The tools have been here for years now to address the root of the spam problem, but we're not using them. It seems it's not compelling enough.
The reason there is spam is because there's money in it, or at least
spammers think so. The technical reason there is spam is that the SMTP
protocol used to transport e-mail on the Internet is unauthenticated. A
few years ago a solution to this problem was put in place, but it
doesn't seem to have made a difference.
DKIM (DomainKeys Identified Mail) emerged from a battle several
years ago as the leading standard for SMTP domain authentication. It
uses public key encryption to sign messages with a domain's private
keys and stores the public keys for domains in the DNS. Receiving
e-mail servers can use that public key and the digital signature in the
message to confirm that a message does indeed come from the domain it
purports to come from. This doesn't prove that the domain it comes from
is trustworthy. For that, you need reputation data, which you either
gather and manage internally, or acquire from a public reputation
Click here for a more detailed paper from the Messaging Anti-Abuse Working Group on authentication and trust.
I've also been inspired to this by a recent series of articles on DKIM on CircleID
This is the way it was all supposed to work. It's years now since DKIM was effectively finalized and almost two years since the DKIM standard
was published. DKIM is definitely out there, but not in the way I had
hoped. It's implemented and used by several large e-mail providers,
such as Gmail and Yahoo Mail. Many bulk e-mail senders, both large and
small, sign their e-mail because it helps to get their mail into the
inbox of users on those systems, But DKIM in the real world so far
seems to be much more about preventing false positives than blocking
To use DKIM to allow a good sender in, you merely have to have some
reputation data about them and track abuse complaints to keep that data
current. Then new mail comes in, the signature matches, and zoom, it's
in (you might still want to spam-filter it and certainly you should
malware-scan it). To use it to prevent spam you have to deal with
senders who either have no signature or who have no reputation, and
both these questions are difficult ones. If you're Gmail you can, over
time, develop a pretty extensive reputation database, especially since
you also own Postini which hosts enterprise e-mail security. If you're
Acme Average Enterprise and you're doing your own e-mail you need
access to a public e-mail reputation service.
This service business hasn't developed in the way it might have, and
even to the extent that it has, you can't always use the reputation in
the way it's intended. If verizon.net has a lousy reputation are you
going to block e-mail coming from it? This is one reason why domain
reputation can't displace IP-based reputation systems such as Spamhaus
any time soon.
Perhaps the answer is to push more e-mail processing into the cloud.
It's seemed to me for a while that large, institutional e-mail
processors such as Google were in a better position to implement
solutions such as DKIM for large numbers of users, and indeed GMail
Cloud-based e-mail security is increasingly in style, too, as evidenced by Sendmail's recent announcement of cloud-based e-mail services
. Sendmail has long been a proponent of authentication and has long-supported DKIM
, so you can use their products to sign your outbound mail as well.
Sendmail argues that cloud-based e-mail security has become
commoditized, but the actual catch and false positive rates are
probably still more important to customers than price. So if DKIM
positively affects catch rates it's a winning strategy. I just doubt
that it's much of a factor in catching spam, even in the large clouds.
So unfortunately, it seems that this is as good as e-mail is going
to get. It's disappointing, but it gets enough of the job done, and
that's why it's not going to get any better. I mean, how much more time
and money were you really willing to take it to the next level anyway?
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.