Collin Pruitt made a great post [COLLIN] about the communication that happens on the Internet. Email has been in active use since 1965. It hasn't gotten anywhere and is still using the same mechanism over and over. However, it now contains more SPAM than ever. In 2005, we would say that the ratio of legitimate emails to SPAM was 1:1, i.e. 50% was SPAM. The number keeps increasing, and now 92% of emails are SPAM!

What about Universitas Indonesia (UI)?

Well, to tell you the truth, we do have the same problem as people around the world. We are in a delicate position when it comes to emails: we often face a dilemma about which are legit and which aren't. The problem also arises from the behavior of people on the Internet and their sense of security. I find that many people have the same password across different systems. Worse, people even let other people know their passwords and many should-be-confidential things.

IT is supposed to help people, and making people remember some cryptic symbols is inconvenient. It would be cumbersome for people to generate passwords that comply with cracklib (usually a combination of numbers and letters). And it would not be okay if people had to change their passwords frequently. The relearning process is a big burden, and I myself am one of those who don't have that ability. (Though I'm forced to do those steps… 🙁 )

Unfortunately, the world is far harsher than we could imagine. People and machines target people at random. They forge information in order to steal. Many cracking (not hacking, mind you) styles come into play: buffer overloading, DDoS, viruses, malware, trojans, and so on are practiced indiscriminately. And the scariest of them all is social engineering. A typical social engineering attack obtains someone's ID and then uses it to steal others', and so on. This would be an interesting topic, but we may conclude by saying that email is one of them.

A compromised server, a compromised user login, even a compromised user's system can leave our email system in a devastated state. If just one element is weak, the whole system is in jeopardy. That's why I find that many people end up with the emails they send landing in the SPAM section, not the INBOX. This is not just UI, but the whole world. And if we are compromised even once, it takes time and email requests to many places to get our system forgiven: places like SpamCop, Spamhaus, etc. that store information about shady systems. Some places require us to pay them money to take us off their blacklist.

Because of how severe the punishment the Internet gives to compromised systems is, I find that many take some extreme preventive measures:

  1. Blocking incoming and outgoing emails from MSN (live.com), Gmail, Yahoo, or any public email service that has a bad reputation.
  2. Setting a corporate policy of only sending emails to trusted domains.
  3. Supervising emails using DNSBL, SpamAssassin, vendor-based solutions, and many other tools.
  4. Using DomainKeys and the like to authenticate messages.
  5. Manually checking them one by one.

These solutions lead to another problem. We end up in a situation where ham becomes SPAM (false positive) and SPAM becomes legit/ham (false negative). Both are fearsome, as we would lose important email and be prone to scams. The volume of emails is also a problem in terms of time and cost. Some vendors charge us based on volume, and even a trained eye lets unwanted emails slip through or accidentally deletes the wrong one.

We play cat and dog every minute! A virus could have an antidote in 15 minutes, but a new variant will be there in seconds. We may block a new pattern, but in a few minutes the SPAM can evolve to look as if it were important. This forces our system to have many rules to keep it out. One catch is that we can't enforce a uniform rule set. We are a public institution with a vast range of interests. So subjects that are forbidden for some are legitimate for others.

One simple example is medicine for a certain man's thing (Vgra, Cis, etc). It would be totally okay, maybe, in pharmacy and in health, but not in engineering, math, computer science, etc. Probably not okay in psychology and many others either. But there is another consideration: what if it was a personal thing that the person himself requested from the Net? Are we some kind of dictators who can forbid people from exercising their freedom? No, we don't have grounds for that. I myself don't like such restrictions. But what if people get annoyed by those messages?

The problem with current email protocols is that emails can easily be forged and sent as if they came from somewhere else. For instance, you are required to authenticate to SMTP to send emails, but you can forge headers in your email, especially the From header, and get it sent legitimately. In non-technical terms, you could forge your email as if you were sending it from Microsoft or Google when it was actually sent from an obscure SMTP server. BTW, no, you could not do that with our SMTP. (hehe :-P) But many compromised and/or open email gateways could.
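A receiving system can look for exactly this mismatch. The following is an added example, not code from the original post: it compares the From domain with the envelope sender (assumed to be recorded in Return-Path by the receiving server) and with DKIM d= domains (assumed already verified by an upstream filter). The sample messages are constructed, and the subdomain comparison is a simplification of a public-suffix-based check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dkim_domains(msg):
    """d= signing domains of all DKIM-Signature headers (not verified here)."""
    tags = (re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", v)
            for v in msg.get_all("DKIM-Signature", []))
    return [m.group(1).lower() for m in tags if m]

def aligned(a, b):
    """Simplified alignment: equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_from(raw):
    """Return (suspicious, reasons) for one raw message."""
    msg = message_from_string(raw)
    from_headers = msg.get_all("From", [])
    from_dom = domain_of(from_headers[0]) if len(from_headers) == 1 else ""
    if not from_dom:
        return True, ["missing, duplicated or unparsable From header"]
    envelope = domain_of(msg.get("Return-Path"))
    envelope_ok = aligned(from_dom, envelope)
    dkim_ok = any(aligned(from_dom, d) for d in dkim_domains(msg))
    reasons = []
    if not envelope_ok:
        reasons.append(f"envelope domain {envelope!r} != From domain {from_dom!r}")
    if not dkim_ok:
        reasons.append(f"no DKIM signature for From domain {from_dom!r}")
    # Suspicious only when neither sender identity backs the From header.
    return (not envelope_ok and not dkim_ok), reasons

# Constructed sample messages (all domains are placeholders).
FORGED = ("Return-Path: <bounce@obscure-relay.example>\n"
          'From: "Big Vendor Security" <security@bigvendor.example>\n'
          "Subject: Verify your account\n\nbody\n")
LEGIT = ("Return-Path: <news@mail.bigvendor.example>\n"
         "DKIM-Signature: v=1; a=rsa-sha256; d=bigvendor.example; s=s1;\n b=constructed\n"
         'From: "Big Vendor" <news@bigvendor.example>\n'
         "Subject: Newsletter\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("legit", LEGIT)):
        print(name, check_from(raw))
```
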

We have preventive systems such as DNSBL (Domain Name Server/DNS Blacklisted: a server that lists bad servers and bad patterns), Bayesian rules, tar pitting, etc. to put those SPAMs down (and, rarely, a false positive, unfortunately). These can be done because we are fortunate to have enough bandwidth to download information about SPAM from any DNSBL. But with the increasing population of SPAM and its sophistication in email communication, one may ask:

Is there no alternative to email?

Reference:

[COLLIN] Collin Pruitt. Does Email need to die? <http://collinp.com/index.php/2010/10/04/does-email-need-to-die/>