As I said in this space
last week, spam has grown to dominate legitimate e-mail
to such an extent that leaders of the computer industry might actually be
forced to make significant changes to the worldwide e-mail system as early
as this year.
There's no agreement as yet on what the new standard will be, however.
I examined the three leading proposals that offer systemic e-mail changes.
My findings? None of the changes would eliminate spam completely. But one of
them would make an excellent first step.
A Problem That's Grown Worse Year After Year
A basic flaw that has haunted e-mail since its very beginnings is
that it's trivially easy for anyone to make any e-mail message look
like it came from any e-mail address.
Spammers use this fact to falsify the From lines of their unsolicited bulk
e-mails. This means you can't simply block a few "bad" addresses to filter
out spam.
In addition, computer users are suffering from a new wave of "phishing" e-mails.
These messages falsely claim to come from financial institutions and
instruct innocent people to "re-enter" their credit-card numbers and
passwords — at look-alike sites that are controlled by criminals.
Each of the proposed e-mail fixes would require better identification of
who the "sender" of an e-mail message is.
The Contenders for a Systemic E-Mail Fix
The following three proposals, in order from least to most effective,
represent various ways to alter the sender-recipient relationship:
• SPF. Sender Policy Framework is currently an "Internet-draft"
that's being considered by international standards bodies. It would require the
owners of domain names to publish the IP addresses of their outbound mail
servers. Any message from, say, PayPal.com that didn't come
from one of PayPal's published IP addresses would be assumed by any receiving
server to be a fake that should be discarded.
SPF would still allow forgery, however. Malicious hackers could register a new
domain name at a new, temporary IP address and publish an SPF record for it.
E-mail messages with a visible From line saying, for example, "PayPal.com"
would pass right through an SPF test, because SPF checks only the unseen
Bounce (envelope-sender) address. All the hackers would have to do is set that
Bounce address to their own throwaway domain, which they'd abandon as soon as
it had done its job.
"That is correct," responded Meng Weng Wong, a chief proponent of SPF and the
founder of Pobox.com, when I asked him about this. "SPF solves part of the
puzzle. The scenario you describe needs to be solved using other technologies,
such as Yahoo's DomainKeys or Caller ID."
• Caller ID for E-Mail. The so-called Caller ID scheme is the
brainchild of Microsoft Corp. Its proposal would examine the domain
name in the visible From address of an e-mail message. This domain would be
queried to see if it held an "E-Mail Policy Document." This document, a file up
to 2048 bytes in length, would be written in XML format and would, like SPF,
specify a list of legitimate IP addresses for outgoing mail.
Caller ID, however, would demand changes to the installed software of most
portable devices that send mail from outside a corporate network. It would
also require updates for mailing list services, forwarding services, e-greeting
sites, outsourced e-mail providers, and users of personal domain names who
send their e-mail through a separate ISP account. This would certainly slow
the adoption of the scheme.
• DomainKeys. Yahoo.com, one of the world's largest e-mail
services, is the chief advocate of DomainKeys. This proposal envisions that
legitimate e-mail senders will digitally sign their outgoing messages.
The signature would ensure that no one could modify the From line or
the body of a message in transit without the receiving e-mail software
detecting the tampering.
The owner of a domain name would post a "public key," which would be checked
by any mail server that received a message purporting to be from that domain.
If the signature checked out against that key, the receiver would be assured
that the mail, in fact, did originate from a sender at that entity.
To implement the RSA-style digital signing required by DomainKeys, bulk e-mail
senders would have to install a new signing module, and corporate mail
servers could optionally begin checking incoming e-mail for validity.
Consumer ISPs, such as Verizon and Qwest, would sign all outgoing mail and
check all incoming mail on behalf of their legitimate subscribers, so end users
wouldn't have to understand any technical details.
Calculating a digital signature over an entire e-mail message consumes a lot
of processing power. So mass senders could instead compute a 128-bit "hash" of
the message, which is cheap, and sign only that.
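Added example, not from this column and not code from SPF, Caller ID, or Yahoo's DomainKeys: a Go program that walks through the two mechanisms described above. The domain names, IP addresses, and message text are constructed, and the SPF-style record lookup is a hard-coded map standing in for DNS. The first half shows the SPF check passing for a throwaway envelope domain while the visible From header names a different domain, which is the gap Wong acknowledges, and the extra header-versus-envelope comparison a receiver needs to close it. The second half shows the DomainKeys idea: hash the message, sign only the hash with the domain's RSA key, and watch verification fail once the body (or From line) is altered.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for the SPF-style DNS data a receiving server would
// look up: domain -> list of published outbound-server IP addresses.
// The domains and addresses are invented for this example.
var spfRecords = map[string][]string{
	"paypal.example":    {"192.0.2.10", "192.0.2.11"},
	"throwaway.example": {"203.0.113.7"},
}

// spfPass reports whether connectingIP is one of the addresses the domain
// has published for its outbound mail. This is the check SPF performs on the
// envelope (Bounce) sender's domain, not on the visible From header.
func spfPass(envelopeDomain string, connectingIP string) bool {
	ip := net.ParseIP(connectingIP)
	if ip == nil {
		return false
	}
	for _, allowed := range spfRecords[strings.ToLower(envelopeDomain)] {
		if net.ParseIP(allowed).Equal(ip) {
			return true
		}
	}
	return false
}

// domainOf extracts the lower-cased domain part of an e-mail address.
func domainOf(addr string) string {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// headerMatchesEnvelope flags the gap described in the column: SPF can pass
// for the envelope domain while the visible From header names another domain.
// A receiver that wants SPF to say anything about the From line must also
// compare the two domains.
func headerMatchesEnvelope(fromHeader, envelopeSender string) bool {
	return domainOf(fromHeader) == domainOf(envelopeSender)
}

// signMessage hashes the From line and body with SHA-256 and signs only the
// digest with the sender's RSA private key (PKCS#1 v1.5), which is what keeps
// the per-message cost manageable for bulk senders.
func signMessage(priv *rsa.PrivateKey, fromHeader, body string) ([]byte, error) {
	digest := sha256.Sum256([]byte(fromHeader + "\n" + body))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage recomputes the digest over the received From line and body
// and checks it against the signature using the domain's published public
// key. Any change to either field makes verification fail.
func verifyMessage(pub *rsa.PublicKey, fromHeader, body string, sig []byte) bool {
	digest := sha256.Sum256([]byte(fromHeader + "\n" + body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	// SPF: the forged-From scenario from the column, with constructed values.
	envelope := "bounce@throwaway.example"
	from := "service@paypal.example"
	fmt.Println("SPF passes for envelope domain:", spfPass(domainOf(envelope), "203.0.113.7"))
	fmt.Println("From header matches envelope:", headerMatchesEnvelope(from, envelope))

	// DomainKeys-style: sign, verify, then detect tampering with the body.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	body := "Your statement is ready."
	sig, err := signMessage(priv, from, body)
	if err != nil {
		panic(err)
	}
	fmt.Println("Untouched message verifies:", verifyMessage(&priv.PublicKey, from, body, sig))
	fmt.Println("Altered body verifies:", verifyMessage(&priv.PublicKey, from, body+" Re-enter your password.", sig))
}
```

Run it with `go run` and the SPF check passes (the throwaway domain did publish its own IP) while the header comparison fails, which is exactly the situation the column says SPF alone cannot catch; the signed message verifies only while its From line and body are untouched.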
What These Standards Would and Would Not Do
"The first question to ask about all three of them is what problem they're
trying to solve," says John Levine, the co-chair of the Antispam Research
Group, a committee of the Internet Research Task Force of the
IAB.
"It's not 'spam,' for any normal definition of spam."
That's true. The new schemes would merely make it more likely that an e-mail
message with a certain domain name in its address, such as Qwest.net,
would actually have some connection to someone at that domain name.
This wouldn't end spam — but it would make the sources of
it much easier to track and therefore filter out.
This alone would help to identify at least 65% of spam, the percentage that
Spamhaus.org, a major antispam service, says is now being sent from PCs
infected with "Trojan horse" programs that relay unsolicited bulk e-mail for
spammers.
"The spam [from Qwest subscribers] will all say it's coming from Qwest.net,
which is something," Levine agrees.
Signing All Mail As a Much-Needed Step
If positive identification of senders is to be the first step in stopping
spam, many computer experts feel that digital signatures, such as
those required by the DomainKeys proposal, are the way to go.
"The one [proposal] I like the best, but that will probably take the longest to
implement, is DomainKeys," says Eric Allman, the CTO of
Sendmail.com, a provider of e-mail software to 70% of the
Fortune 1000. Signed-mail proposals, he feels, best lend themselves to
"reputation services" that can say which senders are spammers and which are legitimate businesses.
As a result, Sendmail is working with Yahoo to test the DomainKeys spec,
but the company has also endorsed Microsoft's Caller ID plan.
Even if DomainKeys is adopted, a great deal of spam will continue because
some spammers are perfectly happy to identify themselves.
Many well-known corporations have been caught spamming — they call it
"communicating our advantages to potential customers" — and only
negative reactions from recipients limit the flow.
Conclusion
Until the U.S. and other countries ban spam as a theft of services,
as the European Union did last year, sender-identification plans such as
DomainKeys look promising. At the least, they'll help you sort bulk mail
broadcasters into the "good guys" and the "bad guys."