According to Meng Weng Wong, co-founder and CTO of Pobox.com, who led the development of SPF (Sender
Policy Framework, the most widely deployed e-mail anti-forgery technology), fighting
spam has been like playing whack-a-mole. “As soon as you write an
anti-spam rule, someone quickly finds a way around it.” But there’s light
at the end of the tunnel.
Meng, who will be a panelist at the INBOX Email event in
San Jose, CA June 2-3, says the answer is to adopt a guilty-until-proven-innocent
mentality. “Instead of having to accept every single message, we need to
only accept those we know are from good people,” Meng said. He
acknowledges that this seems like a hard line to take when you consider that the
Internet was built on openness, but with what the statistics are telling us (eight
out of ten messages users receive are spam) something has to be done. “A
technological orientation where we reject the message by default unless we have
a good reason to accept it makes sense.”
One drawback to this philosophy is the possibility of false
positives, and the classic case is forwarding. SPF checks the IP address of the
server that actually hands the message to the receiving MTA, so a message relayed
through a third-party forwarder arrives from an address the original sender’s domain
never authorized. (To keep SPF passing, the forwarding MTA has to rewrite the
envelope sender address to one in its own domain, for example with the Sender
Rewriting Scheme, SRS.) Meng acknowledges these drawbacks: “The implementations
of the authentication technologies are not perfect but we’re working on
that.” And working on that means doing his best to get authentication
technologies out there. These include SPF; Microsoft’s SenderID,
a specification that Microsoft created by merging its Caller ID for E-mail
proposal with SPF; and Yahoo’s DomainKeys,
a proposal that lets receiving mail servers verify both the
domain of each e-mail sender and the integrity of the message, by checking a
cryptographic signature against a public key the sending domain publishes in DNS.
A complete sender-authentication strategy has three layers:
- Authentication
- Reputation
- Accreditation
Authentication
Authentication systems such as SPF rely on domain owners to publish, in DNS, the
servers from which legitimate mail for that domain may be sent. When a message
arrives, the receiving server looks up the record for the domain in the envelope
sender address and checks whether the IP address of the connecting server is on
that list. If it is, the message is authenticated; if the domain publishes a
record and the server is not listed, authentication fails. Its purpose is twofold, according to Meng.
“It prevents the bad guy from pretending to be a good guy, and it lets the
good guy definitively say who they are and get their e-mail through.”
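How that check actually runs, and the forwarding problem described earlier, as an added example in Python that is not code from Pobox.com or the SPF project. DNS lookups are replaced by a constructed table of SPF records (documentation address ranges only), the SRS_SECRET and srs_rewrite helper are stand-ins for a real forwarder’s Sender Rewriting Scheme, and only the ip4, ip6, include and all mechanisms are evaluated:

```python
"""Simplified SPF check plus the forwarding problem and an SRS-style fix.

Added example, not code from Pobox.com or the SPF project. DNS is replaced
by the constructed SPF_RECORDS table so it runs offline; only the ip4, ip6,
include and all mechanisms are implemented.
"""
import base64
import hashlib
import hmac
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains and addresses are
# documentation ranges, not real mail infrastructure.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None (offline lookup)."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(client_ip, sender_domain, _depth=0):
    """Evaluate sender_domain's SPF record against the connecting client IP.

    The receiving MTA calls this with the IP of the SMTP client and the domain
    of the envelope sender (MAIL FROM), not the From: header.
    """
    if _depth > 10:                      # cap on nested include lookups
        return "permerror"
    record = lookup_spf(sender_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                  # a matching mechanism means "pass" unless prefixed
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            want = 4 if name == "ip4" else 6
            if ip.version == want and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(client_ip, arg, _depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and redirect= need live DNS and are skipped here
    return "neutral"                     # nothing matched and no "all" term


SRS_SECRET = b"constructed-secret"       # assumption: the forwarder's private key


def srs_rewrite(envelope_sender, forwarder_domain, timestamp="TT"):
    """Rewrite the envelope sender the way an SRS0-style forwarder does.

    The original address is folded into the local part (so bounces can be
    reversed) and the domain becomes the forwarder's, which is the domain the
    next hop's SPF check will look up. The timestamp is fixed here; real SRS
    encodes the current day.
    """
    local, _, domain = envelope_sender.partition("@")
    mac = hmac.new(SRS_SECRET, f"{timestamp}{domain}{local}".lower().encode(),
                   hashlib.sha1).digest()
    tag = base64.b64encode(mac)[:4].decode()
    return f"SRS0={tag}={timestamp}={domain}={local}@{forwarder_domain}"


def forwarding_scenario():
    """Mail from alice@example.com, delivered directly and via a forwarder."""
    sender = "alice@example.com"
    results = {}
    # 1. example.com's own server (192.0.2.25) delivers to the final MTA.
    results["direct"] = check_spf("192.0.2.25", "example.com")
    # 2. A forwarder at 203.0.113.5 relays the message unchanged: the final
    #    MTA sees the forwarder's IP with example.com's envelope sender.
    results["forwarded_unchanged"] = check_spf("203.0.113.5", "example.com")
    # 3. The forwarder rewrites the envelope sender to its own domain first.
    rewritten = srs_rewrite(sender, "forwarder.example")
    results["rewritten_sender"] = rewritten
    results["forwarded_srs"] = check_spf("203.0.113.5", rewritten.split("@")[1])
    return results


if __name__ == "__main__":
    for name, value in forwarding_scenario().items():
        print(f"{name}: {value}")
```

The three scenario results are the whole forwarding story: direct delivery passes, the unchanged forward fails on example.com’s `-all`, and the SRS-rewritten forward passes because the check now runs against the forwarder’s own record. Note that the rewrite only helps if the forwarder actually publishes SPF for its domain.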
Reputation
The problem with basic authentication techniques is that
spammers can authenticate themselves too: for example, they can go out and publish
an SPF record for a domain they own. “But that’s OK,” says Meng. “We kind of expected
that. It’s like a chess game now, staying one step ahead of your
opponent.” The reputation step comes in after someone is authenticated, and
authentication is what makes it workable: once a domain can no longer be forged, a
reputation can be attached to it. Reputation determines whether the sender is a
known spammer, a known legitimate sender, or
a sender whose legitimacy is unknown. “You can distinguish between an
aol.com, which doesn’t send spam, and an amazingoffer326.com, which does.”
Basically, if you earn a “bad rep” you are added to a blacklist. It’s
the ability to distinguish between good guys and bad guys.
Accreditation
So what happens if you don’t have a reputation? In other
words, you’re new and no one knows if you’re a good guy or a bad guy. Accreditation
basically says, “If you’re a good guy then you have to take an action that
sets you apart from the spammers.” There are accreditation providers, such
as BondedSender.com, that vouch for
the reputation of senders based on their own reputation analysis. Some of
these require senders to pay to be listed.
The next step for IT?
Meng recommends that IT managers start thinking about the
authentication technologies that are being deployed. “You need to be
thinking about SPF, about SenderID–the technology is lightweight, easy to
implement, and doesn’t require any additional equipment. You need to think
about DomainKeys, which is a little bit more work but worth doing since it will
enable you to sign your mail.”
Meng recommends doing all the research you can. Attend
conferences, such as the INBOX event which
will cover what has been learned from sender authentication deployments so far,
and what you should be considering for your own organization. Read white papers
and visit the Yahoo and Microsoft product sites for more in-depth
information.