According to Meng Weng Wong, CTO and founder of Pobox.com, whose group developed Sender Policy Framework (SPF), fighting spam has been like playing whack-a-mole. "As soon as you write an anti-spam rule, someone quickly finds a way around it." But there's light at the end of the tunnel.
Meng says the answer is to adopt a guilty-until-proven-innocent mentality. "Instead of having to accept every single message, we need to only accept those we know are from good people," Meng said. He acknowledges that this seems like a hard line to take when you consider that the Internet was built on openness, but with the statistics telling us that eight out of ten messages users receive are spam, something has to be done. "A technological orientation where we reject the message by default unless we have a good reason to accept it makes sense."
One drawback to this philosophy is the possibility of false positives; another is forwarding. SPF is checked against the envelope sender (the return-path), so a forwarder that passes a message on with the original envelope sender intact will fail the destination's check, because the forwarder's server is not among those the original domain has authorised. To use SPF, the forwarding MTA has to rewrite the envelope sender to its own domain, which is what the Sender Rewriting Scheme (SRS) does. Meng acknowledges these drawbacks: "The implementations of the authentication technologies are not perfect but we're working on that." And working on that means doing his best to get authentication technologies out there. These include SPF, Microsoft's SenderID (which may have some legs left in it, despite suffering a serious setback last year), and Yahoo's DomainKeys, a proposal under which the sending domain signs each message with a private key and publishes the matching public key in DNS, giving email providers a mechanism for verifying both the domain of each email sender and the integrity of the messages sent.
The ideal sender-verification system has three layers:
- Authentication
- Reputation
- Accreditation
Authentication
Authentication systems rely on domain owners to publish, in DNS, the servers or addresses from which legitimate mail for that domain may be sent. When a message arrives, the receiving MTA looks up the policy for the domain the sender claims and checks the connecting server against it. If the sending server is one the domain has authorised, the message is authenticated; if it is not listed, authentication fails (and a domain that publishes no policy yields no result either way). Its purpose is twofold, according to Meng. "It prevents the bad guy from pretending to be a good guy, and it lets the good guy definitively say who they are and get their email through."
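To make the lookup concrete, here is a small SPF evaluator run against a constructed, offline DNS table, together with the forwarding case from above: the same message fails when a forwarder relays it unchanged and passes once the forwarder rewrites the envelope sender to its own domain in the style of SRS. This is an added example for this article, not Pobox's code or any real SPF library; every domain, address and record in it is made up (reserved example names and RFC 5737 test ranges), and the SRS hash and timestamp fields are placeholders. The record for the hypothetical spammer domain also evaluates to pass, which is exactly why authentication alone is not enough.

```python
"""Minimal SPF evaluator with an SRS-style forwarder rewrite.

Added example for this article, not Pobox's or any real SPF library's
code. All DNS data below is constructed; the domains are reserved
example names and the addresses come from the RFC 5737 test ranges.
"""
import hashlib
import hmac
import ipaddress

# Constructed DNS zone data: SPF TXT, A and MX records for hypothetical domains.
DNS = {
    "TXT": {
        # example.com authorises a /28, its MX hosts, and a bulk-mail provider.
        "example.com": "v=spf1 ip4:192.0.2.0/28 mx include:_spf.bulkmailer.example -all",
        "_spf.bulkmailer.example": "v=spf1 ip4:198.51.100.0/28 ~all",
        # A spammer can publish SPF too: authentication alone does not mean "good".
        "amazingoffer326.example": "v=spf1 ip4:203.0.113.0/24 -all",
        # A forwarding service that authorises its own A record.
        "forwarder.example": "v=spf1 a -all",
    },
    "A": {
        "mail.example.com": ["192.0.2.200"],
        "forwarder.example": ["198.51.100.200"],
    },
    "MX": {
        "example.com": ["mail.example.com"],
    },
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408 caps DNS-querying mechanisms at 10


def check_host(client_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms supported: all, ip4, a, mx, include (enough for the article).
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS["TXT"].get(domain.lower())
    if record is None:
        return "none"                       # domain publishes no policy
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "+" (pass)
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        target = arg.lower() or domain.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in DNS["A"].get(target, [])
        elif name == "mx":
            matched = any(str(addr) in DNS["A"].get(mx, [])
                          for mx in DNS["MX"].get(target, []))
        elif name == "include":
            # include matches only if the included policy yields "pass"
            matched = check_host(client_ip, target, depth + 1) == "pass"
        else:
            return "permerror"              # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                        # nothing matched and no "all" term


def evaluate_mail_from(client_ip, mail_from):
    """SPF is checked against the envelope sender (MAIL FROM / return-path)."""
    return check_host(client_ip, mail_from.rpartition("@")[2])


def srs_rewrite(mail_from, forwarder_domain, secret=b"constructed-secret"):
    """Simplified SRS0 rewrite: the forwarder puts its own domain in the
    envelope sender, so the destination checks the forwarder's SPF record
    rather than the original domain's. Hash and timestamp fields are
    illustrative placeholders, not the real SRS encoding."""
    local, _, orig_domain = mail_from.rpartition("@")
    tag = hmac.new(secret, f"{orig_domain}={local}".encode(), hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}=TT={orig_domain}={local}@{forwarder_domain}"


def forwarding_scenario(rewrite):
    """alice@example.com -> bob@forwarder.example -> final destination.
    The destination sees the forwarder's address as the connecting client."""
    forwarder_ip = "198.51.100.200"
    mail_from = "alice@example.com"
    if rewrite:
        mail_from = srs_rewrite(mail_from, "forwarder.example")
    return evaluate_mail_from(forwarder_ip, mail_from)


if __name__ == "__main__":
    print("direct from example.com MX:", check_host("192.0.2.200", "example.com"))
    print("via bulk mailer include:   ", check_host("198.51.100.5", "example.com"))
    print("spammer with valid SPF:    ", check_host("203.0.113.9", "amazingoffer326.example"))
    print("forwarded, no rewrite:     ", forwarding_scenario(rewrite=False))
    print("forwarded, SRS rewrite:    ", forwarding_scenario(rewrite=True))
```

The include mechanism only matches when the included policy returns pass, so a softfail inside the bulk mailer's record falls through to example.com's own `-all` and becomes a hard fail. That, and the forwarder case, are the two results practitioners most often misread when they see an SPF fail in a bounce.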
Reputation
The problem with basic authentication techniques is that spammers can authenticate themselves too: for example, they can go out and publish an SPF record. "But that's OK," says Meng. "We kind of expected that. It's like a chess game now, staying one step ahead of your opponent." The reputation step comes in after someone is authenticated. It determines whether the sender is a known spammer, a known legitimate sender, or a sender whose legitimacy is unknown. "You can distinguish between an aol.com, which doesn't send spam, and an amazingoffer326.com, which does." Basically, if you earn a "bad rep" you are added to a blacklist. It's the ability to distinguish between good guys and bad guys.
Accreditation
So what happens if you don't have a reputation? In other words, you're new and no one knows if you're a good guy or a bad guy. Accreditation basically says, "If you're a good guy then you have to take an action that sets you apart from the spammers." There are accreditation providers, such as BondedSender.com, that vouch for a sender's good behaviour based on their own reputation analysis. Some of these require that senders pay to be listed.
The next step for IT?
Meng recommends that IT managers start thinking about the authentication technologies that are being deployed. "You need to be thinking about SPF, about SenderID — the technology is light-weight, easy to implement, and doesn't require any additional equipment. You need to think about DomainKeys, which is a little bit more work but worth doing since it will enable you to sign your mail."
Meng recommends doing all the research you can, both to learn from the sender authentication deployments so far and to find out what you should be considering for your own organisation. Read white papers and visit the Yahoo and Microsoft product sites for more in-depth information.
Talkback
It's kind of funny to me that this article about stamping out spam has a big, intrusive, undesired, unsolicited advertisement that didn't allow me to access the information that I was looking for in a timely manner, making me less productive and less efficient...that kind of sounds like a description of spam, doesn't it??
I do agree with a lot of what Meng is saying, and have read many of the pros and cons of SPF, SenderID, DomainKeys etc.
There are problems with all of these, but they are problems that cannot be resolved. I think the biggest problem today is agreeing on a standard that everyone can stick to, whether it is SPF, Domain Keys or a combination of these and/or other techniques.
These solutions generally require implementation at the mail transport level so it is not going to be an overnight job! It will certainly take months and maybe even years to implement a solution at the transport level.
I am biased on this, but I do think we have a solution to the problem of spam. At ClearMyMail.com we have developed what we believe to be the world's first 100% successful spam solution. It has roots in many of the techniques Meng and other engineers have been trying to accomplish for the last few years, but does not require any of the massive transport level changes.
E-mail: info@clearmymail.com
Let me first say I am not an employee of ZDNet but I do get tired of the harping of the whole anti-ad brigade who are so incredibly naive in their understanding of how the web economy works and the difference between website ads and proper spam.
Firstly, the difference between ads in web pages and spam is spam is forced upon the user who has no choice but to download it if he wants to keep using his email address.
Secondly, further to the last point, the email address belongs to the user of the address; the user has the right to control how the email address is used. The ZDNet website belongs to *ZDNET*, therefore it is their right to decide what goes on the site. If someone doesn't like what is on the site they shouldn't visit it. ZDNet even has a proper attitude and respect towards their users by not using pop-ups, fly-ins and irrelevant flashing various get-rich, win-the-lottery type ads that drive so many of us mad. (Kudos to them for that!)
Thirdly, nobody forces anyone to visit this page; people do so of their own free volition. In fact, by visiting this page every user *has* actually "requested" every item on the page including the ads (find out exactly how a browser works if you want to appreciate the irony of this). I am tickled by the notion that the last poster accuses ZDNet of wasting his time when it was he who chose to visit the site when perhaps he could (should, if at work?) be doing something else.
Fourthly, the only reason why so many users are able to view such quality content online for free is precisely because of the ads.
Gosh it's awful I know, but I actually *like* the ads! They are not too obtrusive to my ability to read the content; they are relevant and inform me of products I might actually buy and benefit from as a computer enthusiast / professional.
So don't knock the ads, learn to love them for what they are, look at them, admire them as the only things keeping this great and informative site free and great for all of us. (One of them might actually provide you with a bargain one of these days if you keep your eyes open!)
Perhaps the only feasible alternative is for ZDNet to offer a parallel subscription service which allows the ads to be removed for readers who really don't like them?