Spam Slayer: Spam Weapons of Tomorrow
Internet firms turn to technology, not law, to fight the avalanche of spam.
Tom Spring,
PC World
Monday, March 01, 2004

Tip of the Month

Keep Your Numbers Private. Think twice before submitting your mobile phone number to a contest or sweepstakes. Marketing firms are now targeting mobile phones with text-messaging advertisements. By dangling discounts and prizes, firms hope you'll give them your cell phone number so they can spam you there as well. The fine print in Sweepstakes Online's marketing message says it will send event reminder messages, coupons, and other incentives. That's spam!

High-Tech Weapons
ISPs are on a mission: They're trying to craft the online equivalent of caller ID so they can figure out who is sending spam to their customers and more easily block junk e-mail and prosecute spammers.

Right now, spammers can easily shield their identities to get through your ISP's front door and clutter your in-box. The recently enacted Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) law is supposed to address the spam problem. But ISPs and law enforcement are having a hard time figuring out whom to prosecute.

America Online, Microsoft, and Yahoo are all working on technologies that would enable an ISP to verify that an incoming e-mail message was actually sent from the domain in its return address--and if not, reveal the real source. In addition to helping authorities track down offenders, these technologies would give ISPs the power to block e-mail with forged source information.

The e-mail authentication systems these companies are developing would keep spammers from covering their tracks by hacking into e-mail servers and unprotected computers on the Internet and falsifying data in a message's sender field. Today, half of all spam is routed through computers that mask the sender's identity, according to e-mail security firm MessageLabs.


Research in Progress
America Online is testing technology called Sender Permitted From, which can verify that an e-mail with an AOL return address originated from an AOL user. (AOL hasn't yet broadened it to cover other ISPs). SPF works by verifying domain name system records with a service provider's IP addresses.

For example, if a spammer faked a return e-mail address as being from [email protected], an ISP could tell if the message didn't originate from a matching IP address used by AOL. Any ISPs that adopt the SPF technology could easily trace AOL e-mail back to AOL. Currently, no automated process can do this.

Yahoo's DomainKeys plan would place a digital key, which could not be forged, on outbound Yahoo e-mail. When the message reaches its destination, the recipient's e-mail server would check the Yahoo key and deliver only messages that are verified as coming from Yahoo.

Last week, Microsoft proposed a spam weapon in the form of an open industry standard described in the draft specification titled Caller ID for E-Mail: The Next Step to Deterring Spam. Like AOL's and Yahoo's proposals, Microsoft's approach looks to revamp the way all e-mail is sent and require messages to have the correct return e-mail address.

The difference among these proposals involve the type of format used to embed data in an e-mail message header, and how an ISP would use that information.


Pay-to-Spam Model
Another antispam approach builds on the fact that spammers have no financial incentive to pare their lists. There's no extra cost in sending as many e-mail pitches as possible. If a price is put on bulk e-mail, the volume of junk e-mail sent might subside.

Microsoft's approach is called Penny Black. The technology would delay delivery of incoming e-mail until the sender's computer solves a complicated math equation that would tie up that PC for about 10 seconds. The presumption is that spammers who send millions of messages would need a supercomputer to stay in business. But it's a solution for the future; the Penny Black technology would need to be built into PCs or operating systems.

Microsoft and other organizations are also exploring technologies that would force spammers to pay a small charge to either ISPs or to a central authority for each piece of unsolicited e-mail, thereby motivating them to trim their mailing lists.

Goodmail Systems is developing an e-mail postage technology ..............................
More at PCWorld