Searching for Ways to Fight Junk E-Mail
Be liberal in what you accept and conservative in what you send.
That was the philosophy when computer scientists sent the first electronic-mail messages over the Internet more than 30 years go.
At the time, the Net was in its infancy, used by a few hundred researchers at universities, government labs and high-tech companies.
Today, hundreds of millions of people have e-mail addresses, and junk e-mailers send out billions of messages every day. And Internet service providers are racing to figure out how to force spammers to abide by that old golden rule.
Microsoft Corp., Yahoo Inc. and other companies are taking different approaches, but they all have the same objective: finding a way to verify that people who send e-mail are who they say they are.
That would plug the biggest hole in Simple Mail Transfer Protocol, the system that has been shuttling messages around the Net since 1983.
The designers of SMTP knew their protocol didn’t have a built-in authentication system. But they saw no reason to worry.
“There was very little attention paid to nasty people because we all knew and trusted each other,” said David Farber, an Internet pioneer who is now a professor of computer science and public policy at Carnegie Mellon University. “It was understood that it was easy to forge mail, but who would forge mail among your friends?”
Spammers have taken full advantage of that oversight. They falsify their names and reply-to addresses to bypass junk e-mail filters and trick recipients into opening messages. They copy corporate logos to send fake messages purporting to be from companies such as EBay Inc. and Citibank to fool people into handing over their credit card numbers and other personal information in so-called phishing attacks.
“Accountability is really the missing link for many of the problems we have on the Internet,” said Phillip Hallam-Baker, principal scientist for VeriSign Inc., the company that maintains the master list of commercial Internet addresses.
The Federal Trade Commission last month cited the lack of authentication standards when it declined to create a “do-not- e-mail” registry modeled after the “do-not-call” list for telemarketers. Without knowing for sure who is sending a message, the FTC said, Internet service providers and other spam fighters wouldn’t be able to punish violators.
The big Internet service providers don’t agree on how to best fix the authentication problem. Two systems being tested now are Yahoo’s DomainKeys standard and Sender ID, which is backed by Microsoft and the Pobox.com e-mail service.
Sender ID has attracted the most interest. It counts on the fact that though e-mail headers are easy to forge, IP addresses -- the unique set of numbers attached to every Internet domain -- are not.
Here’s how it works: A company like Amazon.com Inc. publishes its IP address in a public database. When a message arrives that claims to be from the online retailer, the recipient’s e-mail program automatically checks the information in the header and compares it with the information in the database. If it matches, the message goes through. If it doesn’t match, the message is quarantined or blocked.
ISPs including EarthLink Inc. and Time Warner Inc.’s America Online are testing a component of Sender ID called SPF, or Sender Policy Framework. AOL has started publishing the list of IP addresses from which it sends its members’ e-mail so that other e-mail service providers can block messages from spoofed AOL addresses.
By the end of the summer, the country’s biggest ISP hopes to begin blocking e-mail that purports to come from companies often impersonated in phishing attacks -- such as EBay’s PayPal division -- but that can’t be verified as legitimate.
Authenticating e-mail “is the single most important thing we can do to enhance the SMTP,” said Carl Hutzler, AOL’s director of anti-spam operations.
DomainKeys takes an approach that is based on public-private key cryptography.
Sent messages include an encrypted digital signature created by the e-mail provider’s private key. When the message arrives at the recipient’s e-mail server, the server checks a database for the sender’s public key. If the public and private keys match up, the signature can be decrypted and the sender’s identity validated. If not, the message can be blocked by spam filters.
Yahoo began testing DomainKeys in March. The company said it planned to implement it for outbound messages from its Yahoo Mail customers and at least some incoming messages by the end of the year.
If the ISPs succeed, e-mail marketers will have no choice but to authenticate their messages to prevent them from being blocked. And if they authenticate, ISPs and other spam fighters will be able to keep track of senders and their reputations.
Companies would be held accountable for the sending habits of their employees, and ISPs would be responsible for their customers’ e-mail. Those that developed a reputation for generating spam could find their e-mail blocked -- a situation that could force e-mail providers to ensure that their customers’ computers are secured so spammers couldn’t hijack them to send junk mail.
Legitimate e-mail marketers that allow recipients to remove themselves from mailing lists and that obey other professional codes of conduct would have their messages whisked around spam filters instead of getting blocked.
Technologies like DomainKeys and Sender ID are needed to “take SMTP from being dangerously wide open to being much more controlled,” said Steve Jillings, chief executive of FrontBridge Technologies Inc., a Marina del Rey e-mail security company that plans to implement Sender ID.
The catch is that an authentication standard has to be widely adopted to be effective. Getting companies around the world to agree on a standard and implement it seems highly unlikely to technologists such as Carnegie Mellon’s Farber.
But the future of e-mail depends on it, said Scott Weiss, chief executive of the anti-spam company IronPort Systems Inc. “The innovation of e-mail now needs to catch up with many of the rich features that have now been rendered virtually unusable.”
