E-Mail Providers Devising Ways to Stop Spam

[Dave Farber <dave () farber net>]

E-Mail Providers Devising Ways to Stop Spam

By Jonathan Krim
Washington Post Staff Writer
Thursday, October 30, 2003; Page E01

Congress recently edged closer to passing the nation's first law to curb 
e-mail spam, but those who work under the Internet's hood are attacking the 
problem from another angle.

Rather than trying to flag and prohibit unsavory messages, as a Senate bill 
that passed last week would attempt, they are tinkering with the technical 
architecture of e-mail so that computers will be able to recognize good mail.

Then, the theory goes, it is a relatively simple matter to block all other 
e-mail from getting through.

For the past nine months, several separate initiatives by technologists at 
e-mail and Internet provider companies have sought to crack the problem, 
but solutions have been elusive. A major hurdle is that spammers exploit 
the very attributes of e-mail that help make it popular: Anyone can send 
mail directly to anyone else and can do so anonymously if they choose.

The result is that it can be difficult to sort good from bad. Not only can 
spammers devise fictitious Internet addresses to mask their locations, but 
increasingly they are forging the addresses of legitimate individuals and 
companies.

Now, efforts to make such identity "spoofing" more difficult are beginning 
to yield results. The software code for one such approach, put forth by a 
small e-mail account company in Philadelphia, was made available this week.

Meanwhile, a trade group of direct e-mailers issued a blueprint for its 
system last month.

And Microsoft Corp., America Online, Yahoo Inc. and EarthLink Inc. -- the 
top Internet provider and e-mail account companies that joined together to 
work on the problem last spring -- are close to an announcement on a 
"trusted sender" system.

"We have to allow legitimate senders of e-mails to distinguish themselves 
from spammers," said Harry Katz, a program manager at Microsoft.

The approaches by the different groups vary, but they all hinge on 
retooling e-mail so that servers -- the computers that power networks of 
other computers -- can mark mail that is sent as trusted and identify those 
same characteristics when the e-mail is received.

"The impunity of anonymity" for bulk mailing must be stopped, said J. 
Trevor Hughes, executive director of the Network Advertising Initiative, a 
consortium of companies that do bulk e-mailing for firms marketing products 
and services.

Last month, the group unveiled the first outlines of a plan, dubbed Project 
Lumos, to certify e-mail and to electronically measure the reputations of 
bulk mailers.

Like other initiatives, the plan relies on bulk e-mailers voluntarily 
adopting a set of technical standards for adding information to the 
"header" portion of a message, which provides routing information for the 
Internet's e-mail system.

Internet account providers such as AOL, Yahoo, Microsoft and EarthLink 
would adjust their incoming mail servers to recognize the new information 
and block mail sent in bulk that does not include the information.

To be certified, bulk mailers would have to agree to abide by rules that 
would require them to take certain actions, such as providing easy ways for 
consumers to stop getting messages. The system also creates an electronic 
scoring system that rates mailers based on the number of complaints they 
receive for failing to comply with the rules, and incoming mail servers 
could block mail from mailers with low compliance.

The proposal and other such efforts are being followed closely by a loose 
federation of organizations that govern the Internet's plumbing.

"Project Lumos is a well-thought-out proposal," said Paul Q. Judge, chief 
technology officer for CipherTrust Inc., a Georgia-based e-mail security 
firm. He also is co-chairman of the Anti-Spam Research Group, one of many 
such groups under the umbrella of the Internet architecture board.

Another system, known as SPF, for senders permitted from, simply seeks to 
stop spammers from hiding behind fictitious Internet addresses or forging 
the addresses of others, a tactic known as "Joe-jobbing."

"People get Joe-jobbed every day," said Meng Wong, chief technology officer 
and founder of Pobox.com, a Philadelphia-based e-mail account provider. 
"Spammers forge their e-mail address and then send huge spams. The only 
thing their [Internet provider] can do is to shut off their mail."

Under Wong's system, companies that operate outgoing mail servers would 
electronically "publish" the numeric Internet addresses of all confirmed 
machines that send mail from its domain.

Every Internet-connected computer is assigned such an address by its 
Internet account provider.

When an e-mail arrives that purports to be from an aol.com address, for 
example, the incoming mail server could check to see whether it is indeed 
coming from a numeric Internet location that AOL has assigned. If not, the 
AOL address has been spoofed, and the mail would be rejected.

If AOL account holders are spamming, they can be easily found.

Wong acknowledged that his system would not work if a spammer is exploiting 
a worm that allows him to actually commandeer another computer and launch 
spam from that machine. In that case, the spam is coming from a legitimate 
source, even though the owner has nothing to do with it.

Wong said that Internet providers have expressed interest in his system and 
that one spam-blocking software company, SpamAssassin, will include it in 
its next version.

Katz of Microsoft said that the working group of top Internet providers 
plan to have an announcement of its system in the coming weeks.

Katz said that to be effective, any of these new initiatives will require a 
"tipping point," or a threshold of participants after which a firm that did 
not join in would be at risk of losing business.

A spokesman for America Online said that identifying good mail is "an 
elixir, not a panacea." He added that his company remains committed to its 
filtering system as well as to collaborative research on other approaches.

Hans Peter Brondmo, one of the technical architects of the Project Lumos 
initiative and a senior vice president at bulk mailer Digital Impact Inc., 
said he does not know whose initiative will prevail, but he thinks the 
first step will be an Internet address check along the lines of Wong's plan 
by the end of this year.

But a broader solution is at least a year away, he said.

"I'm reasonably good with crystal balls, but not so good with timing," 
Brondmo said.


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/