Spam-Fighting Theories Far From Practice


WASHINGTON — Filters and sender authentication protocols are not likely to do much to stem the spam flood around the world, at least for the time being, according to Gartner analysts.


Maurene Caplan-Grey, Gartner’s research director, told attendees at the company’s 10th annual IT Security Summit here that filters are in the “embryonic stage” and sender reputation-authentication services are, at this point, little more than theories.


Caplan-Grey said filters work fairly well as long as the majority of spam is generated in the United States since “they [filters] understand American English. Not just the words, but the meaning behind the words.” But as
unsolicited e-mail starts to “proliferate from outside the United States and
in different languages” that effectiveness seriously declines.


Another problem with existing filters, Caplan-Grey said, is that they look
at an e-mail message’s origin to determine whether it is spam, although
there is no guarantee that an e-mail comes from whom it says it does. The
vulnerability has prompted spammers to forge the origin of the e-mail in a
process known as spoofing.


Two of the newer anti-spam proposals — Microsoft’s Caller ID for E-Mail and
Yahoo!’s DomainKeys — aim directly at the spoofing efforts.


Microsoft is proposing to eliminate spoofing by
verifying what domain a message comes from by requiring e-mail senders to
publish the Internet protocol (IP) addresses of their outbound e-mail
servers in the Domain Name System (DNS) in a standardized format. The
recipient e-mail systems then query the DNS for the list of outbound e-mail
server IP addresses of the purported responsible domain.


The next step is for the receiving systems to check whether the IP address
from which the message was received is on that list. If no match is found,
the message has most likely been spoofed.
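
The receiving-side check described above, sketched as an added example (not code from Microsoft's proposal or from the original article). The dictionary standing in for DNS, the plain IP/CIDR list format, the function names and the result labels are assumptions made for illustration; the sample records are constructed.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> published outbound mail server addresses.
# The plain IP/CIDR list is an assumed format, not the proposal's real record syntax.
PUBLISHED = {
    "example.com": ["192.0.2.10", "198.51.100.0/28", "2001:db8:25::/64"],
    "broken.example": ["192.0.2.999"],  # malformed entry, must not be treated as a match
}

def responsible_domain(from_header):
    """Return the lower-cased domain of the address in a From header, or None."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")

def check_sender(from_header, connecting_ip, published=PUBLISHED):
    """Classify a message by comparing the connecting IP with the published list.

    pass  - the IP is on the purported domain's list
    fail  - the domain publishes a list and the IP is not on it (likely spoofed)
    none  - the domain publishes nothing, so no conclusion can be drawn
    error - the header, the IP or the published record could not be parsed
    """
    domain = responsible_domain(from_header)
    if domain is None:
        return "error"
    try:
        client = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return "error"
    entries = published.get(domain)
    if not entries:
        return "none"
    try:
        networks = [ipaddress.ip_network(e, strict=False) for e in entries]
    except ValueError:
        return "error"
    for net in networks:
        if client.version == net.version and client in net:
            return "pass"
    return "fail"
```

The `none` result is the case the analysts point to later: a domain that publishes no list cannot be verified either way, so the check only helps for senders that take part.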


The Yahoo! approach combines public-key cryptography
with the DNS. The domain name owner uses the private key to generate a
digital signature that’s added to the header of every message that goes out.
The owner also places the corresponding public key on his server.


When the message is received, the e-mail system extracts the digital
signature and the claimed sending domain. It then fetches the public key
from the domain name owner’s server and determines whether the signature was
generated by the corresponding private key, thereby verifying the sender’s
relationship with the domain.


Caplan-Grey, with tongue firmly in cheek, said sender authentication systems
will work well as long as “everyone belongs to the same organization” and
follows the same rules. Gartner analyst Betsy Burton added, “Sender
authentication and reputation initiatives will not, by themselves, fix the
problem.”


Meanwhile, Burton said that 60 billion e-mails a day are likely to be sent in
2005 and that enterprises are “adding to the problem.” According to Burton,
80 percent of all businesses engaged in some form of direct marketing will
conduct at least one e-mail campaign next year.


Despite the inherent flaws in filters, Burton said, the systems will block a
majority of those e-mails and a “great many of the enterprises will achieve
no customer results. Buyers tend to view their e-mails as spam.”


To overcome customer objections to receiving e-mail solicitations, Burton
recommended combining user education with best business practices that
include permission-based mailings.


“The mailings need to be very focused, very targeted,” Burton said. “You
need to work with ISPs (Internet service providers) to avoid blacklists.”
