Authentication Is Not an Anti-Spam System

 
 
By Larry Seltzer  |  Posted 2004-09-07 Email Print this article Print
 
 
 
 
 
 
 

Opinion: Already we're hearing it, that spammers are beating SPF and the other authentication systems. But the truth has always been that authentication is only a tool for anti-spam systems to use.

Even though Ive already declared Sender ID dead, I maintain that some form of e-mail sender authentication is inevitable and necessary. Now we hear that spammers are embracing authentication, with the implication that theyre so smart theyll undermine it by being part of the system. But its always been important to understand that authentication is not a solution for the spam problem or the phishing problem; its a means toward the solution.

I like the analogy that Meng Wong, the designer of SPF, uses. He says that Sender ID is not an anti-spam system in the same way that flour is not food. It doesnt end spam; it ends forgery. (Actually, some people argue whether Sender ID ends forgery effectively, but lets assume theres no such argument for the sake of this other argument.) The same issues basically apply to SPF, which is what everyone, including the spammers, are using now.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
Far from showing how clever spammers are, adopting SPF or other authentication standards plays right into the goals of the system. Nobody in their right mind would allow messages in just because they authenticated. The next steps— the other ingredients to mix with the flour—are reputation and accreditation systems.

Reputation systems are rating systems that tell subscribers whether an authenticated source of e-mail is a known good source, a known spammer, an unknown source or whatever. An accreditation system, such as IronPort with its Bonded Sender Program, involves a third party that vouches for the senders reputation as opposed to passively tracking it. A site certified with IronPorts Bonded Sender must adhere to a specific set of practices and post a bond to be debited whenever they are determined to be in violation of the terms.

So its no trick at all for spammers to register a zillion throwaway domains like getrichwithherbalviagra.com, but these domains wont obtain a good reputation and it wont be long after they start spamming that they obtain a bad one. The best they can hope for is to get some mail through for the brief period during which they have no reputation to speak of, and any intelligent mail system, even in the authentication era to come, will treat such mail with increased scrutiny. And, of course, recipients could whitelist domains that dont necessarily have a satisfactory reputation.

This is why Ive tried to say all along that authentication systems dont replace filters, they make them work more effectively. Reputation systems, along with white- and blacklists, work as a triage filter, removing large amounts of mail that is known to be good or bad, and let the filters look only at the mail that is truly unknown.

Reputation systems have existed for a long time and dont have a good reputation themselves. Spam blacklists are not well-respected because of an unacceptable level of false positives (I know, Ive been an innocent victim of them myself). But authentication will make reputation a more reliable characteristic to track. I need to spend more time in future columns looking at the issue of reputation and the enormous role it will play in the future.

In the short term, recipients have to treat senders with no authentication records in their DNS as suspicious, but not an automatic block. In the long term one might be able to automatically block all mail that comes from unauthenticated domains. At that point spammers will have to include authentication records. In the short term, I think authentication only makes them easier to track down.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:   More from Larry Seltzer
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel