March 22, 2004 4:00 AM PST
Technology solution to slicing spam lags
America Online, EarthLink, Microsoft and Yahoo scored a major publicity coup earlier this month, when they launched their first joint legal assault against spammers. The suits claim that hundreds of unnamed defendants sent messages using false e-mail addresses--a violation of the newly enacted federal Can-Spam Act.
There are few signs of unity in developing technology standards that could be more effective in slowing the deluge of spam.
While lawsuits are one way to target spammers, a technology solution is seen as being more effective. The major Net companies are working on separate solutions and say they hope to agree soon on a standard approach.
Behind the scenes, however, these same companies are struggling to find consensus on technology standards for addressing spam. Notably, three out of four members back competing proposals to rein in e-mail forgery, which ranks among the top frustrations of antispam enforcers.
The lawsuits, which came just shy of one year since the companies formed the group, with the goal of stopping spam, have spurred some antispam experts to question what progress has been made on the crucial standards issue.
"It has begged the question: What's happened to the peace, love and singing kumbaya that was promised last April at the (Federal Trade Commission) Spam Forum?" where the joint initiative was announced, said Ray Everett-Church, chief privacy officer at ePrivacy Group.
Spam has become a consumer headache and corporate nightmare: It costs U.S. companies an estimated $1 billion per year in security, human resources and productivity. And various companies estimate that it comprises at least 50 percent--and possibility as much as 90 percent--of all e-mail.
In a major step toward broader cooperation in setting antispam technology standards, the Internet Engineering Task Force (IETF) recently agreed to expedite the formation of a working group devoted to a domain name system (DNS)-based e-mail authentication scheme.
But antispam advocates said the industry has shown surprisingly few signs of teamwork in pushing forward antispam standards to date.
In the months since AOL, Yahoo, Microsoft and EarthLink first announced their creation of the Anti-Spam Technical Alliance, little has come of it--at least publicly. If the coalition has been quiet as a group on the technology front, however, its members have been busy individually.
Yahoo has repeatedly discussed plans to support a proposed system, known as DomainKeys, for verifying the identity of an e-mail sender. AOL has recently begun testing a DNS-based system, formerly known as Sender Permitted From and recently renamed Sender Policy Framework (SPF). Microsoft, too, has developed its own system for identifying the origin of e-mail, called Caller ID for E-mail.
Other efforts have already launched to attack the problem, such as the Trusted E-mail Open Standard. But so far, they have failed to gain widespread adoption, partly because of the balkanized efforts.
"Sooner or later, we are going to see what is going to be a compromise proposal that includes elements from the more workable proposals being put forward--DomainKeys and SPF, for example," said Suresh Ramasubramanian, chief technical officer for Outblaze, which provides e-mail services for about 30 million people.
Coalition members said the group is committed to finding common solutions but admitted that progress has been slow, due in part to the complexity of the problem and a lack of conclusive research into the effectiveness of the competing proposals.
Microsoft spokesman Sean Sundwall said the group is working on various technical solutions to stop spam and meets almost weekly to devise a long-term plan for cooperation. "We're close to coming up with a road map to guide the industry on how we should solve this problem from a technical perspective," he said.
An AOL representative said the coalition is laboring to find a common technical approach. Members have largely agreed to test each other's proposed solutions, he said, but the group is still in the process of determining what works and what doesn't. "There's a lot more to the work we're doing, and we're hopeful...we can talk about that soon."
Representatives of Yahoo and EarthLink made similar comments, indicating that there was more to come on the technical front as to high-level solutions to the problem.
Although coalition members say they are working toward consensus, it may take a considerable amount of time to reconcile their competing proposals.
Consider authentication, one of the biggest problems spam police face, thanks to holes in the current Simple Mail Transfer Protocol e-mail standard that make it easy to forge return addresses.
Forgeries have been used to stage "phishing" attacks aimed at fooling people into handing bank and credit card account information over to hackers, among other things.
"Because spammers can hide behind forgery, the audit trail is hazy," said Meng Wong, founder and chief technology officer of e-mail services company Pobox.com, who helped devise SPF. "When we establish accountability in e-mail, spammers will be much easier to prosecute."
At least four technical solutions to the problem have been proposed to date, with Yahoo, AOL and Microsoft each backing a different one.
SPF is a leading contender, having already been implemented by AOL and Google, and selected for review by the IETF. SPF is designed to change the DNS database so that e-mail servers can publish which Internet Protocol (IP) addresses they use to send mail.
ISPs receiving e-mail can instantaneously verify whether an e-mail originates from where it says it does. For example, an e-mail recipient would be able to look at an SPF record from AOL to ensure that e-mail appearing to originate from one of its servers--such as email@example.com actually sent from that address. The recipient would do this by using the SPF record to cross-check DNS data associated with AOL's IP addresses.
The Yahoo-backed DomainKeys authentication system is also gaining attention in spam-fighting circles. It is designed to authenticate the author, or the "from" header, by attaching encrypted "keys" or tags to every e-mail sent. One key is held in a public database and another key, which is private, is linked to the message. Once the message is delivered, the receiving Internet service provider matches up the private key to the public key held in the open database to verify the sender's identity. If the public key cannot corroborate the signature, the message could be easily tagged as spam.
Microsoft is leaning toward its own Caller ID for E-mail solution. Similar to SPF, the program is designed to authenticate e-mail by using the DNS, but it targets the author, or message headers, of the e-mail rather than the sender, or return-path field in the message envelope. Microsoft's Sundwall said Caller ID has a more "elegant" approach to difficulties in verifying the sender of forwarded messages--a known pitfall of SPF. (SPF has a technical add-on to deal with message forwarding.)
Sundwall said Microsoft believes that an encryption method will play a part in a long-term solution, but the jury's still out on whether DomainKeys is the answer.
A move toward standards
The IETF working group will consider technologies researched and developed by the Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF). The proposals include AOL's Sender Policy Framework (SPF), the Designated Mailers Protocol (DMP), Reverse Mail Exchange (RMX), Designated Relays Inquiry Protocol (DRIP), MTAMark and Flexible Sender Validation (FSV).
One participant in the IETF's Seoul meeting, attended by about 120 people, said the group's work would likely draw more broad-based support than the proposal of any single company, specifically Microsoft's Caller ID proposal.
"The IETF has always played a founding role in mass adoption of Internet technologies," said Scott Chasin, chief technology officer of e-mail and antispam software provider MX Logic. "Microsoft's Caller ID proposal does embrace a licensed technology, and that brings up a lot of questions."
Chasin stressed that regardless of whether an open standard or a proprietary solution carried the day, even the most successful authentication scheme could only play a part in a complete antispam strategy.
"There has to be technology, education and legislation," Chasin said. "This won't be the silver bullet, but it will have a pretty big impact on spammers who send e-mail fraudulently."
CNET News.com's Paul Festa contributed to this report.
3 commentsJoin the conversation! Add your comment