The spam pandemic has grown to epic proportions. In 2002, I received over 23,000 spam messages (about 35 percent of my mail), and that's even after employing the Mail Abuse Prevention System RBL+ realtime blackhole list and a handful of other conservative server-side spam filters on our primary mail server. There's no question that my address is both older (it hasn't changed since I switched away from the UUCP style <firstname.lastname@example.org>) and more widely published than most, but my exposure generally means I'm just ahead of the curve. If you're not getting a lot of spam now, you're both lucky and living on borrowed time.
Think Positive -- Nevertheless, although I don't see the amount of spam dropping for a while yet, I think we've turned the corner in developing the basic concepts that will eliminate most spam from our lives - at least when those concepts are intelligently combined and implemented. These concepts include so-called Bayesian filtering, which attempts to predict the likelihood that a message is spam by the frequencies with which certain words occur; whitelists, which allow mail through only when it comes from people from whom you've received legitimate mail in the past; and challenge/response systems, which require that new senders authenticate themselves before their mail reaches you. Also potentially useful deterrents are the various U.S. state anti-spam laws and the lawsuits against spammers they make possible; well-run blackhole lists that let mail servers refuse to accept connections from other mail servers that have been compromised by spammers; and the combination of proper default settings and network administrator education that has cut down on the number of open relays for spammers to exploit.
Note that I explicitly do not include arbitrary server-side content filtering in that list of potentially useful approaches to controlling spam. Creating server-side filters that reject mail based on the inclusion of a word or two merely because the administrator has seen those words in spam is more damaging to the overall utility of email than spam itself. Geoff Duncan brought this problem to light with "Email Filtering: Killing the Killer App" back in TidBITS-637; that article triggered widespread coverage in mainstream media outlets such as the New York Times, the Newhouse News Service, and more.
Our efforts at educating the public to the dangers of arbitrary content filters certainly don't hurt, but the problem continues. Our recent gift issue was rejected by one mail server (which will undoubtedly do so again with this issue) because the word "cows" appeared in the text. (Ironically, it wasn't even in relation to the worthy Heifer Project charity, but to a comment about the game Tropico.) In an effort to avoid losing subscribers when these content filter rejections trigger our bounce automation, we've taken to trying to switch impacted subscribers to the announcement version of TidBITS, which is much more likely to slip past content filters purely on the basis of containing many fewer words.
Cue Habeas -- There's one more new tool that we've just started to employ. A new company called Habeas, started by TidBITS author Dan Kohn, has come up with "sender warranted email." The idea is that, with the addition of nine specific header lines to your messages, you can warrant that your outgoing email is not spam. ISPs, email providers, spam filters, and even individual recipients can then trust that any incoming message that contains Habeas headers is legitimate.
Here's what the Habeas headers look like.
X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to <http://www.habeas.com/report/>.
"But but but...," I can hear you saying. "What prevents spammers from simply adding the Habeas headers to spam as well?" Nothing. Well, except for the thousandweight of lawyers that Habeas plans to drop on anyone who does so, basing such lawsuits on both copyright and trademark law. Habeas can do this because the Habeas headers include a copyrighted three-line haiku and several trademarks. In addition, Habeas will add any infringers to a DNS-based blacklist that doesn't suffer from some of the legal problems that have plagued other blacklists.
I'm waiting with bated breath to see how Habeas handles the first infringers. My experience with suing a spammer under the Washington State anti-spam law wasn't great because I couldn't expend the money, time, and effort to carry the suit through to the most satisfactory conclusion. In contrast, Habeas has venture capital and significant incentive to make examples of infringers, so they're likely to have a better chance of running the spammers to ground and extracting financial penalties from them. By basing the protection on copyright and trademark law, Habeas avoids the many variations on state anti-spam laws and doesn't have to wait for federal legislation that may be too little and is already too late. Plus, international copyright law offers similar protections everywhere but Afghanistan, Bhutan, Ethiopia, Iran, Iraq, Nepal, Oman, San Marino, Tonga, and Yemen. On the collection side, Habeas plans to turn spammers over to the collection agency Dun & Bradstreet for maximum extraction.
Although there are some high-profile spammers who are making very real money at spam (but are stupid enough to give their real names in interviews, opening themselves up to real world harassment from furious spam victims), I doubt Habeas will end up making significant money from successful lawsuits. Most spammers simply don't have deep pockets. However, Habeas does earn money from licensing the Habeas headers to businesses. Licenses are free for individuals and ISPs that warrant that all their email is not spam; other companies pay $200 per year for a license unless their business revolves around sending verified opt-in commercial email, at which point the license is based on the number of recipients.
Practical Habeas -- From a user's standpoint, you need to know two things about Habeas: how to add Habeas headers to your email messages (remember, it's free for individuals) and how to filter Habeas warranted messages. The details vary significantly with the software you use for email, but Habeas has developed instructions and plug-ins for many common pieces of email software (it's just a matter of dropping a plug-in into the appropriate folder with Eudora, for instance), and they're happy to post user-submitted instructions for additional programs. Also, many email programs hide unusual headers by default, and for those programs that don't, Habeas also offers instructions for hiding the Habeas headers so you don't have to look at them in every message.
What are we hoping to get out of adding Habeas headers to our mailing lists? Quite simply, less damage due to errant spam filters. Habeas is working with many of the vendors of server-side spam filters to encourage them to whitelist Habeas compliant messages, and we hope that anyone who has gone to the effort of rolling their own spam filters will do the same to reduce the incidence of false positive spam identification. I encourage everyone who's concerned about spam to sign up for a free individual Habeas license, and for anyone working on anti-spam tools, make sure your tools whitelist Habeas compliant messages as well.
There's no question that the use of Habeas headers will not eliminate the spam problem overnight, but when combined with the other tools and techniques that have started to appear, it should make a difference.
PayBITS: Want to support TidBITS in our ongoing fight against
spam? Consider supporting TidBITS by contributing via Kagi!
Read more about PayBITS: <http://www.tidbits.com/paybits/>