More than thirty years after the famous Monty Python sketch, spam has become a worldwide problem that grows exponentially every year. Most often defined as “unsolicited commercial e-mail” or “unsolicited bulk e-mail”, spam is estimated to make up between 45% and 70% of all incoming e-mail. The damage caused by spamming includes communication service disruption, decreased productivity (the average employee productivity loss per year due to spam is approximately 1200 minutes), security breaches, increased costs for anti-spam techniques and activities, reputational damage, etc.
Since there is now no doubt that spam seriously interferes with the business operations of companies (ISPs and end users), and that it is more than a nuisance for the regular individual internet user, a proactive solution to the problem should be developed. Different anti-spam techniques have been discussed, including technical measures, legal measures and informal measures such as self-regulation. The results are quite clear: no single type of measure is capable of completely eradicating the spam problem, so a multilateral approach that uses all of the abovementioned measures at the same time should be adopted.
Technological measures
As already mentioned, multiple direct and indirect losses of companies and individual users are attributable to spam, and a versatile approach should be found. Unsolicited messages consume a substantial amount of traffic and bandwidth capacity, storage, time and money, and technological means of combating them should be the first line of defense. Such measures mainly consist of filtering and blocking techniques, whose main types and features are presented below. Filtering is used in this paper as a generic term that covers all kinds of technologies at both the mail server and the inbox level.
One filtering method is the use of a black list of either domain names or IP addresses. This measure consists mainly of creating and maintaining a list of domains or IPs identified as spam sources, which promises to be a fruitful approach since approximately 200 spammers account for about 90% of the spam sent worldwide. It allows spam messages to be caught at the mail server level before they even reach the users' inboxes. However, it blocks all mail coming from a black-listed domain or IP, which can easily lead to a false positive identification (a legitimate message is filtered out just because it comes from a black-listed source) and to the ISP not fulfilling a contractual obligation to deliver a certain message. Additionally, black lists can only include a part of all domains and IPs that are connected to spam, so they are just a partial solution. Another disadvantage is that black lists cannot be created automatically; someone has to add each entry to the list.
Another, more sophisticated filtering method is heuristic filtering. It is a rule system that blocks e-mails based not on their source but on their content, looking for specific patterns used in the message. This method basically relies on identifying keywords, the use of exclamation marks, etc. (for example words like “Viagra” or “free sample”, as well as ill-structured subjects and headers). Heuristic filtering has proved to be more effective than black list systems alone, as it is estimated to identify approximately 90-95% of spam. Additionally, it is easy to set up and install, and since it is maintained at the mail server level, the end user does not need to be involved in the installation. However, it has a false positive identification rate as high as 5% and is quite static, so it does not take spammers long to find ways around the rule system.
Furthermore, effective filtering of spam can be achieved by Bayesian filtering systems. These are statistical, content-based software tools that compare the words used in spam and in legitimate mails and calculate the statistical probability that a word is part of an unsolicited mail. Bayesian filters then apply these word probabilities to every e-mail an individual receives and come up with the overall probability of the entire mail being spam, based on which they filter it out or block it. Due to the complex statistical methods they use and the fact that they are based on the actual mails each user receives, their effectiveness is extremely high (up to 99.9% spam detection). An additional benefit is that they evolve together with spam itself. However, a huge disadvantage is that they need to be adjusted and tuned every time they make a mistake, in most cases by the end user, not the ISP. Spammers have also learned to defeat them by including many “good” words in their mails so that the system classifies the entire message as a “good” one.
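As an added illustration (not code from the sources discussed in this paper), the following Python example carries out the calculation described above: a probability per word, a combined probability for the whole mail, and the correction an end user makes after the filter misses a message. The class and function names, the 0.9 cut-off, the equal priors with add-one smoothing, and the training mails are all assumptions constructed for the example.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Per-user Bayesian spam filter in miniature (illustrative names)."""

    def __init__(self):
        self.seen = {"spam": Counter(), "ham": Counter()}  # messages containing a word
        self.total = {"spam": 0, "ham": 0}                 # messages trained per class

    @staticmethod
    def tokens(text):
        return set(re.findall(r"[a-z0-9']+", text.lower()))

    def train(self, text, label):
        self.seen[label].update(self.tokens(text))
        self.total[label] += 1

    def word_prob(self, word):
        # P(spam | word) with equal priors; add-one smoothing keeps unseen words off 0 and 1.
        s = (self.seen["spam"][word] + 1) / (self.total["spam"] + 2)
        h = (self.seen["ham"][word] + 1) / (self.total["ham"] + 2)
        return s / (s + h)

    def spam_prob(self, text):
        # Combine the per-word probabilities by summing their log-odds.
        log_odds = sum(math.log(p / (1 - p)) for p in map(self.word_prob, self.tokens(text)))
        return 1 / (1 + math.exp(-log_odds))

# Constructed training corpus, standing in for one user's mailbox.
SPAM = ["free sample viagra order now", "win free money now", "cheap viagra free shipping"]
HAM = ["meeting agenda for monday attached", "please review the project report",
       "lunch on monday with the project team"]
THRESHOLD = 0.9  # assumed cut-off for filtering a message out

def build_filter():
    f = BayesFilter()
    for text in SPAM:
        f.train(text, "spam")
    for text in HAM:
        f.train(text, "ham")
    return f

if __name__ == "__main__":
    f = build_filter()
    print(round(f.spam_prob("free viagra sample"), 3))         # known spam vocabulary
    print(round(f.spam_prob("project meeting on monday"), 3))  # known legitimate vocabulary
    missed = "exclusive replica watches discount today"        # constructed, all-new words
    print(f.spam_prob(missed) >= THRESHOLD)                    # the filter's mistake
    f.train(missed, "spam")                                    # end user marks it as spam
    print(f.spam_prob(missed) >= THRESHOLD)                    # caught from now on
```

A mail made up entirely of words the filter has never seen scores a neutral 0.5 and passes, which is why the correction step, usually performed by the end user, is part of running such a filter.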
The abovementioned filtering methods offer many advantages, such as a high rate of blocked spam messages, low rates of false positive identifications, easy setup and, for some of them, no end user involvement in maintenance. However, they carry many disadvantages too, such as blocking legitimate communications, the high costs involved and the relatively low barrier for spammers to circumvent them technologically, so it is clear that technological means alone are incapable of fighting the problem in an unconditional and cost-effective manner. Even though the general use of a spam filter has been estimated to reduce the spam messages received by an average of 35%, further legal measures should be established in order to combat spam on a massive scale.
Legal measures
Technological measures are hugely important in the battle against spam and in many cases are able to significantly reduce the number of unsolicited messages sent and received. In order to fight the problem more comprehensively, however, further legal regulation is needed. Legal regulation has to focus both on preventing spam and on sanctioning those who do not abide by the rules.
In my opinion, the first step in regulating spam consists of clearly defining it. Different definitions in different countries create a heterogeneous understanding of what spam is, and thus no consistent regulation and enforcement practice can be followed. Definitions should be consistent on, for example, whether a spam message needs to be commercial or not. Additionally, ambiguous parts of the current definitions should be made clearer, such as the option of sending unsolicited bulk messages to parties with whom the sender has had a “prior relation”, which leaves a door open for spammers.
Another important move in combating spam is drafting legislation that clearly prohibits or restricts it. Spamming can be prohibited severely, as it is in the Delaware computer crime law, or each country can be left to decide to what extent to restrict spam, as is the case in the EU. However, in order to combat spam aggressively, legislation should be as similar across countries as possible, and as severe as possible. Due to the internationalization of the internet, spammers are located all over the world and their targets are worldwide too. This clearly means that even if one country strictly prohibits spam, spammers will either re-target addressees in other countries with more liberal legislation, or simply continue sending unsolicited mails, because their location makes them harder to trace, locate and ultimately serve. As hard as it seems to unify and harmonize anti-spam legislation around the world, a step towards it can be achieved through international treaties and intense cooperation in this field.
Moreover, further specific measures that should be included in anti-spam legislation are the “opt in” and “opt out” systems. To handle the spam problem most effectively, an opt in system should be the principle. The opt in rule, under which unsolicited mails may be sent only to individuals or companies who have explicitly agreed beforehand, should, if properly enforced, be able to fight a substantial amount of spam. The opt out system, in which the sender gives the recipient the opportunity to explicitly opt out of receiving messages, is another solution, but it should apply only to cases not covered by the opt in system. A further application of this system is the establishment of individual or national opt out registries in which certain e-mail addresses or entire domains can be included. Government regulatory bodies that independently regulate compliance with legislation in the field of electronic communications should be established, such as the OPTA in Holland.
The paragraphs above have briefly described some of the main anti-spam legislative steps that, in my opinion, would bring the most benefit. However, it is important to point out several problems with legislative measures against spam, such as enforcement problems due to the internationalization of the internet, the lack of uniformity of legislation, and concerns regarding freedom of speech or free trade. Notwithstanding these obvious concerns, legal approaches are just as important as technological means of combating spam and should be carefully considered in a multidimensional anti-spam battle.
Finally, the approach that has the highest chance of combating spam combines advanced technological means of stopping it, a clear definition of spam, uniform anti-spam legislation that unambiguously imposes sanctions on spammers, and international cooperation and coordination of anti-spam efforts. It might not prevent all spam, but it will set the barriers to entering the spam market so high that most spammers would think twice before pressing the “send” button.