Spam Fight Gains Steam

A grass-roots movement to improve the SMTP protocol that governs e-mail traffic is gaining acceptance, and its lead developer hopes to get fast-track approval by the Internet Engineering Task Force to make the emerging framework a standard.

The developing framework, known as SPF (Sender Policy Framework), would prevent the spoofing of e-mail addresses and hijacking of SMTP servers, common tactics used by spammers today to remain anonymous. The group behind SPF, known as SMTP+SPF, published its Internet draft earlier this month, the first step on the road to IETF approval, according to Meng Weng Wong, who's spearheading the effort.

Wong, chief technology officer of e-mail forwarding service Pobox.com, in Philadelphia, plans to attend the 59th IETF Meeting next week in Seoul, South Korea, to make his case for the IETF to form a working group to study SPF. But Wong said he's hoping for more than that. He wants the IETF to adopt SPF, bypassing the workgroup stage.

Wong said he has run a shadow workgroup for the past eight months, with 500 people on an e-mail list exchanging ideas about SPF. He claims most of the work an IETF workgroup would do has already been accomplished by the SMTP+SPF group.

SPF is a white- listing system that, in order to work, requires domain owners to publish the IP addresses from which they send e-mail. Mail transfer agents, such as Sendmail, Qmail and Postfix, would then have to match the client IP address with the domain the message is coming from. SPF would also provide this "read" technology, which the SMTP+SPF group is close to completing, Wong said.

If the client IP address doesn't match the published IP addresses for the domain, the message is rejected before it ever gets to the in-box. Under the existing SMTP protocol, domains cannot limit the use of their names to a set of trusted servers, which SPF would provide.

Today, blacklists work by IP address. In an SPF world, anti-spam activists would blacklist by domain name, knowing that a spammer was not misusing the domain. Existing anti-spam filters can easily be tuned to support SPF, Wong said. Anti-spam technology providers, such as CipherTrust Inc., InboxCop Inc. and Sophos plc.'s ActiveState division, have thrown their support behind SPF.

CipherTrust has incorporated SPF into its IronMail anti-spam appliance, using the SPF domain registry as a data point in IronMail's Enterprise Spam Profiler correlation engine. CipherTrust's FirstAct service will provide the company's customers with automatic updates from the SPF registry on an ongoing basis, as well as assistance in registering their more than 1,500 domains with SPF, said officials in Alpharetta, Ga.

SPF would be free and voluntary, according to Wong, with its effectiveness dependent on the number of domain holders that register their sender IP addresses. Nearly 7,000 domain holders have registered their IP addresses at the SMTP+SPF Web site (spf.pobox. com), including America Online Inc., SAP AG, Mail.com and the World Wide Web Consortium.

Support for modifying SMTP is growing within the e-mail industry.

"The only way to stop spam on a permanent basis is to change the SMTP protocol," said John Davies, CEO of e-mail server software developer Rockliffe Inc., in Campbell, Calif. "If SMTP protocols are enhanced to provide the capability to validate the sending server, it becomes impossible for spammers to send spam anonymously."

While no one wants to replace SMTP, there seems to be little debate that the protocol has flaws.

"Spammers spoof a lot," said Mark Wegman, a researcher at IBM's T.J. Watson Research Center, in Hawthorne, N.Y., describing spammers' tactics to forge legitimate e-mail addresses. "They pretend to be ... other people, and SMTP protocols let them do that."

Encyclopedia Britannica Inc., of Chicago, is dealing with spam at two levels—blocking spam and trying to keep its legitimate e-mail marketing messages, which require double opt-in, from being blocked as spam.

Encyclopedia Britannica blocks 20,000 to 30,000 spam messages a day from its 600 to 700 mailboxes using MailSite, which in turn uses Sophos' anti-spam technology, in combination with its Microsoft Corp. Exchange mail server. While the technology works well, Encyclopedia Britannica IT staffers said spammers are continually finding new ways around it.

Ashley Wainwright, lead systems engineer at the encyclopedia publisher, said an SPF registry seems promising. "It sounds like it could save us a lot of time," Wainwright said. "We have to go to AOL now and register a valid IP address there so they won't block our e-mails, then go to EarthLink [Inc.] and do the same thing, then go to every other ISP our customers use. Keeping everything up-to-date is difficult."

comments dic