[IP] E-Mail Providers Devising Ways to Stop Spam
E-Mail Providers Devising Ways to Stop Spam
By Jonathan Krim
Washington Post Staff Writer
Thursday, October 30, 2003; Page E01
Congress recently edged closer to passing the nation's first law to curb
e-mail spam, but those who work under the Internet's hood are attacking the
problem from another angle.
Rather than trying to flag and prohibit unsavory messages, as a Senate bill
that passed last week would attempt, they are tinkering with the technical
architecture of e-mail so that computers will be able to recognize good mail.
Then, the theory goes, it is a relatively simple matter to block all other
e-mail from getting through.
For the past nine months, several separate initiatives by technologists at
e-mail and Internet provider companies have sought to crack the problem,
but solutions have been elusive. A major hurdle is that spammers exploit
the very attributes of e-mail that help make it popular: Anyone can send
mail directly to anyone else and can do so anonymously if they choose.
The result is that it can be difficult to sort good from bad. Not only can
spammers devise fictitious Internet addresses to mask their locations, but
increasingly they are forging the addresses of legitimate individuals and
companies.
Now, efforts to make such identity "spoofing" more difficult are beginning
to yield results. The software code for one such approach, put forth by a
small e-mail account company in Philadelphia, was made available this week.
Meanwhile, a trade group of direct e-mailers issued a blueprint for its
system last month.
And Microsoft Corp., America Online, Yahoo Inc. and EarthLink Inc. -- the
top Internet provider and e-mail account companies that joined together to
work on the problem last spring -- are close to an announcement on a
"trusted sender" system.
"We have to allow legitimate senders of e-mails to distinguish themselves
from spammers," said Harry Katz, a program manager at Microsoft.
The approaches by the different groups vary, but they all hinge on
retooling e-mail so that servers -- the computers that power networks of
other computers -- can mark mail that is sent as trusted and identify those
same characteristics when the e-mail is received.
"The impunity of anonymity" for bulk mailing must be stopped, said J.
Trevor Hughes, executive director of the Network Advertising Initiative, a
consortium of companies that do bulk e-mailing for firms marketing products
and services.
Last month, the group unveiled the first outlines of a plan, dubbed Project
Lumos, to certify e-mail and to electronically measure the reputations of
bulk mailers.
Like other initiatives, the plan relies on bulk e-mailers voluntarily
adopting a set of technical standards for adding information to the
"header" portion of a message, which provides routing information for the
Internet's e-mail system.
Internet account providers such as AOL, Yahoo, Microsoft and EarthLink
would adjust their incoming mail servers to recognize the new information
and block mail sent in bulk that does not include the information.
To be certified, bulk mailers would have to agree to abide by rules that
would require them to take certain actions, such as providing easy ways for
consumers to stop getting messages. The system also creates an electronic
scoring system that rates mailers based on the number of complaints they
receive for failing to comply with the rules, and incoming mail servers
could block mail from mailers with low compliance.
The proposal and other such efforts are being followed closely by a loose
federation of organizations that govern the Internet's plumbing.
"Project Lumos is a well-thought-out proposal," said Paul Q. Judge, chief
technology officer for CipherTrust Inc., a Georgia-based e-mail security
firm. He also is co-chairman of the Anti-Spam Research Group, one of many
such groups under the umbrella of the Internet architecture board.
Another system, known as SPF, for senders permitted from, simply seeks to
stop spammers from hiding behind fictitious Internet addresses or forging
the addresses of others, a tactic known as "Joe-jobbing."
"People get Joe-jobbed every day," said Meng Wong, chief technology officer
and founder of Pobox.com, a Philadelphia-based e-mail account provider.
"Spammers forge their e-mail address and then send huge spams. The only
thing their [Internet provider] can do is to shut off their mail."
Under Wong's system, companies that operate outgoing mail servers would
electronically "publish" the numeric Internet addresses of all confirmed
machines that send mail from its domain.
Every Internet-connected computer is assigned such an address by its
Internet account provider.
When an e-mail arrives that purports to be from an aol.com address, for
example, the incoming mail server could check to see whether it is indeed
coming from a numeric Internet location that AOL has assigned. If not, the
AOL address has been spoofed, and the mail would be rejected.
If AOL account holders are spamming, they can be easily found.
Wong acknowledged that his system would not work if a spammer is exploiting
a worm that allows him to actually commandeer another computer and launch
spam from that machine. In that case, the spam is coming from a legitimate
source, even though the owner has nothing to do with it.
Wong said that Internet providers have expressed interest in his system and
that one spam-blocking software company, SpamAssassin, will include it in
its next version.
Katz of Microsoft said that the working group of top Internet providers
plan to have an announcement of its system in the coming weeks.
Katz said that to be effective, any of these new initiatives will require a
"tipping point," or a threshold of participants after which a firm that did
not join in would be at risk of losing business.
A spokesman for America Online said that identifying good mail is "an
elixir, not a panacea." He added that his company remains committed to its
filtering system as well as to collaborative research on other approaches.
Hans Peter Brondmo, one of the technical architects of the Project Lumos
initiative and a senior vice president at bulk mailer Digital Impact Inc.,
said he does not know whose initiative will prevail, but he thinks the
first step will be an Internet address check along the lines of Wong's plan
by the end of this year.
But a broader solution is at least a year away, he said.
"I'm reasonably good with crystal balls, but not so good with timing,"
Brondmo said.
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/