A Long Way from Junk-Free Inboxes

In the March 3, 2004, edition of Security Update, I briefly explained three proposed technologies--Sender Policy Framework (SPF), DomainKeys, and Caller ID for E-Mail--that might help curb the amount of junk mail influx most of us receive each day. You can read the article at the following URL: http://www.winnetmag.com/article/articleid/41892/41892.html

Recently Yahoo!, developer of the DomainKeys technology, submitted a draft to the Internet Engineering Task Force (IETF) that outlines the basics of the technology. As you'll learn when you read the draft, which is linked in the related news story, "Yahoo Publishes IETF Draft For DomainKeys," in this edition of the newsletter, Yahoo! still has plenty of work to do on DomainKeys.

The developers of SPF technology have also submitted a draft proposal to the IETF (see the first URL below), and Microsoft has also submitted a draft proposal for Caller ID for E-Mail. You can learn more about SPF and Caller ID at the second, third, and fourth URLs below.




In essence, DomainKeys technology works by digitally signing email messages, then attempting to verify digital signatures by communicating with the domain that allegedly sent the email message. SPF and Caller ID try to verify the alleged sending domain of a given email message, but they don't use digital signatures. At the time of this writing, both SPF and Caller ID try to verify that the mail headers of a given message haven't been forged (as is the case with a lot of junk mail) by checking particular DNS records (specially formatted TXT records) against records written into mail headers.

Although all three technologies provide reasonable ways to verify an email message's origin, they all contain problems that determined spammers could exploit. Thus none of the technologies is an end-all solution for junk mail. However, using all three technologies together might improve the ability to curb unwanted email.

As was pointed out on the IETF Anti-Spam Research Group (ARGS) mailing list, even with all three of the proposed technologies in place, domain operators can further reduce junk mail by adding other technologies--such as those that ban senders, domains, and sets of IP addresses--commonly referred to as blacklisting. But even combining all these technologies won't completely eliminate junk mail. https://www1.ietf.org/mailman/listinfo/asrg

So far, the only solutions I've seen that can eliminate nearly all unwanted email are the types that use some sort of challenge and response system. For example, some solutions require a sender to visit a Web page the first time he or she sends an email to a certain user. At the Web page, the sender might have to type in a keyword shown on the screen or perform some other type of response. Other solutions might use email to deliver and process the challenge and response. These solutions are minor inconveniences for most people, but they often present major problems for sightless individuals.

Even though many thousands of networks and software vendors, including AOL, Earthlink, Google, Symantec, and Brightmail, have already integrated SPF and thousands of others are undoubtedly slated to begin using DomainKeys or Caller ID or both, many people will continue to receive more junk mail than they care to tolerate. And because even a combined set of the current and proposed solutions won't satisfy every network's needs, we'll likely see more solutions become available.

Incidentally, Symantec recently purchased Brightmail for approximately $370 million. Brightmail provides solutions that guard against spam, spoofed email, viruses, and more. Given Brightmail's extensive client base of major corporations, including AT&T, Microsoft, Cisco Systems, Lucent Technologies, Motorola, and eBay, the deal will permit Symantec to provide an even more rounded solution for email processing. You can read about the acquisition at Brightmail's Web site. http://www.brightmail.com/pressreleases/051904_pr.html

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.