<<< Date Index >>>     <<< Thread Index >>>

[IP] E-Mail Providers Devising Ways to Stop Spam




E-Mail Providers Devising Ways to Stop Spam

By Jonathan Krim
Washington Post Staff Writer
Thursday, October 30, 2003; Page E01

Congress recently edged closer to passing the nation's first law to curb e-mail spam, but those who work under the Internet's hood are attacking the problem from another angle.

Rather than trying to flag and prohibit unsavory messages, as a Senate bill that passed last week would attempt, they are tinkering with the technical architecture of e-mail so that computers will be able to recognize good mail.

Then, the theory goes, it is a relatively simple matter to block all other e-mail from getting through.

For the past nine months, several separate initiatives by technologists at e-mail and Internet provider companies have sought to crack the problem, but solutions have been elusive. A major hurdle is that spammers exploit the very attributes of e-mail that help make it popular: Anyone can send mail directly to anyone else and can do so anonymously if they choose.

The result is that it can be difficult to sort good from bad. Not only can spammers devise fictitious Internet addresses to mask their locations, but increasingly they are forging the addresses of legitimate individuals and companies.

Now, efforts to make such identity "spoofing" more difficult are beginning to yield results. The software code for one such approach, put forth by a small e-mail account company in Philadelphia, was made available this week.

Meanwhile, a trade group of direct e-mailers issued a blueprint for its system last month.

And Microsoft Corp., America Online, Yahoo Inc. and EarthLink Inc. -- the top Internet provider and e-mail account companies that joined together to work on the problem last spring -- are close to an announcement on a "trusted sender" system.

"We have to allow legitimate senders of e-mails to distinguish themselves from spammers," said Harry Katz, a program manager at Microsoft.

The approaches by the different groups vary, but they all hinge on retooling e-mail so that servers -- the computers that power networks of other computers -- can mark mail that is sent as trusted and identify those same characteristics when the e-mail is received.

"The impunity of anonymity" for bulk mailing must be stopped, said J. Trevor Hughes, executive director of the Network Advertising Initiative, a consortium of companies that do bulk e-mailing for firms marketing products and services.

Last month, the group unveiled the first outlines of a plan, dubbed Project Lumos, to certify e-mail and to electronically measure the reputations of bulk mailers.

Like other initiatives, the plan relies on bulk e-mailers voluntarily adopting a set of technical standards for adding information to the "header" portion of a message, which provides routing information for the Internet's e-mail system.

Internet account providers such as AOL, Yahoo, Microsoft and EarthLink would adjust their incoming mail servers to recognize the new information and block mail sent in bulk that does not include the information.

To be certified, bulk mailers would have to agree to abide by rules that would require them to take certain actions, such as providing easy ways for consumers to stop getting messages. The system also creates an electronic scoring system that rates mailers based on the number of complaints they receive for failing to comply with the rules, and incoming mail servers could block mail from mailers with low compliance.

The proposal and other such efforts are being followed closely by a loose federation of organizations that govern the Internet's plumbing.

"Project Lumos is a well-thought-out proposal," said Paul Q. Judge, chief technology officer for CipherTrust Inc., a Georgia-based e-mail security firm. He also is co-chairman of the Anti-Spam Research Group, one of many such groups under the umbrella of the Internet architecture board.

Another system, known as SPF, for senders permitted from, simply seeks to stop spammers from hiding behind fictitious Internet addresses or forging the addresses of others, a tactic known as "Joe-jobbing."

"People get Joe-jobbed every day," said Meng Wong, chief technology officer and founder of Pobox.com, a Philadelphia-based e-mail account provider. "Spammers forge their e-mail address and then send huge spams. The only thing their [Internet provider] can do is to shut off their mail."

Under Wong's system, companies that operate outgoing mail servers would electronically "publish" the numeric Internet addresses of all confirmed machines that send mail from its domain.

Every Internet-connected computer is assigned such an address by its Internet account provider.

When an e-mail arrives that purports to be from an aol.com address, for example, the incoming mail server could check to see whether it is indeed coming from a numeric Internet location that AOL has assigned. If not, the AOL address has been spoofed, and the mail would be rejected.

If AOL account holders are spamming, they can be easily found.

Wong acknowledged that his system would not work if a spammer is exploiting a worm that allows him to actually commandeer another computer and launch spam from that machine. In that case, the spam is coming from a legitimate source, even though the owner has nothing to do with it.

Wong said that Internet providers have expressed interest in his system and that one spam-blocking software company, SpamAssassin, will include it in its next version.

Katz of Microsoft said that the working group of top Internet providers plan to have an announcement of its system in the coming weeks.

Katz said that to be effective, any of these new initiatives will require a "tipping point," or a threshold of participants after which a firm that did not join in would be at risk of losing business.

A spokesman for America Online said that identifying good mail is "an elixir, not a panacea." He added that his company remains committed to its filtering system as well as to collaborative research on other approaches.

Hans Peter Brondmo, one of the technical architects of the Project Lumos initiative and a senior vice president at bulk mailer Digital Impact Inc., said he does not know whose initiative will prevail, but he thinks the first step will be an Internet address check along the lines of Wong's plan by the end of this year.

But a broader solution is at least a year away, he said.

"I'm reasonably good with crystal balls, but not so good with timing," Brondmo said.


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/