October 24, 2003 12:29 PM PDT
Antispam methods aim to merge
The Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF) early this month formed a subcommittee to hammer out differences between a number of competing protocols that all aim to do the same thing: verify that e-mail senders are who they say they are.
With the way things work now under the Simple Mail Transfer Protocol (SMTP), there is no widespread method for that kind of verification. That has led some to calls for the revision or replacement of the ubiquitous protocol.
Proposals for how to achieve e-mail verification without scrapping SMTP abound, and many of those proposals have found their way to the IRTF, which is affiliated with the Internet Engineering Task Force.
The idea behind the related schemes is to change the Domain Name System database so that e-mail servers can publish what IP addresses are associated with them. Internet service providers receiving e-mail can instantaneously verify whether an e-mail originates where it says it does.
The system, if successful, would protect e-mail server and individual address owners from having their addresses falsely suspected of sending spam.
Some efforts to attack the problem, such as the Trusted E-mail Open Standard, have already launched. But so far, they have failed to gain widespread adoption.
The problem of e-mail address spoofing is a fundamental obstacle to curbing spam, say ISPs and antispam companies. Spammers typically cover their tracks by hacking into unprotected e-mail servers, or open relays; by hijacking other e-mail servers; and by falsifying names and e-mail addresses in the e-mail sender field.
ASRG members sounded an optimistic note about the new unification subcommittee and the prospect of solving the spam problem with protocols, rather than legal curbs or economic disincentives that would force people to pay to send e-mail on a per-message basis.
"We can solve spam with a technical solution, rather than by going through the Congress or by implementing micropayments," said Meng Wong, founder and chief technology officer of Philadephia-based e-mail service provider Pobox.com, a backer of SPF and a member of the ASRG subcommittee. "We're all trying to come together on this. Because I think SPF offers a superset of functionality, we're probably going to wind up with something very similar to it by the end of the process."
Earlier this year, Pobox.com estimated that more than 70 percent of the e-mail it processed was spam.
Wong said sender verification systems would have to work in conjunction with some type of reputation system that would help recipients recognize known spammers' domains.
"Once you have reputation systems that work on the basis of domains, which spammers cannot forge, then no matter how many machines you hack into, you still have to use the spammer's domain," Wong said. "And that's how we'll get you."