I came across an interesting article yesterday on a new form of spam: using webmail providers’ Out-of-Office features to do a new type of backscatter spam. This is an excellent example of how unsecured messaging does not mix well with automated message generation capabilities. Any good Web developer can tell you that it’s a bad decision to blindly accept and process untrusted input, and yet SMTP bots (that’s what OOF functionality is at its core) do precisely that, thanks to the lack of a standard for verifying the authenticity of the sending identity and the integrity of the end-to-end message route. This is nothing new; this is the same variety of vulnerability that backscatter spam has been exploiting for years: target the NDR/bounce generation mechanism to do the dirty work for the spammers and send the paylod to the victim.
This new form of attack just underscores my growing conviction that our current system of email is going to be gradually supplanted by a variety of mechanisms for communicating with people outside of our organizations. There’s too big of a disconnect between “enterprise” features that business want from email and the inherent limitations of the current store-and-forward mechanism SMTP is built upon. And no, I’m not one of those people who thinks that pay-per-email schemes are the answer; what works well for physical, tangible products becomes quickly unworkable for virtual communications.
I don’t think there’s going to be One True Successor for SMTP, nor do I see SMTP going completely away any time soon (just as Usenet, despite all predictions, still manages to hang on for certain applications and communities). Dependable synchronous communications modes such as instant messaging, voice, and video will, I think, begin taking up a lot more of the message trafrfic currently carried by email. By avoiding store-and-forward asynchronous mechanisms, you reduce the opportunities that attackers and spammers have to forge and inject illegitimate communications into your users’ workspaces. Allowing users to decide which communications mode is best for them helps alleviate the pressure on email systems.