The SMTP Authentication Failure
We know from the efforts of the last couple of years to implement SMTP authentication that even modest technical improvements to SMTP that act to restrict people's use of the system will meet extreme resistance. See John Levine's discussion of the politics of authentication on CircleID for more. John's right about why the problem hasn't been solved: "It's a complicated problem."

About this time last year I was waxing incredulous over the resistance to the authentication movement. Why were people making trouble for such an obviously (to me) great idea? The answer is, just as with social policies, everybody's got his own idea of the right way to do it; nobody wants his own interests damaged. Some of these interests are reasonable ones, involving privacy, for example. On the other hand, some have observed that many ISPs make money off of spam, however indirectly; it's not clear they have a real interest in stopping it, but clearly ISPs are legitimate stakeholders.

And it's not like there's some group in charge of the Internet who can declare that there's a new standard and everyone has to follow it. The Internet isn't really under any authority, with the limited exceptions of such groups as ICANN and IANA, neither of which can tell anyone what e-mail standard to use. To reach the moon, Kennedy only needed to declare the goal to be important, then to spend the money and gather the (mostly German) expertise. But the Internet is just a series of private and public networks connected through private agreements and using a set of agreed-upon protocols.

And worse than that, it's international. Let's say you got Congress and all 50 states to agree to a new e-mail standard (don't think too deeply about this, it's just for the sake of argument). You'd still have the rest of the world to contend with. So is Internet e-mail so broken that it needs to be torn up and thrown away? It's a solution nobody would responsibly propose.

I agree with Dave Crocker, one of the people who designed the Internet mail system in place today, that as a matter of retrofitting the existing system, we just don't know what will work. And "work" is not just a technical requirement; it's what will be acceptable to enough parties to be accepted systemwide. But just as things like crime and poverty never really go away, I think spam will never go away.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.