Security threats Toolkit

Anti-spammers seek proof of senders' identity

Tags:
Authentication,
Smtp,
Protocols,
Verify

Paul Festa CNET News

Published: 27 Oct 2003 09:15 GMT

A new group will try to reconcile competing methods to thwart spam with a kind of caller ID for email.

The Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF) early this month formed a subcommittee to hammer out differences between a number of competing protocols that all aim to do the same thing: verify that email senders are who they say they are.

With the way things work now under the Simple Mail Transfer Protocol (SMTP), there is no widespread method for that kind of verification. That has led some to calls for the revision or replacement of the ubiquitous protocol.

Proposals for how to achieve email verification without scrapping SMTP abound, and many of those proposals have found their way to the IRTF, which is affiliated with the Internet Engineering Task Force.

These include Sender Permitted From (SPF), the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RMX). The ASRG's new subcommittee is charged with blending them into a single standard.

The idea behind the related schemes is to change the Domain Name System database so that email servers can publish what IP addresses are associated with them. Internet service providers receiving email can instantaneously verify whether an email originates where it says it does.

The system, if successful, would protect email server and individual address owners from having their addresses falsely suspected of sending spam.

Some efforts to attack the problem, such as the Trusted Email Open Standard, have already launched. But so far, they have failed to gain widespread adoption.

The problem of email address spoofing is a fundamental obstacle to curbing spam, say ISPs and anti-spam companies. Spammers typically cover their tracks by hacking into unprotected email servers, or open relays; by hijacking other email servers; and by falsifying names and email addresses in the email sender field.

ASRG members sounded an optimistic note about the new unification subcommittee and the prospect of solving the spam problem with protocols, rather than legal curbs or economic disincentives that would force people to pay to send email on a per-message basis.

"We can solve spam with a technical solution, rather than by going through the Congress or by implementing micropayments," said Meng Wong, founder and chief technology officer of Philadephia-based email service provider Pobox.com, a backer of SPF and a member of the ASRG subcommittee. "We're all trying to come together on this. Because I think SPF offers a superset of functionality, we're probably going to wind up with something very similar to it by the end of the process."

Earlier this year, Pobox.com estimated that more than 70 percent of the email it processed was spam.

Wong said sender-verification systems would have to work in conjunction with some type of reputation system that would help recipients recognise known spammers' domains.

"Once you have reputation systems that work on the basis of domains, which spammers cannot forge, then no matter how many machines you hack into, you still have to use the spammer's domain," Wong said. "And that's how we'll get you."