In the dark about solutions for spam?

Proposed standards and technology may be the light at the end of the tunnel.

The spam situation is bad and only getting worse. A judge yesterday cited insufficient evidence and dismissed a North Carolina woman's felony spamming conviction, according to the Washington Post.

Loudoun County Circuit Judge Thomas D. Horne said he overturned the conviction of Jessica DeGroot, 28, because the jury got "lost" in a mire of technological evidence and a new Virginia antispam law, the article said. DeGroot had been convicted of flooding tens of thousands of America Online e-mail accounts with unsolicited bulk advertisements.

This case is just one more reason why the antispam movement has had little to brag about lately. CAN-SPAM, Bayesian filters, blacklists and whitelists -- none have done much to stem spam traffic. It seems the spammers have an answer to every algorithm and network security appliance hackers and vendors throw at them.

"We've been playing whack-a-mole with the spammers," said Meng Weng Wong, founder of the e-mail forwarding service, and a visiting fellow at Earthlink Inc.

Wong and other experts are calling on enterprises to support their proposed standards for e-mail sender authentication, which will underscore new, so-called reputation services that rate messages against thousands of criteria. The idea is to identify trusted elements and turn away spammers at the gateway by treating all as "guilty until proven innocent."

The standards, which have been bogged down by political infighting within the Internet Engineering Task Force, are supported by services such as CipherTrust Inc.'s TrustedSource reputation service, which works with the company's IronMail e-mail security appliance.

The proposed standards are the Sender Policy Framework (SPF) and Microsoft's Sender ID Framework (SIDF). SPF is an SMTP extension that rejects a message when the sending server's IP address is not on the list of authorized IP addresses for the domain name in the sender's "From" field. SIDF combines SPF with Microsoft's former Caller ID for E-mail draft proposal for its e-mail applications -- part of a so-called "embrace and extend" strategy.

But the proposals deserve the immediate support of enterprise users, said an e-mail security analyst. And, Burton Group's Dan Golding said, security execs should consider only those reputation services that base their information about domains on SPF, which is free and in the public domain. "Without that basis on SPF records," said Golding, "they're useless."

There is a problem, however. While companies like Microsoft, Inc. and eBay Inc. are on board with the proposed standards, many major Internet players, including Yahoo Inc., oppose them.

Yahoo has run a ferocious campaign against SPF and SIDF. The Web search engine company is offering a rival proposal called DomainKeys, which uses public key encryption technology, something that has failed to gain widespread support in the past.

SPF and SIDF have the potential to largely prevent the spoofing of legitimate domain names and phishing scams launched by zombie PCs.

They may also be much easier to implement than DomainKeys. "SPF and [SIDF] are easier to understand than DomainKeys, by several orders of magnitude," said Andrew Newton, who edits the antispam blog, grumpOps.

Newton was the co-chair of an antispam IETF working group on SPF and SIDF. The group disbanded last year, partly over what Newton called political disputes between vendors and "open source zealots."

SPF and SIDF will only work if a critical mass of large enterprises participate, by registering records of their domain names and IP addresses at sites like

Appliances and services that support SPF and SIDF, such as those from CipherTrust and IronPort Systems Inc., can then use the data to catch spoofers.

For SPF to foil domain name spoofing attempts, big name enterprises must contribute their SPF records, said the Burton Group's Golding. "For enterprises, creating an SPF record is as important a security measure as being able to check them." He lamented the absence of SPF records created by major banks.

Few major U.S. banks, save BankAmerica and one or two others, have created SPF records, although their domains are regularly spoofed in phishing attacks.
