Internet providers test ways to outsmart spam

R. A. Hettinga rah at shipwright.com
Sat Jul 24 23:11:58 PDT 2004


"A whitelist for my friends..."

...which, in the meantime, will probably suffice for the time being, at
least as far as Mr. Pareto is concerned.


Cheers,
RAH
"...all others pay cash."
When that 20% becomes 80% again, anyway...

--------
<http://www.post-gazette.com/pg/pp/04207/350858.stm>




Internet providers test ways to outsmart spam

Sunday, July 25, 2004
 By Chris Gaither, Los Angeles Times


 Be liberal in what you accept and conservative in what you send.

 That was the philosophy when computer scientists sent the first
electronic-mail messages over the Internet more than 30 years ago.

 At the time, the Internet was in its infancy, used by a few hundred
researchers at universities, government labs and high-tech companies.

 Today, hundreds of millions of people have e-mail addresses, and junk
e-mailers send out billions of messages every day. And Internet service
providers are racing to figure out how to force spammers to abide by that
old golden rule.

 Microsoft Corp., Yahoo Inc. and other companies are taking different
approaches, but they all have the same objective: finding a way to verify
that people who send e-mail are who they say they are.

 That would plug the biggest hole in Simple Mail Transfer Protocol, the
system that has been shuttling messages around the Net since 1983.

 The designers of SMTP knew their protocol didn't have a built-in
authentication system. But they saw no reason to worry.

 "There was very little attention paid to nasty people because we all knew
and trusted each other," said David Farber, an Internet pioneer who is now
a Carnegie Mellon University professor of computer science and public
policy. "It was understood that it was easy to forge mail, but who would
forge mail among your friends?"

 Spammers have taken full advantage of that oversight. They falsify their
names and reply-to addresses to bypass junk e-mail filters and trick
recipients into opening messages. They copy corporate logos to send fake
messages purporting to be from companies such as eBay and Citibank to fool
people into handing over their credit card numbers and other personal
information in so-called "phishing" attacks.

 "Accountability is really the missing link for many of the problems we
have on the Internet," said Phillip Hallam-Baker, principal scientist for
VeriSign Inc., the company that maintains the master list of commercial
Internet addresses.

 The Federal Trade Commission last month cited the lack of authentication
standards when it declined to create a "do-not-e-mail" registry modeled
after the "do-not-call" list for telemarketers. Without knowing for sure
who is sending a message, the FTC said, Internet service providers and
other spam fighters wouldn't be able to punish violators.

 The big Internet service providers don't agree on how to best fix the
authentication problem. Two systems being tested now are Yahoo's DomainKeys
standard and Sender ID, which is backed by Microsoft and the Pobox.com
e-mail service.

 Sender ID has attracted the most interest. It counts on the fact that
although e-mail headers are easy to forge, IP addresses -- the unique set
of numbers attached to every Internet domain -- are not.

 Here's how it works: A company like Amazon.com Inc. publishes its IP
address in a public database. When a message arrives that claims to be from
the online retailer, the recipient's e-mail program automatically checks
the information in the header and compares it with the information in the
database. If it matches, the message goes through. If it doesn't match, the
message is quarantined or blocked.

 ISPs including EarthLink Inc. and Time Warner Inc.'s America Online are
testing a component of Sender ID called SPF, or Sender Policy Framework.
AOL has started publishing the list of IP addresses from which it sends its
members' e-mail, so that other e-mail service providers can block messages
from spoofed AOL addresses.

 By the end of the summer, the country's biggest ISP hopes to begin
blocking e-mail that purports to come from companies often impersonated in
phishing attacks -- such as eBay's PayPal division -- but that can't be
verified as legitimate.

 Authenticating e-mail "is the single most important thing we can do to
enhance the SMTP," said Carl Hutzler, AOL's director of anti-spam
operations.

 DomainKeys takes an approach that is based on public-private key cryptography.

 Sent messages include an encrypted digital signature created by the e-mail
provider's private key. When the message arrives at the recipient's e-mail
server, the server checks a database for the sender's public key. If the
public and private keys match up, the signature can be decrypted, and the
sender's identity validated. If not, the message can be blocked by spam
filters.

 Yahoo began testing DomainKeys in March. The company said it planned to
implement it for outbound messages from its Yahoo Mail customers and at
least some incoming messages by the end of the year.

 If the ISPs succeed, e-mail marketers will have no choice but to
authenticate their messages to prevent them from being blocked. And if they
authenticate, ISPs and other spam fighters will be able to keep track of
senders and their reputations.

 Companies would be held accountable for the sending habits of their
employees, and ISPs would be responsible for their customers' e-mail. Those
that developed a reputation for generating spam could find their e-mail
blocked -- a situation that could force e-mail providers to ensure that
their customers' computers are secured, so spammers couldn't hijack them to
send junk mail.

 Legitimate e-mail marketers that allow recipients to remove themselves
from mailing lists and that obey other professional codes of conduct would
have their messages whisked around spam filters instead of getting blocked.

 Technologies like DomainKeys and Sender ID are needed to "take SMTP from
being dangerously wide open to being much more controlled," said Steve
Jillings, chief executive of FrontBridge Technologies Inc., a Marina del
Rey, Calif., e-mail security company that plans to implement Sender ID.

 The catch is that an authentication standard has to be widely adopted to
be effective. Getting companies across the world to agree on a standard and
implement it seems highly unlikely to technologists such as Carnegie
Mellon's Farber.

 But the future of e-mail depends on it, said Scott Weiss, chief executive
of the anti-spam company IronPort Systems Inc. "The innovation of e-mail
now needs to catch up with many of the rich features that have now been
rendered virtually unusable."

Copyright ©1997-2004 PG Publishing Co., Inc. All Rights Reserved.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




