honoluluadvertiser.com

The Honolulu Advertiser
Posted on: Tuesday, July 20, 2004

Companies test spam-fighting method

By Chris Gaither
Los Angeles Times

Be liberal in what you accept and conservative in what you send.

That was the philosophy when computer scientists sent the first electronic-mail messages over the Internet more than 30 years ago.

At the time, the Internet was in its infancy, used by a few hundred researchers at universities, government labs and high-tech companies.

Today, hundreds of millions of people have e-mail addresses, and junk e-mailers send out billions of messages every day. And Internet service providers are racing to figure out how to force spammers to abide by that old golden rule.

Microsoft Corp., Yahoo Inc. and other companies are taking different approaches, but they all have the same objective: finding a way to verify that people who send e-mail are who they say they are.

That would plug the biggest hole in Simple Mail Transfer Protocol, the system that has been shuttling messages around the Net since 1983.

The designers of SMTP knew their protocol didn't have a built-in authentication system. But they saw no reason to worry.

"There was very little attention paid to nasty people because we all knew and trusted each other," said David Farber, an Internet pioneer who is now a professor of computer science and public policy at Carnegie Mellon University. "It was understood that it was easy to forge mail, but who would forge mail among your friends?"

Fakes abound

Spammers have taken full advantage of that oversight. They falsify their names and reply-to addresses to bypass junk e-mail filters and trick recipients into opening messages. They copy corporate logos to send fake messages purporting to be from companies such as eBay and Citibank to fool people into handing over their credit card numbers and other personal information in so-called "phishing" attacks.

"Accountability is really the missing link for many of the problems we have on the Internet," said Phillip Hallam-Baker, principal scientist for VeriSign Inc., the company that maintains the master list of commercial Internet addresses.

The Federal Trade Commission last month cited the lack of authentication standards when it declined to create a "do-not-e-mail" registry modeled after the "do-not-call" list for telemarketers. Without knowing for sure who is sending a message, the FTC said, Internet service providers and other spam fighters wouldn't be able to punish violators.

New approaches

The big Internet service providers don't agree on how to best fix the authentication problem. Two systems being tested now are Yahoo's DomainKeys standard and Sender ID, which is backed by Microsoft and the Pobox.com e-mail service.

Sender ID has attracted the most interest. It counts on the fact that though e-mail headers are easy to forge, IP addresses — the unique set of numbers attached to every Internet domain — are not.

Here's how it works: A company like Amazon.com Inc. publishes its IP address in a public database. When a message arrives that claims to be from the online retailer, the recipient's e-mail program automatically checks the information in the header and compares it with the information in the database. If it matches, the message goes through. If it doesn't match, the message is quarantined or blocked.

ISPs including EarthLink Inc. and Time Warner Inc.'s America Online are testing a component of Sender ID called SPF, or Sender Policy Framework. AOL has started publishing the list of IP addresses from which it sends its members' e-mail so that other e-mail service providers can block messages from spoofed AOL addresses.
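The SPF check described above, written out as an added example (not code from the article or from any of the companies it names): a receiving mail server evaluates the sending IP address against the `v=spf1` record a domain publishes. The domains, address ranges and the in-memory record table are constructed stand-ins for the DNS TXT lookups a real check performs.

```python
import ipaddress
from typing import Dict, Optional

# Constructed sample SPF records standing in for DNS TXT lookups.
# Domains and address ranges are illustrative placeholders only.
SAMPLE_SPF_RECORDS: Dict[str, str] = {
    "example-retailer.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example-isp.test": "v=spf1 ip4:203.0.113.0/25 ~all",
}

# SPF qualifier prefixes and the result each one yields on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Stand-in for a DNS TXT lookup of the domain's SPF record."""
    return SAMPLE_SPF_RECORDS.get(domain)


def check_spf(sender_ip: str, domain: str) -> str:
    """Return pass/fail/softfail/neutral/none for an IP claiming to send as domain."""
    record = lookup_spf(domain)
    if record is None:
        return "none"                      # domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not a valid SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # implicit "+" when none given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # catch-all: first match wins
            return QUALIFIERS[qualifier]
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        # a/mx/include mechanisms need live DNS; treated as no match here
    return "neutral"                       # no mechanism matched, no "all"


def mail_disposition(sender_ip: str, domain: str) -> str:
    """Map an SPF result to the receiver's action, as the article describes."""
    result = check_spf(sender_ip, domain)
    if result == "fail":
        return "blocked"
    if result == "softfail":
        return "quarantined"
    return "delivered"
```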

By the end of the summer, the country's biggest ISP hopes to begin blocking e-mail that purports to come from companies often impersonated in phishing attacks — such as eBay's PayPal division — but that can't be verified as legitimate.

Legitimate e-mail

Authenticating e-mail "is the single most important thing we can do to enhance the SMTP," said Carl Hutzler, AOL's director of anti-spam operations.

If the ISPs succeed, e-mail marketers will have no choice but to authenticate their messages to prevent them from being blocked. And if they authenticate, ISPs and other spam fighters will be able to keep track of senders and their reputations.

Companies would be held accountable for the sending habits of their employees, and ISPs would be responsible for their customers' e-mail. Those that developed a reputation for generating spam could find their e-mail blocked — a situation that could force e-mail providers to ensure that their customers' computers are secured so spammers couldn't hijack them to send junk mail.

Legitimate e-mail marketers that allow recipients to remove themselves from mailing lists and that obey other professional codes of conduct would have their messages whisked around spam filters instead of getting blocked.