A few technologies to fight the unsolicited and sometimes unsafe e-mail known as spam have emerged since the volume of the junk mail has increased beyond annoyance, but a Microsoft-backed effort to identify the senders of spam appears to be moving fastest of all the contenders.
Joined by other spam fighters including Sendmail, Symantec, IronPort, Cloudmark, Tumbleweed, VeriSign and others, Microsoft has promoted its Sender ID — a fusion of Microsoft’s previous Caller ID for e-mail technology, the Sender Policy Framework (SPF) and another specification known as Submitter Optimization — as a collaborative effort to combat spam.
Sender ID also is under consideration before the Internet Engineering Task Force (IETF), which has put the Sender ID specification on the fast track toward standardization while recommending a combination of other spam-defense measures from others, such as Yahoo and Cisco.
Industry analysts and spam fighters agree that it is far too easy with today’s Internet architecture and protocols to fake the “from” address of spam or other e-mail messages.
While the rising tide of spam has lead to greater use of e-mail filtering, there has been little work done to ensure e-mail origin and identification are accurate. At the same time, the use of phony from addresses has become more prevalent in so-called phishing schemes, which direct users to fraudulent or malicious Web sites that can steal personal information.
To stop the spoofing, the Sender ID technology — which requires two levels of authentication as an e-mail goes from sender to receiver — prevents messages that have not been authenticated from reaching inboxes.
Bogus ID Makes Bad Business
Industry analyst Joyce Graff told TechNewsWorld that the inability to be sure of an e-mail’s origin has become an increasingly significant issue for businesses.
“When you have to start worrying to the extent that you don’t trust something from a colleague, that is not healthy for business,” Graf said. “The bigger problem is do you really know who you’re talking to? That’s a large problem.”
Graf, who said accurate identification of e-mail senders is key for continued reliance on Internet communication, indicated that the partnership of Microsoft, Sendmail and others is also key as they are the ones with the power to promote widespread adoption.
Basex chief executive officer and chief analyst Jonathan Spira, whose New York research and consulting firm blames spam for more than US$20 billion in annual losses and is conducting a survey on interruptions such as spam, said the Sender ID technology is an important piece of the spam solution puzzle.
Spira told TechNewsWorld that the ability to spoof an e-mail’s origin is more serious in phishing and other scam or scheme e-mails, which the analyst categorized differently than unsolicited offers for actual products or services.
Spira added that Microsoft and its partners have taken moves to stop spam after coming to the realization that e-mail might be abandoned for other forms of communication if it is not cleaned up.
“There’s been no attempt in any government agency to really regulate the origin of phishing attacks, so I think the industry is trying to respond before something less desirable is forced upon it,” Spira said.
While he said the proposed standards are a potential part of the solution to spam, Message Labs chief information security analyst Paul Wood told TechNewsWorld there are still issues to be worked out with the proposed Sender ID technology.
Wood explained that even if the approach, which is not yet an IETF standard and is not yet widely deployed, were adopted, it might require a “bulking up” of servers and software for e-mail.
Wood, who indicated Message Labs would implement the technology if it became a more solid standard, also warned that “spammers are already ahead of the game,” indicating that those sending spam might simply use “disposable domains” that will be able to circumvent Sender ID measures.
“It really is an arms race,” Wood said.