Commentary

China and the Threat of Spammers

We need to do something about spam, and we need to do it now.

When I’ve written about spam in the past, my problems with junk email were pretty much limited to trust issues – if spammers didn’t ease up, nobody would ever consider email to be a trustworthy commercial medium. These trust issues could destroy legitimate email marketing.

But now we have bigger problems. Spammers are threatening the very infrastructure of ISPs and other email providers.

I used to wonder why my Hespos.com mail account is flooded with Chinese-language spam almost every day, while my various free email accounts are completely free of the stuff. As it turns out, some of my free email accounts can’t get mail from China, period. Chinese domains have been blocked at the router level. No mail from a Chinese domain gets through.

You might expect this to be the work of an oppressive Chinese government, but that’s not the case. Email from China is often blocked because a good percentage of the email coming from Chinese domains is spam. Some network administrator weighed the costs and benefits of delivering this mail and decided (without asking the end user) that it would be better if Chinese domains were blocked.


It’s important to note that this is more of a bandwidth issue than a censorship issue. Spammers send so much mail that many ISPs and email providers simply can’t handle the volume. If they don’t take steps to keep the deluge of spam from flooding their infrastructure, legitimate email will suffer. An influx of several million pieces of spam, if not dealt with proactively, might cause a delivery failure in your legitimate email. It’s not too much of a problem if the dropped email happens to be a casual correspondence to your Aunt Bessie in Little Rock, but what if it’s an important business contract?

The conflicts over bandwidth occur continuously. A spammer sends a giant blast of unsolicited emails, and it clogs up the ISPs. The ISPs block the spammer’s IP and the spammer moves to another provider or steals bandwidth from legitimate Internet companies or individuals. They send more email, the ISP blocks them again and the whole process keeps going in circles.

One of the spammers’ more insidious tactics involves hacking Formmail scripts. Formmail.pl is a Perl script that many ISPs give to their customers. It is one of the most popular CGI scripts in use today. When called, this script takes data submitted via form pages on the web, wraps up the responses in an email, and mails the data to the e-mail address specified by the form. I use Formmail.pl all the time. Formmail sends me an email when someone has signed the guestbook on my personal website, or when someone submits an application to join one of my mailing lists.

Spammers hack Formmail.pl and use it to send spam. There are several reasons why this is bad. First of all, the spam appears to originate from the domain at which the Formmail script is hosted. If a spammer hacked my script, I would know immediately, because I would be getting hundreds or thousands of angry responses to the spam. Thus, the spammer gets off scot-free while legitimate e-mail users take the heat for their transgressions. Secondly, if enough email is sent via the script, ISPs may choose to block its domain. So a spammer can get a legitimate online business blocked by multiple ISPs. It is very difficult for ISPs to determine the difference between legitimate email sent via Formmail and spam. This works in the spammer’s favour.

The Formmail script’s original author has implemented some changes that prevent outside domains from accessing the script. However, old versions are still in place at many domains, so the spammers still have plenty of ammo. You can tell that a piece of spam was generated by a Formmail script when it reads, “Below is the result of your feedback form” or something similar at the top of the mail.
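The check a site operator wants in front of a form-to-mail script, as an added sketch that is not Formmail's own code: reject a submission unless it comes from one of the site's own pages and names a recipient in the site's own domain. The `recipient` field name, the `example.com` hosts and the recipient allowlist are assumptions for illustration; the article only mentions the restriction on outside domains.

```python
from urllib.parse import urlsplit

# Constructed policy values (assumptions, not taken from the article).
ALLOWED_REFERER_HOSTS = {"example.com", "www.example.com"}
ALLOWED_RECIPIENT_DOMAINS = {"example.com"}


def referer_allowed(referer):
    """True when the Referer header names one of our own hosts."""
    try:
        host = urlsplit(referer or "").hostname
    except ValueError:  # malformed URL
        return False
    return host is not None and host.lower() in ALLOWED_REFERER_HOSTS


def recipient_allowed(recipient):
    """True for exactly one address in an allowed domain."""
    # Line breaks and separators could smuggle in extra recipients or headers.
    if not recipient or any(c in recipient for c in "\r\n,;% \t"):
        return False
    local, sep, domain = recipient.rpartition("@")
    if not sep or not local or "@" in local:
        return False
    return domain.lower() in ALLOWED_RECIPIENT_DOMAINS


def check_submission(form, headers):
    """Return (ok, reason) for one form POST before any mail is sent."""
    # Referer is supplied by the client, so it is only a first filter;
    # the recipient allowlist is the check that keeps mail on our domain.
    if not referer_allowed(headers.get("Referer")):
        return False, "referer outside allowed hosts"
    if not recipient_allowed(form.get("recipient")):
        return False, "recipient outside allowed domains"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions: a guestbook entry and an off-domain recipient.
    own_page = {"Referer": "http://www.example.com/guestbook.html"}
    print(check_submission({"recipient": "owner@example.com"}, own_page))
    print(check_submission({"recipient": "someone@elsewhere.test"}, own_page))
```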

The tactics used by spammers to operate “under the radar” result in email blocking by ISPs. As spammers get more sophisticated, it becomes harder for ISPs to discern the difference between spam travelling across their networks and legitimate e-mail communication. How long will it be before the situation devolves into one where a significant portion of legitimate e-mail traffic is halted because one major ISP blocks another in an effort to reduce spam? Can you see the political nastiness that could take place as a result? What would happen if AOL were to block mail from Yahoo? Would Yahoo retaliate and block AOL in return?

We need to impose penalties for spamming now, or the situation may escalate and the interconnectivity we’ve enjoyed since the Internet debuted will be a thing of the past.
