Exterminating the nuisance of spam
Suresh Ramasubramanian oversees the development of junk e-mail countermeasures for tens of millions of Internet users.
As the India-based head of antispam operations at Outblaze, which handles mail for large sites such as Mail.com and Register.com, Ramasubramanian has overseen the development of junk e-mail countermeasures for tens of millions of Internet users. Outblaze is a privately held company with headquarters in Hong Kong.
He's become such an expert on the topic that international treaty organizations, including the Organisation for Economic Co-operation and Development, have sought his advice. He also wrote part of a book (click here for PDF) on Internet governance published by the United Nations Development Program.
Along the way, Ramasubramanian has not shied away from debates with groups like the Electronic Frontier Foundation--which has taken issue with antispam techniques like America Online's Goodmail. (One essay he wrote compares EFF's advocacy techniques to ones used by Republican political operative Karl Rove.)
CNET News.com interviewed Ramasubramanian at a United Nations Internet summit here earlier this month.
Q: You're a systems administrator and a spam fighter. What are you doing at a U.N. summit?
Ramasubramanian: I've been doing antispam for the past 10 years or so. Pretty soon, I figured out that a lot of things have to fix themselves for spam to fix itself: capacity building for people, training sys admins, training users not to click on attachments, promoting open source. That would cover the cost angle of this. Improving connectivity, so people don't suffer from the effects of spam.
There's this conference in Fiji that was videocast to a bunch of places like Samoa, the Cook Islands. There was a woman from one of the islands who was watching it via videocast (but was kicked off because of a deluge in spam saturating the connection). When you're using dial-up or a BlackBerry, the cost is still there. (The effects of spam) are much more apparent in developing countries. A huge chunk of spam comes from developing countries.
What can this United Nations process do to slow spam, if anything?
Ramasubramanian: The process by itself? Not much. The people attending this, who are exposed to new ideas? A lot.
There are people attending this from a wide variety of backgrounds. You have (nongovernmental organizations), you have regulators, you have law enforcement, you have (Internet service providers). They're all stakeholders in solving this problem. Probably the one thing is getting people in the same room and exposing them to the same ideas.
What's the single most important thing that can be done to stem the flow of spam?
Ramasubramanian: If I can get even one fraction of a percentage of e-mail users to stop clicking on attachments, and if I can get ISPs engaged in antispam mailing lists with the rest of the spam community, and if I can get some regulators listening and implementing reasonable spam (laws) and get some NGOs, that's fine.
Once Korean schools had a configuration error that turned their computers into a wide-open proxy. An open proxy is something that can be used to anonymously proxy spam.
Every single Korean school on the Internet became a magnet for spammers (click here for PDF). They did a pretty good quick emergency job in finding those servers. The Koreans fixed that. But it's an illustration of why, when you're deploying (information and communications technology) to the general public, you should make sure it's secure.
How many messages does Outblaze filter a day?Ramasubramanian: Outblaze has 40 million users, and we provide filters to some broadband ISPs, corporations and Web mail. That pushes the total closer to 70 million or 80 million.
Our mail servers alone, which process mail for 40 million users on several thousand domains we host, may reject as many as a million spams a minute for every 100,000 messages we accept.
So the ratio of junk e-mail to legitimate e-mail is at least 10:1?
Ramasubramanian: A bare minimum. Our servers are magnets for dictionary attacks.
You've got thousands of domain names compared to Yahoo Mail, which uses one. Does that make it worse for you because all of your servers get hit?
Ramasubramanian: When a spammer does a spam run, he sends literally millions of spam messages a day with forged e-mail addresses. His valid e-mail rate is likely to be less than 1 percent. His delivery rate is likely to be up to 10 percent of that 1 percent, depending on how good he is. Which still adds up to a sizable number. But his costs are very low. If he does a botnet or an open relay, his costs are even lower.
When the spammer has delivered a fraction of a fraction of 1 percent, maybe 2 percent to 3 percent are going to buy the product he's selling. If he sells even 50 Rolexes a week out of several million spams sent, you see his profits?
Do you ever interact with spammers personally?
Ramasubramanian: Some here or there. Mostly through e-mail. I have seen one or two people I consider spammers attend antispam conferences.
I tend not to see spammers all that often, which is probably a relief for my blood pressure.
What's the closest you've ever come to saying, "I give up--I can't handle this anymore?"
Ramasubramanian: I came in at 9:30 one morning and left at 10 the next morning. As soon as I was going to leave--pretty late, around 9 in the evening--we got this massive spam run come in. I was doing regular sysadmin (work) then, around 2001. I spent the rest of the bloody night doing stuff to block this guy.
This was before our systems were as refined as they are now. A lot of it was a bit more manual than I'd like it to be. When you've got a spam run coming in real time, the best person to (handle it is the one there in person). Now I like working, and I like my job, but 25-hour workdays are just too much.
Sometimes, I have a really bad nightmare: I have a mail server that's full of spam. I've been having those nightmares for ages.
