Proposals Offer Small Steps to Stop Spam
April 26, 2004
By Brian Livingston

As I said in this space last week, spam has grown to dominate legitimate e-mail to such an extent that leaders of the computer industry might actually be forced to make significant changes to the worldwide e-mail system as early as this year.

There's no agreement as yet on what the new standard will be, however.

I examined the three leading proposals that offer systemic e-mail changes. My findings? None of the changes would eliminate spam completely. But one of them would make an excellent first step.

A Problem That's Grown Worse Year After Year

A basic flaw that has haunted e-mail since its very beginnings is that it's trivially easy for anyone to make any e-mail message look like it came from any e-mail address.

Spammers use this fact to falsify the From lines of their unsolicited bulk e-mails. This means you can't simply block a few "bad" addresses to filter out spam.

In addition, computer users are suffering from a new wave of "phishing" e-mails. These messages falsely claim to come from financial institutions and instruct innocent people to "re-enter" their credit-card numbers and passwords — at look-alike sites that are controlled by criminals.

Each of the proposed e-mail fixes would require better identification of who the "sender" of an e-mail message is.

The Contenders for a Systemic E-Mail Fix

The following three proposals, in order from least to most effective, represent various ways to alter the sender-recipient relationship:

SPF. Sender Policy Framework is currently an "Internet-draft" that's being considered by international standards bodies. It would require the owners of domain names to publish the IP addresses of their outbound mail servers. Any message from, say, PayPal.com that didn't come from one of PayPal's published IP addresses would be assumed by any receiving server to be a fake that should be discarded.

SPF would still allow forgery, however. Malicious hackers could set up a new domain name at a new, temporary IP address. E-mail messages with a From line saying, for example, "PayPal.com" would pass right through an SPF test. All the hackers would have to do is set the unseen Bounce address of the messages to their own IP address, which they'd abandon as soon as it had done its job.

"That is correct," responded Meng Weng Wong, a chief proponent of SPF and the founder of Pobox.com, when I asked him about this. "SPF solves part of the puzzle. The scenario you describe needs to be solved using other technologies, such as Yahoo's DomainKeys or Caller ID."

Caller ID for E-Mail. The so-called Caller ID scheme is the brainchild of Microsoft Corp. Its proposal would examine the domain name in the visible From address of an e-mail message. This domain would be queried to see if it held an "E-Mail Policy Document." This document, a file up to 2048 bytes in length, would be written in XML format and would, like SPF, specify a list of legitimate IP addresses for outgoing mail.

Caller ID, however, would demand changes to the installed software of most portable devices that send mail from outside a corporate network. It would also require updates for mailing list services, forwarding services, e-greeting sites, outsourced e-mail providers, and users of personal domain names who send their e-mail through a separate ISP account. This would certainly slow the adoption of the scheme.
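The difference between the two IP-list checks described above, as an added example (not code from the article or from either proposal): the SPF-style check validates the bounce address and the Caller ID-style check validates the visible From domain, so the same forged message passes one and fails the other. The policy table, domains, addresses and function names are constructed assumptions, and a dictionary stands in for the DNS lookup.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the sender lists each domain would publish;
# the domains and networks are documentation placeholders.
PUBLISHED_SENDERS = {
    "bank.example": ["192.0.2.0/28"],
    "throwaway.example": ["203.0.113.7/32"],  # short-lived domain from the scenario
}

def domain_of(address):
    """Return the lower-cased domain of an e-mail address, or '' if it has none."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def ip_authorized(domain, client_ip):
    """True if client_ip falls inside a network the domain has published."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net)
               for net in PUBLISHED_SENDERS.get(domain, []))

def spf_style_check(envelope_from, client_ip):
    """SPF-style: validate the bounce (envelope) address, not the From line."""
    return ip_authorized(domain_of(envelope_from), client_ip)

def caller_id_style_check(raw_message, client_ip):
    """Caller ID-style: validate the domain in the visible From header."""
    msg = message_from_string(raw_message)
    return ip_authorized(domain_of(msg.get("From", "")), client_ip)

def assess(raw_message, envelope_from, client_ip):
    """Run both checks and report whether From and bounce domains agree."""
    msg = message_from_string(raw_message)
    return {
        "spf": spf_style_check(envelope_from, client_ip),
        "caller_id": caller_id_style_check(raw_message, client_ip),
        "from_matches_bounce":
            domain_of(msg.get("From", "")) == domain_of(envelope_from),
    }

# Constructed sample message whose visible From line names the bank.
MESSAGE = ("From: Bank Support <support@bank.example>\r\n"
           "Subject: Account notice\r\n\r\nPlease review your account.\r\n")

if __name__ == "__main__":
    print(assess(MESSAGE, "bounce@throwaway.example", "203.0.113.7"))
    print(assess(MESSAGE, "bounce@bank.example", "192.0.2.5"))
```

A receiving filter can treat `spf` passing while `from_matches_bounce` is false as the case Wong says SPF alone does not cover.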

DomainKeys. Yahoo.com, one of the world's largest e-mail services, is the chief advocate of DomainKeys. This proposal envisions that legitimate e-mail senders will digitally sign their outgoing messages. The signature would ensure that no one could modify the From line or the body of a message in transit without the receiving e-mail software detecting the tampering.

The owner of a domain name would post a "public key," which would be checked by any mail server that received a message purporting to be from that domain. If the key lined up with the signature of the message, the receiver would be assured that the mail, in fact, did originate from a sender at that entity.

To implement the RSA-style encryption required by DomainKeys, bulk e-mail senders would have to install a new signing module, and corporate mail servers could optionally begin checking incoming e-mail for validity. Consumer ISPs, such as Verizon and Qwest, would sign all outgoing mail and check all incoming mail on behalf of their legitimate subscribers, so end users wouldn't have to understand any technical details.

Calculating a digital signature for an entire e-mail message consumes a lot of processing power. So mass senders could calculate just a 128-bit "hash," which is easy.
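The sign-the-hash flow described above, as an added example (not code from the article or from the DomainKeys specification): the sending server signs a 128-bit hash of the From line and body, and the receiver checks it against the key the domain has posted. Assumptions: a toy textbook-RSA key built from two Mersenne primes, SHA-256 truncated to 128 bits as the hash, a dictionary in place of the key lookup, and constructed domain and function names.

```python
import hashlib

# Toy RSA key so the block needs no third-party library. Constructed for
# illustration only: far too small, and unpadded, for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half, posted by the domain owner
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, kept on the sending server

# Constructed stand-in for the public key a domain would post.
PUBLISHED_KEYS = {"bank.example": (N, E)}

def digest(from_header, body):
    """128-bit hash over the From line and body, as an integer below N."""
    data = from_header.strip().encode() + b"\r\n" + body.encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(from_header, body):
    """Sending server: sign the short hash rather than the whole message."""
    return pow(digest(from_header, body), D, N)

def verify(from_header, body, signature):
    """Receiving server: fetch the From domain's key and check the signature."""
    domain = from_header.rpartition("@")[2].strip("> ").lower()
    key = PUBLISHED_KEYS.get(domain)
    if key is None:
        return False                   # no posted key, nothing to verify against
    n, e = key
    return pow(signature, e, n) == digest(from_header, body)

# Constructed sample message.
FROM = "Bank Support <support@bank.example>"
BODY = "Your statement is ready.\r\n"

if __name__ == "__main__":
    sig = sign(FROM, BODY)
    print("intact message:", verify(FROM, BODY, sig))
    print("altered body:", verify(FROM, BODY + "Visit another site.\r\n", sig))
    print("altered From:", verify("Bank <support@other.example>", BODY, sig))
```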

What These Standards Would and Would Not Do

"The first question to ask about all three of them is what problem they're trying to solve," says John Levine, the co-chair of the Antispam Research Group, a committee of the Internet Research Task Force of the IAB. "It's not 'spam,' for any normal definition of spam."

That's true. The new schemes would merely make it more likely that an e-mail message with a certain domain name in its address, such as Qwest.net, would actually have some connection to someone at that domain name. This wouldn't end spam — but it would make the sources of it much easier to track and therefore filter out.

This alone would help to identify at least 65% of spam. This is the percentage that Spamhaus.org, a major antispam service, says is now being sent from PCs infected with "Trojan horse" programs that relay unsolicited bulk e-mail for spammers.

"The spam [from Qwest subscribers] will all say it's coming from Qwest.net, which is something," Levine agrees.

Signing All Mail As a Much-Needed Step

If positive identification of senders is to be the first step in stopping spam, many computer experts feel that digital signatures, such as those required by the DomainKeys proposal, are the way to go.

"The one [proposal] I like the best, but that will probably take the longest to implement, is DomainKeys," says Eric Allman, the CTO of Sendmail.com, a provider of e-mail software to 70% of the Fortune 1000. Signed-mail proposals, he feels, best lend themselves to "reputation services" that can say which senders are spammers and which are legitimate businesses.

As a result, Sendmail is working with Yahoo to test the DomainKeys spec, but the company has also endorsed Microsoft's Caller ID plan.

Even if DomainKeys is adopted, a great deal of spam will continue because some spammers are perfectly happy to identify themselves. Many well-known corporations have been caught spamming — they call it "communicating our advantages to potential customers" — and only negative reactions from recipients limit the flow.

Conclusion

Until the U.S. and other countries ban spam as a theft of services, as the European Union did last year, sender-identification plans such as DomainKeys look promising. At the least, they'll help you sort bulk mail broadcasters into the "good guys" and the "bad guys."

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
