<http://www.washingtonpost.com/ac2/wp-dyn/A41460-2004Nov10?language=printer> The Washington Post washingtonpost.com E-Mail Authentication Will Not End Spam, Panelists Say By Jonathan Krim Washington Post Staff Writer Thursday, November 11, 2004; Page E01 For consumers and businesses increasingly shaken by the growing onslaught of unwanted e-mail and the computer viruses and other nefarious hacking spam can bring, any hope for quick relief was soundly dashed yesterday during a government-hosted gathering of technology experts. Several executives and academics speaking at a forum sponsored by the Federal Trade Commission said criminals are already steps ahead of a major initiative by e-mail providers to counter those problems by creating a system to verify senders of e-mail. In theory, such an authentication system would make it harder for spammers to disguise their identities and locations in an attempt to avoid being shut down or prosecuted. But a majority of spam is launched by "zombies," or infected personal computers that are controlled by remote spammers. E-mail from a zombie looks as if it is coming from a legitimate source -- because it is. The owner of that source is simply unaware that his or her computer has been commandeered. "We'll be lucky if we solve 50 percent of the problem" with e-mail authentication, said Pavni Diwanji, chairman of MailFrontier Inc., a Silicon Valley provider of e-mail security systems. By some estimates, the problem is rapidly becoming a crisis. In the first half of this year, an average of 30,000 computers a day were turned into zombies, according to the computer security firm Symantec Corp. In addition to serving up unwanted or fraudulent messages, spam is used to deliver viruses and other malicious software code that can allow hackers to capture private data such as credit card or bank account numbers from personal computers. Hackers and spammers also have been able to exploit a lack of awareness among many computer users, tricking them into providing their passwords or account information in response to e-mails that appear to be coming from legitimate financial institutions or retailers, a tactic known as phishing. The information is then rapidly sold on a black market heavily populated by elements of organized crime in Eastern Europe, Asia and elsewhere. As incidents of the resulting identity fraud mount, "we're losing consumer confidence in this medium," said R. David Lewis, vice president of Digital Impact Inc., which provides bulk e-mail marketing services to large companies. Lewis and others said that if the public reaches a tipping point at which Internet commerce is no longer trusted, the economic consequences will be severe. Despite the authentication effort's shortcomings, none of yesterday's speakers suggested abandoning it, because it is seen as an essential building block for other solutions. But the forum demonstrated in stark terms the depth and complexity of the problem. Any e-mail authentication system, for example, would check that the block of Internet addresses assigned to an e-mail provider includes the specific numeric address of a sender of a piece of e-mail. Thus, a red flag would go up if a message seeming to come from bob@xyz-123.net is actually not coming from a computer that uses the xyz-123.net mail service. But Scott Chasin, chief technology officer of e-mail security firm MX Logic Inc., said the underlying Internet system that houses the necessary data is insecure and can be tricked by hackers. Chasin said the problem has been known for 10 years, but industry and Internet standard-setters have been unable or unwilling to fix the problem by encrypting the data. Getting agreement on an authentication system has been similarly difficult and is partly why the FTC held the summit. The major e-mail providers, America Online Inc., Microsoft Corp., Yahoo Inc. and EarthLink Inc., are still testing and pushing various plans. The Internet group assigned to endorse a standard disbanded recently, unable to resolve discord and uncertainty over whether licensing rights asserted by Microsoft would cut out a broad swath of organizations that use so-called open-source software. Chasin and other panelists also said the basic operating systems that power computers -- the most dominant of which is Microsoft Windows -- remain too vulnerable to hackers. He said a worm was recently discovered that lodges itself in Windows files and goes to work when a computer user tries to access the Web site of his or her bank. The malicious code automatically redirects the Web browser to a fake page that looks like the real thing. In this scenario, the user has not been duped by a fake phishing e-mail. Instead, the vulnerability in the operating system has allowed the code to redirect the user's browser to a phony page where a hacker can capture the user's name and password. Still, panelists insisted authentication is a vital first step. After that, they said, could come a system that evaluates the "reputation" of senders, perhaps using a process that marks good e-mail with an electronic seal of approval. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'