Products alone won't win against increasingly nasty junk e-mail; Net users must raise awareness, say tech bigwigs.
SAN FRANCISCO—Internet users beware: Laziness has dire consequences.
As technology executives hunker down for a prolonged battle against spammers and virus writers, they caution that their products can only go so far to protect consumers against the proliferation of "phishing" scams and virus-spreading e-mails. Instead, they say, some of the responsibility for spam prevention is on the shoulders of Internet users.
"This is an awareness problem, not a product problem," Symantec CEO John Thompson said during a panel discussion keyed to the launch of CNET Editor at Large Esther Dyson's Release 1.0 Web site.
If Thompson is right, it's a problem not given to quick solution. Despite advances in the last couple of years, other executives on the panel—which took place Wednesday at the headquarters of News.com publisher CNET Networks—agreed that the tech industry has a long way to go in raising this awareness.
Some panel participants, such as Brad Garlinghouse, vice president of communication products at Yahoo, and Meng Weng Wong, founder of PoBox.com, floated the idea of primary e-mail providers such as Yahoo, Microsoft and America Online giving users incentives to be more careful about how they share information online and what they download.
"We, as an industry, can give you incentives not to be lazy," said Yahoo's Garlinghouse. "By working collectively we can attack this."
Spam, once merely a nuisance that clogged in-boxes, has evolved into a tool for criminals intent on stealing credit card numbers or launching viruses.
Congress and a few states have passed laws that would impose jail time for some offenders. On Tuesday, the legislature of Ohio passed a bill that could bring out-of-state spammers to trial and impose harsh financial penalties and jail sentences. The bill, which has yet to be signed by the governor, follows the example of the federal government's Can-Spam bill, which went into effect at the beginning of 2004. Can-Spam would impose punishments based on falsified e-mail headers and "sexually oriented" messages that are not properly labeled as such.
At the same time, e-mail providers are taking their own steps to battle spam, steps that aren't necessarily in line with one another.
Yahoo and Cisco Systems have both created e-mail systems that use digital signatures to verify the sender's authenticity, called "DomainKeys" and "Identified Internet Mail," respectively. While the two products compete against each other, the companies are in discussions to establish some common ground, according to Cisco executive David Rossetti.
Other providers, such as Microsoft and America Online, are trying to tackle e-mail authentication by cross checking addresses with domain name service records. The idea is to ensure that the "@yourbank.com" address in one's in-box jibes with the message's underlying, numbered Internet protocol address.
Microsoft in May merged its "Caller ID for E-mail" technology with Pobox.com's SPF, or "Sender Permitted From" approach.
Microsoft eventually retracted its changes after open-source groups; America Online, which supports SPF; and Wong's Pobox.com pulled their support for Sender ID. Wong himself has filed with the IETF to standardize SPF. Yahoo has also filed to standardize DomainKeys.
Despite disagreements on how to tackle the spam problem, industry executives agree that spam can never be fully eradicated. Instead, companies, service providers and consumers alike will need to make their own contributions to reduce and prevent spam from harming their computers.
"There is no silver bullet to this problem," said Richard Gingras, CEO of Goodmail.