Can Private E-Mail Communities Keep Out The Spam?

 
 
By Larry Seltzer  |  Posted 2003-09-23 Print this article Print
 
 
 
 
 
 
 

The public SMTP network is lousy with abusive spammers who would ruin the experience for the rest of us. Security Center Editor Larry Seltzer wonders whether taking some of your e-mail back onto private networks is the way to cut out the spam.

People with money and influence, and who dont care for the outside element, can fence off their community from the rest of the world. Outsiders can get in, but only by passing through a security gate. A phenomenon similar to this is developing in the world of e-mail, especially corporate e-mail, and it could help limit spam for those involved. The best candidates for such an implementation are the large, hosted spam services such as Postini and FrontBridge. The way these services work is that incoming e-mail passes through their servers and is filtered before it is sent to the clients servers. Technically, they hold the MX records for the clients mail domain.

At the same time, these companies have more than one client. Consider that since the spam services already have a private, trusted relationship routing e-mail to their client companies, any mail passing between them could be considered trusted. Theres no real need to pass this mail through filters, assuming these clients are responsible organizations with some sort of internal e-mail controls.

Its sort of like a big white list, but more sophisticated because it looks at the routing of mail. Suppose I white-list the address custserv@reply.1800flowers.com because I buy my wife flowers now and then, and thats the online flower shops confirmation address (note to self: buy the wife some flowers). A spammer could get through to my Inbox by spoofing that address in the From: field. But if my gateway spam blocker would check the referring server against a white list of clean servers, my blocker wouldnt be fooled by a simple From: spoof attempt. Now, a spam message with truly-spoofed headers would be another matter. Still it would be very hard to get an outside message through this network and have it appear as of it was completely internal. In fact, I doubt anyone could do it.

At the same time, my point about responsible organizations with internal controls is really important. Some of the hosted services work with ISPs and other public mail services, the most famous being Hotmails use of Brightmail for spam filtering. When you sign up for an ISP or a service like Hotmail you typically agree not to send spam, but there are individuals who would violate such sacred agreements—shocking as this may be to some of you—with no concern for the consequences, such as the loss of their free e-mail account. This is why private e-mail networks may prefer to work with the corporate networks rather than conventional ISPs. Incidentally, Brightmail supports scanning of outbound mail, although its not something every customer would implement.

This type of private network will really only be useful in direct proportion to the number of participants, so it would only begin to make sense if the spam filtering company has lots of customers. Theyd also all probably have to consent to being part of this private community.

The point of private networks—at least intelligently designed ones—is to define safe zones for e-mail, virtual spaces where you can relax your guard, and lower the risk of false positive identifications of messages. You still have to let mail in from the outside world because thats what makes e-mail useful. But at the same time, you can apply enhanced scrutiny to that mail. Private networks may not be a solution to spam, but for some folks it certainly could help.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

More from Larry Seltzer
 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel