Spam: You just can't win

No real solutions arise at the Information Security Best Practices conference at Wharton School of the University of Pennsylvania.

Larry Dignan
This was originally posted at ZDNet's Between the Lines.

For anyone even slightly optimistic about thwarting the never-ending crush of spam I have two words: don't bother.

At the Information Security Best Practices conference at Wharton School of the University of Pennsylvania, I've learned the following from the first panel.

Comcast's Gerard Lewis, senior counsel and chief privacy officer, noted that the CAN-SPAM Act of 2003 "hasn't done anything to curb spam," but is "a well-intentioned law." Indeed, almost all e-mail is classified as spam.

Lewis should know, since Comcast moves millions of e-mails a day: 450 million on average, to be exact. Lewis walked through the evolution of spam and how defenses have moved from generic filtering to a more sophisticated model. The rub: the fancy stuff doesn't work too well either.

Lewis said that giving consumers more control and tools to prevent spam helps a bit. But plenty still fall for social engineering tricks.

What's the solution?

I haven't heard one yet. Chris Marsden, a professor at the University of Essex, said there are a bevy of regulation schemes being cooked up across the pond. But it didn't sound like there were any spam killers coming from the UK.

Marsden said ISPs will likely see more regulation, but giving consumers more tools isn't the answer per se.

"ISPs have made it clear that consumers will not implement filters," said Marsden. Australia has even sent CDs to citizens to prod them to implement filters. One outcome may be required filtering for spam and content on all PCs as a regulatory requirement.

Think of these efforts as mandatory seat belt laws for Web surfing.

Update: In a follow-up conversation, Lewis said the biggest issue with laws like CAN-SPAM is that they don't reach overseas, where a huge chunk of the spam originates. Carol DiBattiste, senior vice president of privacy, security, compliance and government affairs at Lexis-Nexis, spoke about a different topic, but her solution sounds a lot like what the folks in the Talkbacks to this post are seeing: Lexis-Nexis, as part of its security policy, blocks international IP addresses.