The SMTP Authentication Failure

By Larry Seltzer  |  Posted 2006-01-17

We know from the efforts of the last couple of years to implement SMTP authentication that even modest technical improvements to SMTP that act to restrict people's use of the system will meet extreme resistance. See John Levine's discussion of the politics of authentication on CircleID for more. John's right about why the problem hasn't been solved: "It's a complicated problem."

About this time last year I was waxing incredulous over the resistance to the authentication movement. Why were people making trouble for such an obviously (to me) great idea? The answer is, just as with social policies, everybody's got his own idea of the right way to do it; nobody wants his own interests damaged. Some of these interests are reasonable ones, involving privacy, for example. On the other hand, some have observed that many ISPs make money off of spam, however indirectly; it's not clear they have a real interest in stopping it, but clearly ISPs are legitimate stakeholders.

And it's not like there's some group in charge of the Internet who can declare that there's a new standard and everyone has to follow it. The Internet isn't really under any authority, with the limited exceptions of such groups as ICANN and IANA, neither of which can tell anyone what e-mail standard to use. To reach the moon, Kennedy only needed to declare the goal to be important, then to spend the money and gather the (mostly German) expertise.

But the Internet is just a series of private and public networks connected through private agreements and using a set of agreed-upon protocols. And worse than that, it's international. Let's say you got Congress and all 50 states to agree to a new e-mail standard (don't think too deeply about this; it's just for the sake of argument). You'd still have the rest of the world to contend with.

So is Internet e-mail so broken that it needs to be torn up and thrown away? It's a solution nobody would responsibly propose. I agree with Dave Crocker, one of the people who designed the Internet mail system in place today, that as a matter of retrofitting the existing system, we just don't know what will work. And "work" is not just a technical requirement; it's what will be acceptable to enough parties to be accepted systemwide.

But just as things like crime and poverty never really go away, I think spam will never go away.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
