With few junk e-mail filters supporting a protocol for verifying the source address of digital messages, spammers have adopted it themselves as a way to appear more legitimate, according to a report released on Wednesday.
The author of the study, e-mail services provider MX Logic, analyzed nearly 10 million bulk e-mail messages that it had filtered on behalf of its clients in late August. The company found that nearly a sixth of the sources of the junk messages used a protocol known as Sender Policy Framework (SPF) to certify that the e-mail addresses used in the messages were real.
While SPF has been touted as a way to stop spam, the data has shown that the true value of the protocol is more about preventing fraud, said Scott Chasin, chief technology officer of the Denver company.
"Authentication (with SPF) by itself is not a spam cure-all," Chasin said. "SPF—as it relates to having an impact on spam—will hurt only those who spoof domains. You are still going to need content filtering to see if the message was unsolicited."
SPF is one of two technologies currently being considered as part of a hybrid method, dubbed Sender ID, for certifying the source of e-mail messages. Another technology, Microsoft's Caller ID for E-mail, makes up the other half of the proposed standard. Because it used technology that Microsoft is attempting to patent, Sender ID may require that users sign a license from the software giant, which has angered many project groups in the open-source world.
That debate has caused many Internet engineers and mail administrators to take another look at SPF, created by Meng Wong, the founder of e-mail service firm Pobox.com.
The Internet Engineering Task Force, the technical committee creating the standard, debated the issues extensively over its e-mail list during the last two weeks.
MX Logic's Chasin argues that SPF does not really solve the problem of spam—at least not until there are supporting services to provide a measure of the reputation of the various e-mail senders.
"SPF is great at combating fraud such as phishing," he said. Phishing is the Internet scam that usually uses e-mail designed to look as if it came from an official organization, such as a bank or government agency, to elicit personal data. "Phishing attacks are all about spoofing someone's domain name."
The majority of the SPF users found that spam was coming from "gobbledygook" domain names, not from legitimate companies, he said.
Chasin argues that new services are needed to give e-mail recipients a measure of the reputation of the sender. Such services would basically certify that certain servers belong to "good" e-mail senders, allowing message-filtering software to classify such e-mail as legitimate.
"The e-mail filters could then let through legitimate e-mail," he said. "It would be 'guilty until proven innocent.'"