The spam situation is bad and only getting worse. A judge yesterday cited insufficient evidence and dismissed a North Carolina woman's felony spamming conviction, according to the Washington Post.
Loudoun County Circuit Judge Thomas D. Horne said he overturned the conviction of Jessica DeGroot, 28, because the jury got "lost" in a mire of technological evidence and a new Virginia antispam law, the article said. DeGroot had been convicted of flooding tens of thousands of America Online e-mail accounts with unsolicited bulk advertisements.
"We've been playing whack-a-mole with the spammers," said Meng Weng Wong, founder of the e-mail forwarding service Pobox.com, and a visiting fellow at Earthlink Inc.
Wong and other experts are calling on enterprises to support their proposed standards for e-mail sender authentication, which will underpin new, so-called reputation services that rate messages against thousands of criteria. The idea is to identify trusted elements and turn away spammers at the gateway by treating all as "guilty until proven innocent."
The standards, which have been bogged down by political infighting within the Internet Engineering Task Force, are supported by services such as CipherTrust Inc.'s TrustedSource reputation service, which works with the company's IronMail e-mail security appliance.
But the proposals deserve the immediate support of enterprise users, said an e-mail security analyst. And, Burton Group's Dan Golding said, security execs should consider only those reputation services that base their information about domains on SPF, which is free and in the public domain. "Without that basis on SPF records," said Golding, "they're useless."
There is a problem, however. While companies like Microsoft, Amazon.com Inc. and eBay Inc. are on board with the proposed standards, many major Internet players, including Yahoo Inc., oppose them.
Yahoo has run a ferocious campaign against SPF and SIDF. The Web search engine company is offering a rival proposal called DomainKeys, which uses public key encryption technology, something that has failed to gain widespread support in the past.
SPF and SIDF have the potential to largely prevent the spoofing of legitimate domain names and phishing scams launched by zombie PCs.
Newton was the co-chair of an antispam IETF working group on SPF and SIDF. The group disbanded last year, partly over what Newton called political disputes between vendors and "open source zealots."
SPF and SIDF will only work if a critical mass of large enterprises participates by registering records of their domain names and IP addresses at sites like Pobox.com.
Appliances and services that support SPF and SIDF, such as those from CipherTrust and IronPort Systems Inc., can then use the data to catch spoofers.
For SPF to foil domain name spoofing attempts, big name enterprises must contribute their SPF records, said the Burton Group's Golding. "For enterprises, creating an SPF record is as important a security measure as being able to check them." He lamented the absence of SPF records created by major banks.
Few major U.S. banks, save BankAmerica and one or two others, have created SPF records, although their domains are regularly spoofed in phishing attacks.