these attempts is that they are evolutionary, incremental, and only address the current set of weaknesses and common attributes of SPAM. The spammers change tactics, and the attempt no longer works reliably. The spam fighter then attempts another incremental solution, and so on. (Remember, this is an arms race.)

Most messaging services suffer from the basic security issues, namely the lack of confidentiality, integrity, and availability. In my opinion, the best way to solve these issues in the current messaging systems is to throw them out and start over. Wait, wait. Before you click away, think about it for a moment. The average user can’t send private email using current email encryption tools. The current IM clients make no guarantees on identity or authentication. Open SMS gateways provide a path for SMS SPAM. IRC bots spew chat forum SPAM. Need I say more?

The current method of incremental solutions only prolongs the arms race. In the end, there are no winners in the arms race. The way to “win” an arms race is to change the rules of the game. Or, in a sense, change the pieces on the gameboard.

Personally, I think we need a “do over.” A mulligan, if you will.

I think we can solve the security issues of electronic messaging systems. First, we have to agree that the current systems have issues that require significant change. Second, we have to acknowledge that even a “perfect” solution would require many years to completely roll out and must replace the existing systems. Third, the solution must have security “baked in” to address the issues of confidentiality, integrity, and availability. Fourth, privacy and anonymity must be supported without allowing significant misuse. Fifth, the solution must be resilient against denial of service attacks and fail gracefully.

Notice, I am not proposing a technical solution in this post, just some of my thoughts on how we start the process of developing more secure electronic communication systems.


2 Comments

  1. Pingback by Video Games Hideout » Blog Archive » SPAM: It’s a Security Thing on December 9, 2006 2:28 pm

    [...] Original post by Keith Watson [...]

  2. Pingback by PDF Spam volume increased by 25% » Hack Report on July 19, 2007 1:52 pm

    [...] See also: SPAM: It’s a Security Thing [...]
