Stamping out spam
Published: 04 May 2005 13:00 BST
According to Meng Weng Wong, CTO and founder of Pobox.com, whose group developed Sender Policy Framework (SPF), fighting spam has been like playing whack-a-mole. "As soon as you write an anti-spam rule, someone quickly finds a way around it." But there's light at the end of the tunnel.
Meng says the answer is to adopt a guilty-until-proven-innocent mentality. "Instead of having to accept every single message, we need to only accept those we know are from good people," Meng said. He acknowledges that this seems like a hard line to take when you consider the Internet was built on openness, but with what the statistics are telling us (eight out of ten messages users receive are spam) something has to be done. "A technological orientation where we reject the message by default unless we have a good reason to accept it makes sense."
One drawback to this philosophy is the possibility of false positives, and the best-known source of them is mail forwarding. (Plain forwarding breaks SPF because the forwarder's server is not an authorised sender for the original domain, so the forwarding MTA has to rewrite the envelope sender address into its own domain, as the Sender Rewriting Scheme does.) Meng acknowledges these drawbacks: "The implementations of the authentication technologies are not perfect but we're working on that." And working on that means doing his best to get authentication technologies out there. These include SPF, Microsoft's SenderID (which may still have some legs in it, despite the collapse of its IETF standardisation effort last year), and Yahoo's DomainKeys, a proposal under which the sending provider signs each outgoing message with a key published in DNS, so that receivers can verify both the domain the message came from and the integrity of its contents.
A complete sender authentication scheme has three parts:
- Authentication
- Reputation
- Accreditation
Authentication
Authentication systems rely on domain owners to publish, in DNS, which servers (in the case of SPF and SenderID, which IP addresses) are allowed to send mail for that domain, or which key signs that domain's mail (in the case of DomainKeys). When a message arrives, the receiving mail server looks up the policy for the domain in the sender address and checks the connecting server, or the signature, against it. If the message came from a listed server, or carries a valid signature, it is authenticated; if not, authentication fails. Note that this only ties a message to a domain; it says nothing about whether that domain is trustworthy. Its purpose is twofold, according to Meng. "It prevents the bad guy from pretending to be a good guy, and it lets the good guy definitively say who they are and get their email through."
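As an added example, not code from Pobox or the SPF project, the following Python sketch shows what the check in the paragraph above amounts to for SPF, and also the forwarding problem mentioned earlier: a minimal SPF evaluator that looks up the sender domain's policy and tests the delivering server's IP address against it, followed by an SRS-style rewrite of the envelope sender that lets forwarded mail pass at the forwarder's own domain. DNS is replaced by a constructed in-memory table so it runs offline; every domain, address and key is hypothetical, the evaluator handles only the ip4, ip6, include and all mechanisms, and the SRS tag format is simplified from the real scheme.

```python
# Added example (not the SPF project's or Pobox's code): a minimal SPF
# evaluator plus an SRS-style envelope-sender rewrite for forwarders.
# DNS is replaced by a constructed in-memory table so it runs offline;
# every domain, address and key below is hypothetical.
import hashlib
import hmac
import ipaddress
import re

# Constructed "DNS": domain -> SPF TXT record (hypothetical policies).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "forwarder.example": "v=spf1 ip4:192.0.2.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender, depth=0):
    """Evaluate the SPF policy of the envelope sender's domain against the
    IP address of the SMTP client that delivered the message.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    domain = sender.rsplit("@", 1)[-1].lower()
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"          # domain publishes no policy: cannot authenticate
    if depth > 10:
        return "permerror"     # runaway include: chain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Address-vs-network membership; a v4 address never matches a v6 net.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_spf(client_ip, "postmaster@" + arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"           # included domain is unusable
            matched = sub == "pass"
        else:
            return "permerror"  # a/mx/ptr/exists need live DNS: not supported here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"            # no term matched and no "all" mechanism present


# Plain forwarding breaks SPF: the forwarder's IP is not in the original
# domain's policy.  An SRS-style rewrite moves the envelope sender into the
# forwarder's own domain and keeps the original address inside the local
# part, protected by an HMAC tag so bounce addresses cannot be forged.
SRS_SECRET = b"constructed-forwarder-secret"   # hypothetical per-forwarder key


def _srs_tag(payload):
    digest = hmac.new(SRS_SECRET, payload.encode(), hashlib.sha1).hexdigest()
    return digest[:4].upper()    # short tag, enough to reject casual forgery


def srs_forward(sender, forwarder_domain, timestamp="TT"):
    """Rewrite sender as SRS0=<tag>=<timestamp>=<orig domain>=<orig local>@forwarder."""
    local, _, domain = sender.rpartition("@")
    payload = f"{timestamp}={domain}={local}"
    return f"SRS0={_srs_tag(payload)}={payload}@{forwarder_domain}"


def srs_reverse(rewritten):
    """Recover the original sender for a bounce, or None if the tag is wrong."""
    local = rewritten.rpartition("@")[0]
    m = re.fullmatch(r"SRS0=([0-9A-F]{4})=([^=]+)=([^=]+)=(.+)", local)
    if not m:
        return None
    tag, timestamp, domain, orig_local = m.groups()
    if not hmac.compare_digest(tag, _srs_tag(f"{timestamp}={domain}={orig_local}")):
        return None              # tampered or forged SRS address
    return f"{orig_local}@{domain}"


def demo():
    """Walk the cases discussed in the text; returns a name -> result map."""
    rewritten = srs_forward("alice@example.com", "forwarder.example")
    return {
        "direct_from_authorised_host": check_spf("203.0.113.7", "alice@example.com"),
        "via_include_host": check_spf("198.51.100.10", "alice@example.com"),
        "spoofed_from_unknown_host": check_spf("198.18.0.1", "alice@example.com"),
        "forwarded_without_rewrite": check_spf("192.0.2.25", "alice@example.com"),
        "forwarded_with_srs": check_spf("192.0.2.25", rewritten),
        "srs_reversed": srs_reverse(rewritten),
        "no_policy_published": check_spf("10.0.0.1", "bob@nospf.example"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} {result}")
```

The "forwarded_without_rewrite" case is the false positive the article warns about: the message is genuine, but the forwarder's address is not in example.com's policy, so a receiver that rejects on SPF fail would bounce it. The rewritten address passes because it now belongs to forwarder.example, whose policy does list the forwarder; the tag lets the forwarder accept bounces to that address without becoming an open relay for forged ones.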
Reputation
The problem with basic authentication techniques is that spammers can authenticate themselves too; for example, they can go out and publish an SPF record for a domain they own. "But that's OK," says Meng. "We kind of expected that. It's like a chess game now, staying one step ahead of your opponent." The reputation step comes in after someone is authenticated. It determines whether the authenticated sending domain is a known spammer, a known legitimate sender, or a sender whose legitimacy is unknown. "You can distinguish between an aol.com, which doesn't send spam and an amazingoffer326.com, which does." Basically, if you earn a "bad rep" you are added to a blacklist. It's the ability to distinguish between good guys and bad guys.
Accreditation
So what happens if you don't have a reputation? In other words, you're new and no one knows if you're a good guy or a bad guy. Accreditation basically says, "If you're a good guy then you have to take an action that sets you apart from the spammers." There are accreditation providers, such as BondedSender.com, that vouch for senders they have vetted, in some cases after detailed analysis of the sender's mailing practices. Some of these require senders to pay to be listed.
The next step for IT?
Meng recommends that IT managers start thinking about the authentication technologies that are being deployed. "You need to be thinking about SPF, about SenderID — the technology is light-weight, easy to implement, and doesn't require any additional equipment. You need to think about DomainKeys, which is a little bit more work but worth doing since it will enable you to sign your mail."
Meng recommends doing all the research you can to make sure you learn from sender authentication deployments so far, and also to find out what you should be considering for your own organisation. Read white papers and visit the Yahoo and Microsoft product sites for more in-depth information.