As I said in this space last week, spam has grown to dominate legitimate e-mail to such an extent that leaders of the computer industry might actually be forced to make significant changes to the worldwide e-mail system as early as this year.
There’s no agreement as yet on what the new standard will be, however.
I examined the three leading proposals that offer systemic e-mail changes. My findings? None of the changes would eliminate spam completely. But one of them would make an excellent first step.
A Problem That’s Grown Worse Year After Year
A basic flaw that has haunted e-mail since its very beginnings is that it’s trivially easy for anyone to make any e-mail message look like it came from any e-mail address.
Spammers use this fact to falsify the From lines of their unsolicited bulk e-mails. This means you can’t simply block a few “bad” addresses to filter out spam.
In addition, computer users are suffering from a new wave of “phishing” e-mails. These messages falsely claim to come from financial institutions and instruct innocent people to “re-enter” their credit-card numbers and passwords — at look-alike sites that are controlled by criminals.
Each of the proposed e-mail fixes would require better identification of who the “sender” of an e-mail message is.
The Contenders for a Systemic E-Mail Fix
The following three proposals, in order from least to most effective, represent various ways to alter the sender-recipient relationship:
• SPF. Sender Policy Framework is currently an “Internet-draft” that’s being considered by international standards bodies. It would require the owners of domain names to publish the IP addresses of their outbound mail servers. Any message from, say, PayPal.com that didn’t come from one of PayPal’s published IP addresses would be assumed by any receiving server to be a fake that should be discarded.
SPF would still allow forgery, however. Malicious hackers could set up a new domain name at a new, temporary IP address. E-mail messages with a From line saying, for example, “PayPal.com” would pass right through an SPF test. All the hackers would have to do is set the unseen Bounce address of the messages to their own IP address, which they’d abandon as soon as it had done its job.
“That is correct,” responded Meng Weng Wong, a chief proponent of SPF and the founder of Pobox.com, when I asked him about this. “SPF solves part of the puzzle. The scenario you describe needs to be solved using other technologies, such as Yahoo’s DomainKeys or Caller ID.”
• Caller ID for E-Mail. The so-called Caller ID scheme is the brainchild of Microsoft Corp. Its proposal would examine the domain name in the visible From address of an e-mail message. This domain would be queried to see if it held an “E-Mail Policy Document.” This document, a file up to 2048 bytes in length, would be written in XML format and would, like SPF, specify a list of legitimate IP addresses for outgoing mail.
Caller ID, however, would demand changes to the installed software of most portable devices that send mail from outside a corporate network. It would also require updates for mailing list services, forwarding services, e-greeting sites, outsourced e-mail providers, and users of personal domain names who send their e-mail through a separate ISP account. This would certainly slow the adoption of the scheme.
• DomainKeys. Yahoo.com, one of the world’s largest e-mail services, is the chief advocate of DomainKeys. This proposal envisions that legitimate e-mail senders will digitally sign their outgoing messages. The signature would ensure that no one could modify the From line or the body of a message in transit without the receiving e-mail software detecting the tampering.
The owner of a domain name would post a “public key,” which would be checked by any mail server that received a message purporting to be from that domain. If the key lined up with the signature of the message, the receiver would be assured that the mail, in fact, did originate from a sender at that entity.
To implement the RSA-style encryption required by DomainKeys, bulk e-mail senders would have to install a new signing module and corporate mail servers would optionally have to begin checking incoming e-mail for validity. Consumer ISPs, such as Verizon and Qwest, would sign all outgoing mail and check all incoming mail on behalf of their legitimate subscribers, so end users wouldn’t have to understand any technical details.
Calculating a digital signature for an entire e-mail message consumes a lot of processing power. So mass senders could calculate just a 128-bit “hash,” which is easy.
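As an added illustration of the SPF item above (example code written for this page, not part of the column, the SPF draft or any of the companies mentioned), here is a small evaluator for the published-address check. It assumes the “v=spf1 ip4:… -all” record syntax and a constructed stand-in for DNS, and it reports separately whether the unseen Bounce (envelope) domain that SPF tests matches the visible From domain, which is the gap Meng Weng Wong acknowledges.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the DNS TXT records a receiving server would fetch.
# Only the ip4: mechanism and the -all / +all terminators are handled here,
# a deliberate simplification of the draft's full mechanism set.
DNS_TXT = {
    "paypal.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "pobox.com": "v=spf1 ip4:198.51.100.10 -all",
    "throwaway.example": "v=spf1 ip4:203.0.113.77 -all",   # constructed sample
}


def evaluate_spf(domain, client_ip):
    """Return 'pass', 'fail', 'neutral' or 'none' for client_ip sending as domain."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"                     # nothing published: receiver can't judge
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"             # connecting server is a published one
        elif term == "-all":
            return "fail"                 # not listed: the column's "discard" case
        elif term in ("+all", "all"):
            return "pass"
    return "neutral"


def check_message(envelope_from, headers, client_ip):
    """SPF, as the column describes it, is evaluated on the Bounce (envelope)
    address; the visible From line is only compared here so the receiver can
    see when the two identities do not line up."""
    envelope_domain = envelope_from.rsplit("@", 1)[-1].lower()
    from_domain = parseaddr(headers["From"])[1].rsplit("@", 1)[-1].lower()
    return {
        "spf": evaluate_spf(envelope_domain, client_ip),
        "envelope_domain": envelope_domain,
        "from_domain": from_domain,
        "identities_align": envelope_domain == from_domain,
    }


def demo():
    """Three constructed messages: genuine, sent from an unlisted address,
    and the mismatched-envelope case the column discusses."""
    hdr = {"From": "PayPal <service@paypal.com>"}
    genuine = check_message("alerts@paypal.com", hdr, "192.0.2.25")
    unlisted = check_message("alerts@paypal.com", hdr, "203.0.113.77")
    mismatched = check_message("bounce@throwaway.example", hdr, "203.0.113.77")
    return genuine, unlisted, mismatched
```

A receiver that treats an SPF pass as vouching for the visible From line should at least require identities_align to be true; otherwise the pass only speaks for the envelope domain.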
What These Standards Would and Would Not Do
“The first question to ask about all three of them is what problem they’re trying to solve,” says John Levine, the co-chair of the Antispam Research Group, a committee of the Internet Research Task Force of the IAB. “It’s not ‘spam,’ for any normal definition of spam.”
That’s true. The new schemes would merely make it more likely that an e-mail message with a certain domain name in its address, such as Qwest.net, would actually have some connection to someone at that domain name. This wouldn’t end spam — but it would make the sources of it much easier to track and therefore filter out.
This alone would help to identify at least 65% of spam. This is the percentage that Spamhaus.org, a major antispam service, says is now being sent from PCs infected with “Trojan horse” programs that relay unsolicited bulk e-mail for spammers.
“The spam [from Qwest subscribers] will all say it’s coming from Qwest.net, which is something,” Levine agrees.
Signing All Mail As a Much-Needed Step
If positive identification of senders is to be the first step in stopping spam, many computer experts feel that digital signatures, such as those required by the DomainKeys proposal, are the way to go.
“The one [proposal] I like the best, but that will probably take the longest to implement, is DomainKeys,” says Eric Allman, the CTO of Sendmail.com, a provider of e-mail software to 70% of the Fortune 1000. Signed-mail proposals, he feels, best lend themselves to “reputation services” that can say which senders are spammers and which are legitimate businesses.
As a result, Sendmail is working with Yahoo to test the DomainKeys spec, but the company has also endorsed Microsoft’s Caller ID plan.
Even if DomainKeys is adopted, a great deal of spam will continue because some spammers are perfectly happy to identify themselves. Many well-known corporations have been caught spamming — they call it “communicating our advantages to potential customers” — and only negative reactions from recipients limit the flow.
Conclusion
Until the U.S. and other countries ban spam as a theft of services, as the European Union did last year, sender-identification plans such as DomainKeys look promising. At the least, they’ll help you sort bulk mail broadcasters into the “good guys” and the “bad guys.”