Whether or not a standards group rubber stamps the proposed Sender ID authentication protocol, IT executives know...
its adoption is only part of a greater effort against spam.
Many administrators are girding for a long fight with spam. They are developing their own strategies, and the industry battles that take place behind closed doors at the Internet Engineering Task Force (IETF) or any other standards group don't matter so much.
"I think turning on reverse lookup DNS will help a lot," said Scott Saunders, director of systems technology at Paxson Communications Corp., a West Palm Beach, Fla., broadcasting company. "If you get rid of the … spoofing, it will reduce a lot of the spam."
Everyone needs to be responsible for what runs on their own network, including the cable and DSL providers, who need to clamp down on their clients, he said. That's because zombie machines that have been taken over by viruses are serving as spam transports.
A combined approach works best
Other IT executives agreed that having an antispam standard won't change much. "If I were just getting into detection, I would care a lot more because it would level the playing field," said Paul Edwards, a Windows administrator at PHH Arval, a Sparks, Md.-based fleet management company.
Today, PHH Arval uses a combination of gatekeepers to fight spam, including SpamAssassin, an open source tool, as well as some content management tools and a second tier on the SMTP gateway. Combined, they help catch more than 90% of the spam that enters corporate inboxes. "We have methods in place to fight spam and we have an idea of what works and why," he said.
The need to add authentication and security to e-mail is something that was never considered when early e-mail systems were created. There was no online identity theft, no spoofing and no phishing. In attempting to respond to customer complaints about spam, Sender ID was proposed by Microsoft, and endorsed by IBM, Symantec Corp., and other influential vendors as a common authentication method for products and services.
After the open source community balked at signing free licenses for the Microsoft-patented technology in Sender ID, the effort to make it a standard was crippled and the IETF disbanded the committee working on it.
'Reputation' services part of the equation
Now some of the technology's initial supporters are taking stock in the situation. Many don't believe the idea of having an authentication standard has gone away, only that the IETF's decision is a "hiccup" in the process.
"I think Sender ID will be part of a solution, but what [customers] also need is the notion of reputation," said Enrique Salem, a senior vice president at Symantec, Cupertino, Calif. "A combination of authentication and reputation will go a long way."
Reputation services are technologies that identify senders of spam based on a sender's behavior.
Nathaniel Borenstein, a distinguished engineer at IBM, said his company does not promise customers a solution to spam, but a steady effort to fight spam. "This is a problem that we will be jockeying with for a long time," Borenstein said.
Borenstein advised IT managers to choose technologies that have long-term effectiveness, not just something that will slow down the amount of spam they receive today.
Note: This article originally appeared on SearchExchange.com.
Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)