According to Meng Weng Wong, CTO and founder of Pobox.com, whose group developed SPF (Sender Policy Framework—the most popular anti-forgery technology being used), fighting spam has been like playing whack-a-mole. "As soon as you write an anti-spam rule, someone quickly finds a way around it." But there's light at the end of the tunnel.
Meng, who will be a panelist at the INBOX Email event in San Jose, CA June 2-3, says the answer is to adopt a guilty-until-proven-innocent mentality. "Instead of having to accept every single message, we need to only accept those we know are from good people," Meng said. He acknowledges that this seems like a hard line to take when you consider the Internet was built on openness, but with what the statistics are telling us—eight out of ten messages, users receive are spam—something has to be done. "A technological orientation where we reject the message by default unless we have a good reason to accept it makes sense."
One drawback to this philosophy is the possibility of false positives and problems with forwarding. (To use SPF, the forwarding MTA has to rewrite the sender address.) Meng acknowledges these drawbacks: "The implementations of the authentication technologies are not perfect but we're working on that." And working on that means doing his best to get authentication technologies out there. These include SPF, Microsoft's SenderID (a new authorization specification that Microsoft created by merging its Caller ID product with SPF), and Yahoo's DomainKeys, a proposal that gives e-mail providers a mechanism for verifying both the domain of each e-mail sender and the integrity of the messages sent.
The ideal authentication technology has three qualities:
Authentication systems rely on domain owners to publish the servers or e-mail addresses from which legitimate mail from that domain can be sent. These lists of legitimate address-domain correlations are then checked when a message arrives. If the sending address matches the address that is related to that domain in the list, it's authenticated. If the address is not listed, authentication fails. Its purpose is twofold, according to Meng. "It prevents the bad guy from pretending to be a good guy, and it lets the good guy definitively say who they are and get their e-mail through."
The problem with basic authentication techniques is that spammers can authenticate themselves—for example, they can go out and publish an SPF record. "But that's OK," says Meng. "We kind of expected that. It's like a chess game now, staying one step ahead of your opponent." The reputation step comes in after someone is authenticated. It determines whether the sender is a known spammer, a known legitimate sender, or a sender whose legitimacy is unknown. "You can distinguish between an aol.com, which doesn't send spam and an amazingoffer326.com, which does. Basically if you earn a "bad rep" you are added to a blacklist. It's the ability to distinguish between good guys and bad guys.
So what happens if you don't have a reputation? In other words, you're new and no one knows if you're a good guy or a bad guy. Accreditation basically says, "If you're a good guy then you have to take an action that sets you apart from the spammers." There are accreditation providers—such as BondedSender.com—that vouch for the reputation of senders based on sophisticated reputation analysis. Some of these require that users pay to be listed.
The next step for IT?
Meng recommends that IT managers start thinking about the authentication technologies that are being deployed. "You need to be thinking about SPF, about SenderID—the technology is light-weight, easy to implement, and doesn't require any additional equipment. You need to think about DomainKeys, which is a little bit more work but worth doing since it will enable you to sign your mail."
Meng recommends doing all the research you can. Attend conferences, such as the INBOX event which will cover what has been learned from sender authentication deployments so far, and what you should be considering for your own organization. Read white papers and visit the Yahoo and Microsoft product sites for more in depth information.
Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.