RealTime IT News

Spam-Fighting Theories Far From Practice

WASHINGTON -- Filters and sender authentication protocols are not likely to do much to stem the spam flood around the world, at least for the time being, according to Gartner analysts.

Maurene Caplan-Grey, Gartner's research director, told attendees at the company's 10th annual IT Security Summit here that filters are in the "embryonic stage" and sender reputation-authentication services are, at this point, little more than theories.

Caplan-Grey said filters work fairly well as long as the majority of spam is generated in the United States since "they [filters] understand American English. Not just the words, but the meaning behind the words." But as unsolicited e-mail starts to "proliferate from outside the United States and in different languages" that effectiveness seriously declines.

Another problem with existing filters, Caplan-Grey said, is that they look at an e-mail message's origin to determine whether it is spam, although there is no guarantee that an e-mail actually comes from the sender it claims. That weakness has prompted spammers to forge the origin of their e-mail, a practice known as spoofing.

Two of the newer anti-spam proposals -- Microsoft's Caller ID for E-Mail and Yahoo!'s DomainKeys -- aim directly at the spoofing efforts.

Microsoft is proposing to eliminate spoofing by verifying the domain a message comes from. E-mail senders would be required to publish the Internet protocol (IP) addresses of their outbound e-mail servers in the Domain Name System (DNS) in a standardized format. The recipient e-mail systems then query the DNS for the list of outbound e-mail server IP addresses of the purported responsible domain.

The next step is for the receiving systems to check whether the IP address from which the message was received is on that list. If no match is found, the message has most likely been spoofed.
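The receiver-side check described in the two paragraphs above, as an added Python example (not code from Microsoft or from this article). The in-memory table stands in for DNS; its record layout, the domain names and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for DNS: purported domain -> published outbound
# mail-server addresses. This layout is an assumption, not the real format.
PUBLISHED_OUTBOUND = {
    "example.com": ["192.0.2.10", "198.51.100.0/28", "2001:db8:25::/64"],
    "example.net": [],  # publishes a record but lists no outbound servers
}

def lookup_outbound(domain):
    """Return the published list for a domain, or None if nothing is published."""
    return PUBLISHED_OUTBOUND.get(domain.lower().rstrip("."))

def check_sender(purported_domain, connecting_ip):
    """Classify a message as 'match', 'mismatch', 'unpublished' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return "invalid"
    # Compare IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as plain IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    published = lookup_outbound(purported_domain)
    if published is None:
        # The domain has not adopted the scheme: no verdict is possible.
        return "unpublished"
    for entry in published:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed entry never authorizes a sender
        if ip.version == net.version and ip in net:
            return "match"
    return "mismatch"  # not on the published list: most likely spoofed

if __name__ == "__main__":
    # Constructed sample deliveries: (purported domain, connecting IP).
    for domain, peer in [("example.com", "198.51.100.14"),
                         ("example.com", "203.0.113.7"),
                         ("example.org", "203.0.113.7")]:
        print(domain, peer, check_sender(domain, peer))
```

The "unpublished" result is the case the analysts point to: a receiver can only flag spoofing for domains that have actually published their server list.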

The Yahoo! approach combines public-key cryptography with the DNS. The domain name owner uses the private key to generate a digital signature that's added to the header of every message that goes out. The owner also places the corresponding public key on his server.

When the message is received, the e-mail system extracts the digital signature and the claimed sending domain. It then fetches the public key from the domain name owner's server and determines whether the signature was generated by the corresponding private key, thereby verifying the sender's relationship with the domain.

Caplan-Grey, with tongue firmly in cheek, said sender authentication systems will work well as long as "everyone belongs to the same organization" and follows the same rules. Gartner analyst Betsy Burton added, "Sender authentication and reputation initiatives will not, by themselves, fix the problem."

Meanwhile, Burton said, 60 billion e-mails a day are likely to be sent in 2005, and enterprises are "adding to the problem." According to Burton, 80 percent of all businesses engaged in some form of direct marketing will conduct at least one e-mail campaign next year.

Despite the inherent flaws in filters, Burton said, the systems will block a majority of those e-mails and a "great many of the enterprises will achieve no customer results. Buyers tend to view their e-mails as spam."

To overcome customer objections to receiving e-mail solicitations, Burton recommended combining user education with best business practices that include permission-based mailings.

"The mailings need to be very focused, very targeted," Burton said. "You need to work with ISPs (Internet service providers) to avoid blacklists."