[IP] E-Mail Providers Devising Ways to Stop Spam

To: ip@xxxxxxxxxxxxxx
Subject: [IP] E-Mail Providers Devising Ways to Stop Spam
From: Dave Farber <dave@xxxxxxxxxx>
Date: Thu, 30 Oct 2003 10:40:17 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx


E-Mail Providers Devising Ways to Stop Spam

By Jonathan Krim
Washington Post Staff Writer
Thursday, October 30, 2003; Page E01

Congress recently edged closer to passing the nation's first law to curbe-mail spam, but those who work under the Internet's hood are attacking theproblem from another angle.

Rather than trying to flag and prohibit unsavory messages, as a Senate billthat passed last week would attempt, they are tinkering with the technicalarchitecture of e-mail so that computers will be able to recognize good mail.

Then, the theory goes, it is a relatively simple matter to block all othere-mail from getting through.

For the past nine months, several separate initiatives by technologists ate-mail and Internet provider companies have sought to crack the problem,but solutions have been elusive. A major hurdle is that spammers exploitthe very attributes of e-mail that help make it popular: Anyone can sendmail directly to anyone else and can do so anonymously if they choose.

The result is that it can be difficult to sort good from bad. Not only canspammers devise fictitious Internet addresses to mask their locations, butincreasingly they are forging the addresses of legitimate individuals andcompanies.

Now, efforts to make such identity "spoofing" more difficult are beginningto yield results. The software code for one such approach, put forth by asmall e-mail account company in Philadelphia, was made available this week.

Meanwhile, a trade group of direct e-mailers issued a blueprint for itssystem last month.

And Microsoft Corp., America Online, Yahoo Inc. and EarthLink Inc. -- thetop Internet provider and e-mail account companies that joined together towork on the problem last spring -- are close to an announcement on a"trusted sender" system.

"We have to allow legitimate senders of e-mails to distinguish themselvesfrom spammers," said Harry Katz, a program manager at Microsoft.

The approaches by the different groups vary, but they all hinge onretooling e-mail so that servers -- the computers that power networks ofother computers -- can mark mail that is sent as trusted and identify thosesame characteristics when the e-mail is received.

"The impunity of anonymity" for bulk mailing must be stopped, said J.Trevor Hughes, executive director of the Network Advertising Initiative, aconsortium of companies that do bulk e-mailing for firms marketing productsand services.

Last month, the group unveiled the first outlines of a plan, dubbed ProjectLumos, to certify e-mail and to electronically measure the reputations ofbulk mailers.

Like other initiatives, the plan relies on bulk e-mailers voluntarilyadopting a set of technical standards for adding information to the"header" portion of a message, which provides routing information for theInternet's e-mail system.

Internet account providers such as AOL, Yahoo, Microsoft and EarthLinkwould adjust their incoming mail servers to recognize the new informationand block mail sent in bulk that does not include the information.

To be certified, bulk mailers would have to agree to abide by rules thatwould require them to take certain actions, such as providing easy ways forconsumers to stop getting messages. The system also creates an electronicscoring system that rates mailers based on the number of complaints theyreceive for failing to comply with the rules, and incoming mail serverscould block mail from mailers with low compliance.

The proposal and other such efforts are being followed closely by a loosefederation of organizations that govern the Internet's plumbing.

"Project Lumos is a well-thought-out proposal," said Paul Q. Judge, chieftechnology officer for CipherTrust Inc., a Georgia-based e-mail securityfirm. He also is co-chairman of the Anti-Spam Research Group, one of manysuch groups under the umbrella of the Internet architecture board.

Another system, known as SPF, for senders permitted from, simply seeks tostop spammers from hiding behind fictitious Internet addresses or forgingthe addresses of others, a tactic known as "Joe-jobbing."

"People get Joe-jobbed every day," said Meng Wong, chief technology officerand founder of Pobox.com, a Philadelphia-based e-mail account provider."Spammers forge their e-mail address and then send huge spams. The onlything their [Internet provider] can do is to shut off their mail."

Under Wong's system, companies that operate outgoing mail servers wouldelectronically "publish" the numeric Internet addresses of all confirmedmachines that send mail from its domain.

Every Internet-connected computer is assigned such an address by itsInternet account provider.

When an e-mail arrives that purports to be from an aol.com address, forexample, the incoming mail server could check to see whether it is indeedcoming from a numeric Internet location that AOL has assigned. If not, theAOL address has been spoofed, and the mail would be rejected.


If AOL account holders are spamming, they can be easily found.

Wong acknowledged that his system would not work if a spammer is exploitinga worm that allows him to actually commandeer another computer and launchspam from that machine. In that case, the spam is coming from a legitimatesource, even though the owner has nothing to do with it.

Wong said that Internet providers have expressed interest in his system andthat one spam-blocking software company, SpamAssassin, will include it inits next version.

Katz of Microsoft said that the working group of top Internet providersplan to have an announcement of its system in the coming weeks.

Katz said that to be effective, any of these new initiatives will require a"tipping point," or a threshold of participants after which a firm that didnot join in would be at risk of losing business.

A spokesman for America Online said that identifying good mail is "anelixir, not a panacea." He added that his company remains committed to itsfiltering system as well as to collaborative research on other approaches.

Hans Peter Brondmo, one of the technical architects of the Project Lumosinitiative and a senior vice president at bulk mailer Digital Impact Inc.,said he does not know whose initiative will prevail, but he thinks thefirst step will be an Internet address check along the lines of Wong's planby the end of this year.


But a broader solution is at least a year away, he said.

"I'm reasonably good with crystal balls, but not so good with timing,"Brondmo said.



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] ARRL's "private game preserve"
Next by Date: [IP] more on busted selling off email addresses to spammers
Previous by thread: [IP] ARRL's "private game preserve"
Next by thread: [IP] more on busted selling off email addresses to spammers
Index(es):
- Date
- Thread