Proposed Spam Blockers Are Still A Long Way Off

Anti-spam researchers are working on technologies designed to authenticate e-mail senders. Earlier this year, researchers predicted that solutions would be in place within months, but now those predictions appear overly optimistic, and researchers say it will take some time to produce tangible results.

One organization working on a sender-authentication mechanism is a commercial alliance comprising the biggest consumer e-mail providers: Microsoft, Yahoo, America Online and Earthlink. Another, the Anti-Spam Research Group, is made up of anti-spam researchers affiliated with the Internet's main technology standards body, the Internet Engineering Task Force. And a small vendor, ICS, in Bohemia, New York, is selling its own proprietary sender-authentication service.

The alliance, called the "big gorilla project" by ASRG members, formed in April to develop technology more quickly than its members believe the research body can. The alliance is proposing a method for authenticating an e-mail sender, and is seeking support for its ideas from other vendors and industry experts.

"What we really want to do is make sure that the Internet community is in agreement that this is a good solution, and an appropriate solution," Miles Libbey, anti-spam product manager for Yahoo Mail, said. "Certainly, we don't want to willy-nilly go implement something and then force it down the industry's throat."

Under the proposal, ISPs and any other organization with their own domain name system (DNS) would use a private key in their mail servers to place an encrypted code in the header of each piece of outgoing mail. When the mail arrived at its destination, the receiving mail server would get the sender's public key from its DNS server to decrypt the header, thus verifying the message's origin.
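The sign-and-verify flow described above, as an added example that is not code from the alliance or from the original article. It assumes a toy textbook-RSA key, a dictionary standing in for DNS, and a hypothetical header name `X-Example-Signature`; the proposal's real header and key format are not given on this page.

```python
import hashlib

# Toy textbook-RSA key built from two known Mersenne primes. Far too small and
# unpadded for real use; it only makes the sign/verify flow runnable offline.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, stays on the sending server

# Constructed stand-in for DNS: sender domain -> published public key (n, e).
PUBLIC_KEYS = {"example.com": (N, E)}
HEADER = "X-Example-Signature"  # hypothetical header name (assumption)


def digest(sender, body, n):
    """Hash the fields the signature covers, reduced into the key's range."""
    h = hashlib.sha256(f"{sender}\n{body}".encode()).digest()
    return int.from_bytes(h, "big") % n


def sign_outgoing(message):
    """Sending server: add a signature header made with the private key."""
    sig = pow(digest(message["From"], message["Body"], N), D, N)
    return {**message, HEADER: format(sig, "x")}


def verify_incoming(message):
    """Receiving server: look up the sender domain's public key and check."""
    domain = message["From"].rpartition("@")[2].lower()
    key = PUBLIC_KEYS.get(domain)
    if key is None or HEADER not in message:
        return "unsigned"  # nothing to verify; origin is not established
    n, e = key
    try:
        sig = int(message[HEADER], 16)
    except ValueError:
        return "fail"  # header present but not a valid signature value
    expected = digest(message["From"], message["Body"], n)
    return "pass" if pow(sig, e, n) == expected else "fail"
```

A "pass" only ties the message to the domain that published the key; whether that domain's mail is wanted is a separate reputation decision.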

If the message is spam, or even a legitimate marketing message the receiver doesn't want, then e-mail from that domain can be blacklisted, or automatically blocked. "Once you have identity, then you can establish reputation and trust," Libbey said. "Those are really important concepts in e-mail."

Yahoo has done some proof-of-concept testing of the idea internally, but the technology is still at the early stages of development and no timetable for general release has been set.

The ASRG is considering three major proposals: Reverse MX, Sender Permitted From and Designated Sender Protocol, said John R. Levine, co-chair of the organization.

"They're basically all variations on the same theme, which is the attempt to identify mail that's not coming from where it should," Levine said.

The technologies would allow a mail server receiving a message to query the domain that a message purports to be from, asking if the server that sent the mail is authorized to send from that domain. They would be add-ons to the existing Domain Name System.
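The query described above, as an added example that is not code from the ASRG or any of the three proposals. The record syntax is a simplified assumption modelled on the `ip4` and `all` mechanisms of SPF as it was later standardized, and the zone data is constructed.

```python
import ipaddress

# Constructed stand-in for the policy each domain would publish in DNS.
ZONE = {
    "example.com": "ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "ip4:203.0.113.0/28 ~all",
    "broken.example": "ip4:not-an-address -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail"}


def check_sender(mail_from, client_ip, zone=ZONE):
    """Is the connecting server authorized to send for mail_from's domain?"""
    domain = mail_from.rpartition("@")[2].lower()
    record = zone.get(domain)
    if record is None:
        return "none"  # domain publishes no policy; nothing can be concluded
    ip = ipaddress.ip_address(client_ip)
    for term in record.split():
        # An optional leading qualifier says what a match means; default is pass.
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term.lstrip("+-~")
        if mechanism == "all":
            return RESULTS[qualifier]  # catch-all for every other server
        name, _, value = mechanism.partition(":")
        if name != "ip4":
            return "permerror"  # unsupported mechanism in this simplified model
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed record; do not treat as a pass
        if ip in network:
            return RESULTS[qualifier]
    return "neutral"  # record ended without a catch-all
```

A receiver has to treat "none" and "permerror" differently from "fail": a domain that publishes nothing, or publishes a broken record, has not said the sender is forged.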

The group, however, is at least a year from getting one proposal to the IETF for consideration as an international standard. Levine wants each proposal to be implemented and tested so researchers can have actual data to compare.

"Once you've done that, then I think it makes sense to hand it to the IETF," Levine said. "That gives them something solid to work with and to move forward in the standards process."

In May, Levine's predecessor, Paul Judge, had said the ASRG expected some technologies from its anti-spam work to be deployed within months. Judge, who is also chief technology officer for e-mail filtering service provider CipherTrust, was "too optimistic," Levine said.

"Nothing surprising," Levine said. "Spam is a very complex problem. If there were simple solutions, we'd have solved it by now."

The ASRG has no staff and no budget, so work on technology can take time. "It's just a coordinating organization," Levine said. "So mostly, this is a way to get people with good ideas to come forward."

In the meantime, companies like ICS Networks, based in Bohemia, N.Y., are selling their own proprietary sender authentication services.

ICS calls its anti-spam technology Mail Authentication Protocol, which is part of the company's Mail Sentry security service.

The privately held company added MAP in June out of fear that it would lose customers if it didn't help them close the floodgates on spam. "They were all crying for an anti-spam solution," Steve Trupp, owner and president of ICS, said.

When a sender connects to an ICS mail server, MAP grabs the sender's e-mail address, determines the return route via a DNS lookup, connects to the mail server and validates the sender's address. If the mail server validates the address, the mail goes through; if it doesn't, the mail is rejected. Most of the time, the process takes less than a second, Trupp said.

"Across our entire customer base, we reject 50 percent of all e-mail messages, because either the sender's address is forged, false or unverifiable," Trupp said. "That number is more than 80 percent on weekends, which have been as high as 92 percent."

Financial services company CRT Capital is a customer of ICS Networks, and would certainly support any standards work underway to pummel spam. Joe DeMarsico, CRT director of information technology, is skeptical.

"I don't know how it's going to be implemented across the world easily or anytime soon," he said.

Indeed, even if Congress passes anti-spam laws with stiff penalties, DeMarsico wonders whether spammers can be controlled any more easily than the Internet itself. "It's really a brave new world out there," he said.

The amount of junk e-mail flooding the Internet with sleazy sales pitches for sexual-performance drugs, porn, debt reduction and weight loss is staggering. High-tech research firm Gartner predicts that spam will account for 60 percent of email traffic on the Internet by mid-2004.

The trashy messages are particularly troubling to Internet service providers that wage a never-ending battle to reduce the amount of spam reaching subscribers' inboxes. Consumers, on the other hand, are subjected to often-offensive content; and businesses are forced to spend money on software or service providers to filter incoming mail, hoping that needed messages aren't blocked by mistake.

"I just wish spam would go away," DeMarsico said.

This story courtesy of TechWeb.