You’ve got mail – how to stop spam and reduce cyber crime

Imagine a world where spam didn’t exist. It isn’t hard to do. AJC1

We’ve all received them: emails offering special prices on Viagra, offering fortunes we didn’t know we had, offering links to fantastic websites we simply must visit right away.

Annoying as! But the technology to stop spam and other undesirable emails not only exists, it’s been around for years.

With cyber crime costing Australia more than a billion dollars a year, it’s well and truly time we did something to improve our defences. And what better way to start than by securing email: a piece of technology that most of us use every day.

Cyber crime for dummies

One of the easiest methods for carrying out cyber crime is to send an unsolicited or spam email which contains: a virus; an attempt to acquire an individual’s sensitive information (known as “phishing”); or some other mechanism for perpetrating internet crime.

The current worldwide email system is based on a standard called the Simple Mail Transport Protocol (SMTP) which was created in 1982 and last updated in 2008.

The system has served us well for decades, but it also allows fake emails to be sent and received with no way of tracing them to their point of origin.

In the last 30 years there have been a number of updates to SMTP, including two methods that can be used to improve security and fight spam.

Sign-in to send

The first update, released in 1995, was an extension of SMTP called SMTP-AUTH. This was introduced to allow authentication of email clients.

Say your email system at work uses SMTP-AUTH. Whenever your email client (such as Microsoft Outlook or Apple Mail) communicates with the server that stores, receives and sends your emails, the server would ask the client for a password.

In this way, all email traffic sent through an email server is authenticated and can be traced in the case of fake or malicious emails.

While SMTP-AUTH is a great idea in theory, it hasn’t been adopted in practice because many organisations use email systems that either don’t implement SMTP-AUTH correctly or don’t specify that it should be turned on.

Worryingly, it’s also possible to fake the credentials required by the SMTP-AUTH rules in an email message and to make matters worse mail servers may be setup on hijacked computers solely for the purpose of sending fake or malicious emails.

As a result, SMTP-AUTH is practically useless if used alone.

Spam … not always what the discerning customer wants.

Lockdown

The second extension to SMTP that can be used to fight spam – Secure SMTP (also known as SMTPS) – was introduced in 1997. SMTPS has the benefit of using the encrypted Secure Sockets Layer (SSL) communication protocol, an approach used to secure e-commerce and online banking services today.

If your workplace wanted to utilise SMTPS, it would need to:

  • Choose one of the many SSL certificate providers (such as VeriSign)
  • Complete a verification process to prove the identity of the business
  • Pay the price for the SSL certificate (around $50 a year)
  • Install the SSL certificate on the company’s email server

With the SSL certificate installed on the email server, all communication between the server and the client (and with other mail servers) would be both authenticated and encrypted.

Tracing spam and other nasties

With SMTPS implemented, spam and malicious emails can then be tracked back to the source email server.

If an email server is found to be the source of spam or other email-related criminal activities, the authorities could issue a notice to the company that owns the email server.

The notice would contain details of the infraction and identify actions to be taken to prevent the problem happening again.

If an email server is found to be a constant source of problem emails, the authorities could act to: fine the company that owns the email server or revoke the SSL certificate issued for the email server domain, thereby removing the email server from service.

Cyber crime is now a significant worldwide problem and every effort must be made to reduce or stop the problem: people’s lives are being negatively affected and the economy is being harmed.

The Australian Government must act to reduce internet crime. Implementing the mandatory use of SMTPS would be a good start.

The Australian Government could go one step further and send delegates to the United Nations – which controls the standards used for the internet – and lobby for the immediate introduction of SMTPS worldwide.

One step at a time though …