A Cure for Malware

Opinion: Corporate e-mail managers are urged to employ Sender Policy Framework.

Imagine being able to stop most spam, viruses and fraudulent e-mail messages—and easily detecting those few that get through. How much would you pay and how much work would you be willing to put in to achieve that?

Most of us would welcome a solution that could get those results at any price—and we would find it astonishing that it could be done at negligible cost and with only a small amount of management configuration work. Yet, just that is the case, thanks to a new industry proposal called Sender ID.

The main way spam, viruses and phishing attacks succeed is by spoofing senders' addresses in e-mail messages. This is evident as our mailboxes have filled with spam and viruses sent by family, co-workers and even ourselves. A recent study by the Anti-Phishing Working Group (www.antiphishing.org) found that 95 percent of all spam and e-mail fraud is propagated through forged e-mail addresses.

The key problem is that the design of SMTP—and of all e-mail, for that matter—makes it easy to pretend to be anyone when sending e-mail. Unfortunately, proposed solutions, such as charging for e-mail messages sent, would impair the open, free nature of e-mail, if indeed they could be implemented.

Fortunately, there are simpler and more elegant approaches. Two of the most prominent proposals recently were combined into one proposed standard for the Internet Engineering Task Force. The best part is that some of the technology can be deployed now without the need for companies to change users' mail clients or implement new mail servers.

Sender ID (www.microsoft.com/senderid) combines Microsoft's Caller ID proposal and SPF (Sender Policy Framework), developed by Meng Weng Wong, founder of Pobox.com. The united technologies will make it possible to halt many spam, virus and phishing attacks before they are launched, greatly reducing the network loads these menaces cause. Sender ID works by inspecting e-mail at the SMTP level to ensure it comes from where it claims to come from and inspecting it at the header level to look for domain spoofing.

If spammer@wespamalot.net, for example, tried to send spam that looked like it came from eWEEK@ziffdavis.com, mail servers on the Internet would reject it because they could detect that it was not being sent from a licensed ziffdavis.com server. The spammer would have to use made-up sender names, which are relatively easy to filter out.

Sender ID was only recently proposed, but companies and ISPs can begin to implement SPF's capabilities, with which Sender ID is fully compatible. Several large ISPs, including America Online and EarthLink, are already implementing SPF. We urge corporate e-mail managers to look immediately into implementing SPF and readying for Sender ID. By following the instructions at the SPF site at spf.pobox.com, companies can take an important first step in eradicating spam, viruses and e-mail fraud.

eWEEK is interested in your opinion. Send your comments to eWEEK@ziffdavis.com.
