Put an end to spam and phishing by reforming email

Monday, May 15, 2006 by Mike Adams, the Health Ranger Editor of NaturalNews.com (See all articles...) Tags: spam, phishing, email marketing

It is way past time for the internet community to do something serious about spam and phishing attacks. The problem has gone way beyond spam now. Spam itself was quite annoying. We've all waded through hundreds, if not thousands, of emails in our inboxes, trying to find the legitimate emails that we wanted. Even all the anti-spam software, spam filters and schemes for authenticating inbound email and making senders click links to verify real people didn't really stop spam, because the spammers got creative. They said, "We can send emails with keywords that aren't spelled in a way filters will recognize, or we can send a message that looks like a lot of text, but it's really just a graphic, so there are no keywords to filter out." They can come up with any number of other tricks to keep sending spam to honest internet users all over the world. And they do.

For a long time, I was a proponent of the puzzle solution to ending spam, and to some extent I still am, but let me explain why the puzzle solution is not enough. The puzzle solution is designed to add friction to the sending of email by placing a processing burden on outbound mail servers. Essentially, it would slow mail servers so that spammers could never send 10 million emails in one day. It changes the economics of sending spam. Let's face it: Spam is really an economic question. The only reason spammers are sending spam is because it pays off. If you can change the economics so that it no longer pays off, then they will stop sending spam. They will go off and do something else to con people out of money, but they won't be sending spam.

Right now, spam is profitable, and that's why it persists. It's profitable because it's cheap to send and because some foolish people still click on spam and buy products from spammers. They are just as much to blame for this problem as the spammers themselves. It only takes one idiot out of 1,000 people clicking a spam email and buying a product to make it financially justifiable for that spammer to send 10 million more emails. In effect, one person can bankroll spam that will affect millions of other people. This is what's happening today all across the internet.

Phishing is identity theft via spam

Then, something new and horrifying came on the scene. Of course, I'm talking about "phishing." Phishing is really identity theft, and it's where spammers got even more creative. They said, "Hey, why make money selling products when we can just send emails to people and act like we're from their bank?" They get people to log in and type in their username, password and identity information. Then phishers use that information to log in to people's bank accounts and transfer money to offshore accounts.

This is phishing, and it's a huge problem. I must get two or three phishing emails from con artists every day. Of course, I ignore them. Most of them are from banks that I don't bank with. But every once in a while, something comes in from a bank that I do bank with. It's pretty convincing stuff. If I were a new user to the internet, or if I wasn't covering this kind of topic, I might click on it and I think it was legitimate. It all looks legitimate. The logo is there, and the domain name looks right. It all looks very official. These scammers are very good and creating these official-looking "phishing" websites. In fact, they're making a living doing it, and I'm sure they're making a very good living, because many people log in. They'll give their usernames, passwords and social security numbers right to the con artists.

Then, it's over. The con artists have got you. They've got everything they need to make your life miserable from that day forward in terms of your finances and your credit rating. Once your identity is stolen, it is very difficult to get your finances back in order.

By the way, if you want to know how to beat identity theft, credit fraud, phishing scams and other threats to your finances and personal safety, definitely check out our downloadable Real Safety Guides.

The worst may be yet to come

When it comes to email, we used to think that spam was the biggest problem. Now we know that spam was just the tip of the iceberg! Now we've got phishing, and the financial institutions are getting worried because customers of the big banks in the United States and around the world are falling prey to this scam. This is where it's really starting to get serious. Now we have the attention of powerful corporations, because it's hitting them where it counts. These crimes are being committed against their financial institutions.

I think that "phishers" or scammers have awakened a sleeping giant in using this tactic. They have enraged the financial world. The financial world has money, and it is influential. I believe it is going to get some laws put into place that will clamp down on these security breaches. What's at stake here is not just the personal victims of phishing attacks. What's at stake is the credibility of these financial institutions and the credibility of email as a medium of communication. If we can't get these problems solved, people may increasingly distrust email, period.

This threatens the very foundation of trust between customers and their financial institutions. What would happen if we all had to go back to banking by paper and postal services? Can you imagine actually writing out a physical check, licking a stamp and mailing it to your bank? We need to find a way to crack down on phishing and stop the spammers cold.

Solutions for safeguarding online safety

Many of you out there are nodding your head and saying, "Yes, we know all this. What about some solutions?" Remember, I've been in this industry for more than 12 years. I am the president of a software company that's focused on permission email marketing software. I've seen the problems and trends in this industry.

My personal belief is that we're going to require a global system of sender authentication. I regret saying that, because I think it's going to add a layer of bureaucracy to the internet and ultimately make it less free. Freedom is very, very important, especially in terms of online speech. But this problem is becoming so serious that we are looking at a situation where we need to know who is sending email.

Essentially, we need a system in which people who send email must effectively show their ID to send that email. I don't mean that they would send you a copy of their driver's license, but there must be some mechanism by which the identity of a company or individual is permanently and irrevocably attached to that particular message. Then there needs to be a system so that we, as end-users or receivers of the email, can click a link or go to a website to verify the identity of that sender.

This is no small proposal. There are many problems in making this a reality. The first of those problems is that not everybody agrees that this is a viable solution. The second problem is that if there is a cost involved, it becomes an economic issue, and you automatically exclude those who don't have the money to afford this personal identification mechanism, whatever it happens to be. You don't want to punish people in third world countries, people with lower incomes or non-profit organizations. You don't want to say to them, "You can't send email because you can't afford the filing fee." On the other hand, we need a system of authentication. We need to know who's sending emails, and we need to be able to verify it. I think we're past the point now of arguing that everybody should be able to anonymously send email. We must start requiring email sender certification.

At the same time, I do not believe that any particular government should do this. I think if the government gets involved, it will take two or three years longer than necessary to put it in place. This solution must come from the industry itself, and it should probably come from the big companies leading the industry: Microsoft, AOL, Yahoo and MSN. These are the companies that have the influence, the technology and the user base required to put something like this in place.

But here's the catch: These companies have to agree. Imagine sitting all these competitors in the same room and saying, "Map out a solution. Shake hands on it, implement it and exchange these certification systems with each other. Then, propagate it to the entire world." This is no small task, but I believe it is the very task that we must ask these industry leaders to undertake. We must agree to do this if we are going to live in a world where email communications can be trusted. We're at a crossroads now. We can go down the path of allowing email to continue being the Wild West, with anonymous emails flying around with no real control standards and no real authentication system, but things are going to get worse.

Spamming and phishing will only get worse if email isn't reformed

There are going to be more victims of phishing. There are going to be more spammers finding new, creative ways to get into your inbox. The problem is going to get worse. There may be new things coming down the road that we don't even know of yet. Who would have thought of phishing five years ago? What's going to happen two or three years from now? It will probably be something new and even more horrifying in terms of identity theft, credit theft or financial scams. Who knows what these people can come up with?

Or, we can go down another path. We need to reshape the email medium. We need to have a trusted system so that we can authenticate the identity of senders. It's a difficult thing to do, but we can go down that path. We can move on as a society, living in a world where the information technology infrastructure is more secure and more trusted, and we can experience all of the efficiencies of technology and communication that go along with that.

That is the path I think we must choose as a society. It has taken too long to get these big companies to sit down and agree to things. Here's the danger: If they cannot agree on a set of standards, eventually there will be enough pressure from financial institutions, internet users and legitimate email marketing companies to get Congress to pass new laws mandating some kind of sender certification or authentication system. That, my friends, is what we don't want. Again, I think the government won't do it right. It will be very bureaucratic, costly, delayed and inadequate. We do not want the government to come and regulate this medium. We want a private industry solution, and it probably needs to come from the big leaders and the big corporations.

I urge those reading to recognize that now is the time to call for serious reform of the email medium. We need a technical change. It's going to require upgrading all of the SMTP servers and all the POP servers. It needs to cover both the open source community -- all the Linux users and the Unix users -- and of course the Microsoft and Mac world, as well. It must be an open source standard. It can't be a proprietary technology, yet it needs to be secure. It needs to be unbreakable and unhackable. There can be no back doors.

The time for a move toward change is now. If we don't change, the very credibility of the email medium is at stake. If we don't change, governments are going to come in and mandate a solution that none of us want to live with. You can be sure of that.