March 22, 2004 4:00 AM PST

Technology solution to slicing spam lags

Lawsuits filed by some of the Web's biggest players against junk e-mailers have portrayed an industry united in the war against spam--but there are few signs of collaboration in developing technology standards that could be more effective in slowing the deluge.

America Online, EarthLink, Microsoft and Yahoo scored a major publicity coup earlier this month, when they launched their first joint legal assault against spammers. The suits claim that hundreds of unnamed defendants sent messages using false e-mail addresses--a violation of the newly enacted federal Can-Spam Act.

News.context

What's new:
There are few signs of unity in developing technology standards that could be more effective in slowing the deluge of spam.

Bottom line:
While lawsuits are one way to target spammers, a technology solution is seen as being more effective. The major Net companies are working on separate solutions and say they hope to agree soon on a standard approach.

Behind the scenes, however, these same companies are struggling to find consensus on technology standards for addressing spam. Notably, three out of four members back competing proposals to rein in e-mail forgery, which ranks among the top frustrations of antispam enforcers.

The lawsuits, which came just shy of one year after the companies formed the group with the goal of stopping spam, have spurred some antispam experts to question what progress has been made on the crucial standards issue.

"It has begged the question: What's happened to the peace, love and singing kumbaya that was promised last April at the (Federal Trade Commission) Spam Forum?" where the joint initiative was announced, said Ray Everett-Church, chief privacy officer at ePrivacy Group.

Spam has become a consumer headache and corporate nightmare: It costs U.S. companies an estimated $1 billion per year in security, human resources and productivity. And various companies estimate that it comprises at least 50 percent--and possibly as much as 90 percent--of all e-mail.

In a major step toward broader cooperation in setting antispam technology standards, the Internet Engineering Task Force (IETF) recently agreed to expedite the formation of a working group devoted to a domain name system (DNS)-based e-mail authentication scheme.

But antispam advocates said the industry has shown surprisingly few signs of teamwork in pushing forward antispam standards to date.

In the months since AOL, Yahoo, Microsoft and EarthLink first announced their creation of the Anti-Spam Technical Alliance, little has come of it--at least publicly. If the coalition has been quiet as a group on the technology front, however, its members have been busy individually.

Yahoo has repeatedly discussed plans to support a proposed system, known as DomainKeys, for verifying the identity of an e-mail sender. AOL has recently begun testing a DNS-based system, formerly known as Sender Permitted From and recently renamed Sender Policy Framework (SPF). Microsoft, too, has developed its own system for identifying the origin of e-mail, called Caller ID for E-mail.

Other efforts have already launched to attack the problem, such as the Trusted E-mail Open Standard. But so far, they have failed to gain widespread adoption, partly because of the balkanized efforts.

"Sooner or later, we are going to see what is going to be a compromise proposal that includes elements from the more workable proposals being put forward--DomainKeys and SPF, for example," said Suresh Ramasubramanian, chief technical officer for Outblaze, which provides e-mail services for about 30 million people.

Coalition members said the group is committed to finding common solutions but admitted that progress has been slow, due in part to the complexity of the problem and a lack of conclusive research into the effectiveness of the competing proposals.

Microsoft spokesman Sean Sundwall said the group is working on various technical solutions to stop spam and meets almost weekly to devise a long-term plan for cooperation. "We're close to coming up with a road map to guide the industry on how we should solve this problem from a technical perspective," he said.

An AOL representative said the coalition is laboring to find a common technical approach. Members have largely agreed to test each other's proposed solutions, he said, but the group is still in the process of determining what works and what doesn't. "There's a lot more to the work we're doing, and we're hopeful...we can talk about that soon."

Representatives of Yahoo and EarthLink made similar comments, indicating that there was more to come on the technical front as to high-level solutions to the problem.

Forging ahead
Although coalition members say they are working toward consensus, it may take a considerable amount of time to reconcile their competing proposals.

Consider authentication, one of the biggest problems spam police face, thanks to holes in the current Simple Mail Transfer Protocol e-mail standard that make it easy to forge return addresses.

Forgeries have been used to stage "phishing" attacks aimed at fooling people into handing bank and credit card account information over to hackers, among other things.

"Because spammers can hide behind forgery, the audit trail is hazy," said Meng Wong, founder and chief technology officer of e-mail services company Pobox.com, who helped devise SPF. "When we establish accountability in e-mail, spammers will be much easier to prosecute."

At least four technical solutions to the problem have been proposed to date, with Yahoo, AOL and Microsoft each backing a different one.

SPF is a leading contender, having already been implemented by AOL and Google, and selected for review by the IETF. SPF is designed to change the DNS database so that e-mail servers can publish which Internet Protocol (IP) addresses they use to send mail.

ISPs receiving e-mail can instantaneously verify whether an e-mail originates from where it says it does. For example, an e-mail recipient would be able to look at an SPF record from AOL to ensure that e-mail appearing to originate from one of its servers--such as bob@aol.com--was actually sent from that address. The recipient would do this by using the SPF record to cross-check DNS data associated with AOL's IP addresses.

The Yahoo-backed DomainKeys authentication system is also gaining attention in spam-fighting circles. It is designed to authenticate the author, or the "from" header, by attaching encrypted "keys" or tags to every e-mail sent. One key is held in a public database and another key, which is private, is linked to the message. Once the message is delivered, the receiving Internet service provider matches up the private key to the public key held in the open database to verify the sender's identity. If the public key cannot corroborate the signature, the message could be easily tagged as spam.

Microsoft is leaning toward its own Caller ID for E-mail solution. Similar to SPF, the program is designed to authenticate e-mail by using the DNS, but it targets the author, or message headers, of the e-mail rather than the sender, or return-path field in the message envelope. Microsoft's Sundwall said Caller ID has a more "elegant" approach to difficulties in verifying the sender of forwarded messages--a known pitfall of SPF. (SPF has a technical add-on to deal with message forwarding.)

Sundwall said Microsoft believes that an encryption method will play a part in a long-term solution, but the jury's still out on whether DomainKeys is the answer.

A move toward standards
The IETF working group will consider technologies researched and developed by the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF). The proposals include AOL's Sender Policy Framework (SPF), the Designated Mailers Protocol (DMP), Reverse Mail Exchange (RMX), Designated Relays Inquiry Protocol (DRIP), MTAMark and Flexible Sender Validation (FSV).

One participant in the IETF's Seoul meeting, attended by about 120 people, said the group's work would likely draw more broad-based support than the proposal of any single company, specifically Microsoft's Caller ID proposal.

"The IETF has always played a founding role in mass adoption of Internet technologies," said Scott Chasin, chief technology officer of e-mail and antispam software provider MX Logic. "Microsoft's Caller ID proposal does embrace a licensed technology, and that brings up a lot of questions."

Chasin stressed that regardless of whether an open standard or a proprietary solution carried the day, even the most successful authentication scheme could only play a part in a complete antispam strategy.

"There has to be technology, education and legislation," Chasin said. "This won't be the silver bullet, but it will have a pretty big impact on spammers who send e-mail fraudulently."

CNET News.com's Paul Festa contributed to this report.

3 comments

I'm already using a better solution to SPAM.
Let the ISPs knock themselves out trying to out-hack the hackers, there's an easier solution that we can all practice right now. Simply, be familiar and specific in your subject and reply lines, and tell others who e-mail you to do the same.
Spammers have the hardest time faking specific e-mail subjects... all of their titles are very generic, like "Re: Your File." So don't be generic! Say something like "The Davidson Case file," that the recipient will instantly recognize as a viable subject. Or use a familiar personal or company name or nickname, that a spammer can't guess, but your recipient will recognize. And tell your friends that "Hi" in the subject line is no longer acceptable! Try "Hi from Craig B," or "Petey says hi," instead.
A familiar e-mail name and a specific and/or familiar subject line will take the guesswork out of 90% or more of e-mail. If we all start doing this, spam will be obvious the moment it shows up in your mailbox, and more easily removed or filtered out. I've already added a line to this effect on the bottom of my e-mails, to spread the word around.
Posted by Steve Jordan (126 comments )
Quick solution that works until a perm. fix is created
I used to open my inbox and have 300 - 400 junk emails in one night. I have had this email address for 7 years. The first 4 years, I received little junk mail, then one day it just exploded. 100 a day, 200 a day and so on. Then I found this

http://www.cloudmark.com/products/spamnet/

I still get junk mail but I never see it because it is moved to a folder in Outlook that I never have to look in. Some junk email still gets through the filter, but it is next to nothing, maybe 5 - 8 a day. That is incredible compared to 300 or more. This program is A++++. Been using it for 7 months with no complaints.
Posted by (1 comment )
Nothing new is needed.
We have become slack in enforcing standards like Name resolution. Instead of easing up on the rules so sloppy IT implementations get away with less than proper configuration, tighten up the slack and force companies to learn to set up IT the way it was designed. Case in point: MX records are becoming less and less used and only an A record is queried for a mail server's host name. And sometimes not even that when receiving mail. Using the HELO command, a mail server will respond with its FQDN which can be verified against the DNS entry for the MX record which also shows the IP address which the MX record resolves to. Verifying that the sender's domain portion of his E-mail address is the same domain which the IP address of the sending SMTP server, as resolved by the MX and PTR records using a DNS query, will stop nearly all E-mail with a bogus sender's E-mail address. We are looking for some Magic Bullet when all that is needed is to follow the rules and standards which we already have.

The founders of the Internet and WWW knew what they were doing and did it right. If users would simply obtain proper education for administering their IT, and we would stop letting those who haven't or won't obtain the knowledge needed to implement the rules and procedures we already have from getting by with sloppy work and poorly configured and maintained IT implementations, most of our problems would go away. Internet users have got to take responsibility or no amount of new technology is going to help. Nobody is looking at the user as a possible solution. The user has created the problems, then has to live with the mess. Why not let the user fix the same problems he caused through acting when unqualified to act. WHY DO WE REFUSE THIS APPROACH, when it is the only valid solution?
Posted by bjbrock (98 comments )
 
