I had a watershed moment last week – I received spam that contained only a single PDF file. I have never had this stuff before, but I have a feeling more is on the way.
Fortunately, the developers of the spam filter I use – the Anti Spam SMTP Proxy (ASSP) – appear to be on the case and eager to help solve the problem. The trouble is, solving this one issue will only create new problems.
For example, when a greylisting feature was added to ASSP about 18 months ago, it proved effective, cutting my personal spam from about 85 percent to about 60 percent. But greylisting has become such a common feature in most spam filters that some spammers have already updated their software to deal with it.
In short, the more popular an anti-spam solution becomes, the more likely it is that spammers will try to defeat it.
The interesting thing about the Sender Policy Framework (SPF – the protocol used to eliminate email forgeries) is that this “less is more” rule doesn’t hold true. The only thing spammers can do to bypass SPF filtering is to register more legitimate domains from which to send their mail. People could then block those domains, either by manual methods or, more likely, by having their spam filter automatically update itself from a spam blacklist.
This would mean the newly registered domains would only be effective until they were spotted and added to the blacklists, something that would probably take less than a few hours. Registering domains wouldn’t be popular with spammers because they cost money and are traceable.
Some argue there is no point using technologies such as SPF if there are too few email service providers signed up to it. While this is partly true, there are already some notable exceptions, including AOL and Google’s Gmail. And while spam filters probably can’t use an SPF “fail” result to positively identify spam, they can use an SPF “pass” result as an indicator that the mail is not spam.
Previously, SPF has also been criticised for not handling mail-forwarding very well. Messages that were forwarded from domains using SPF to mail servers also using SPF would be rejected. However, the complementary Sender Rewriting Scheme (SRS) deals with this problem.
Admittedly, implementing SPF and SRS is a little more complicated than installing a basic spam filter. A company would need to update its DNS servers with appropriate records, for example. But this is not too onerous, and most organisations would probably agree it is a price worth paying to reduce the volume of spam in their users’ mailboxes.
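To make the forwarding problem and the SRS fix concrete, here is an added example (not code from ASSP or from any SPF/SRS library). It evaluates a minimal SPF check for a message sent directly, forwarded unchanged, and forwarded with an SRS-style rewritten envelope sender. The domains, IP addresses, secret and day stamp are constructed, and the tag and timestamp encoding are simplified rather than compatible with real SRS implementations.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: SPF TXT records by domain, using documentation IP ranges.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
SRS_SECRET = b"constructed-demo-secret"  # assumption: held only by the forwarder
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate only ip4 and all mechanisms against the envelope sender's domain."""
    record = SPF_RECORDS.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all" or (mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:])):
            return QUALIFIERS[qualifier]
    return "neutral"

def _tag(day_stamp, domain, local):
    return hmac.new(SRS_SECRET, f"{day_stamp}={domain}={local}".encode(), hashlib.sha1).hexdigest()[:8]

def srs_forward(mail_from, forwarder_domain, day_stamp):
    """Rewrite the envelope sender into the forwarder's own domain (SRS0-style layout)."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={_tag(day_stamp, domain, local)}={day_stamp}={domain}={local}@{forwarder_domain}"

def srs_reverse(srs_address, forwarder_domain):
    """Recover the original sender for a bounce; None if the address was not issued here."""
    local_part, domain = srs_address.rsplit("@", 1)
    fields = local_part.split("=", 4)
    if domain != forwarder_domain or len(fields) != 5 or fields[0] != "SRS0":
        return None
    _, tag, day_stamp, orig_domain, orig_local = fields
    if not hmac.compare_digest(tag.encode(), _tag(day_stamp, orig_domain, orig_local).encode()):
        return None
    return f"{orig_local}@{orig_domain}"

def demo():
    sender, relay_ip = "alice@sender.example", "198.51.100.7"
    rewritten = srs_forward(sender, "forwarder.example", "AB")
    # Order: direct delivery, forwarded unchanged, forwarded with SRS, bounce address recovered.
    return (check_spf("192.0.2.10", sender), check_spf(relay_ip, sender),
            check_spf(relay_ip, rewritten), srs_reverse(rewritten, "forwarder.example"))
```

The keyed tag is what stops the forwarder from becoming an open bounce relay: an SRS address it did not issue fails verification and is not reversed.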





