It seems like forever since the great battles of the standards bodies last year when the effort to institutionalize SMTP authentication broke down. Since then, just as beforehand, there has been no serious work done in the standards community to address spam, mail worms and other abuse.
The only option left has been for private industry to step in and try to fix the infrastructure of Internet e-mail. Theyre not doing it to be nice; theyre doing it because allowing e-mail to descend into even greater chaos than it now suffers would be contrary to their interests. Its not an ideal situation, but at least their interests generally coincide with ours.
Its in this spirit that Microsoft announced a series of measures Thursday, some for end users and some for the rest of the Internet community. Hotmail users will notice a new icon for each message indicating if the sender is authenticated based on the From: address and Sender ID data for the site. Unfortunately, much as I might like Sender ID, this is one of those technologies that isnt all that useful until its widely adopted. A positive confirmation isnt proof that the sender is beneficent, just that they are who they say they are.
For the near future Hotmail users can expect to see a large majority of their real mail with “Unknown Sender” icons next to them. There just arent a lot of domains out there with Sender ID records. In theory it should at least help users feel confidence in the ones that do, such as Microsoft themselves. For example, every now and then a mail worm (like Swen) pretends to be a patch mailed out by Microsoft and forges a From: address of email@example.com or something similar. I remain to be convinced; will a user who would fall for a “patch” mailed out by Microsoft know how to interpret the Sender ID queue?
You can see Im pessimistic and cynical about users. Perhaps the industry consensus about SPF and Sender ID last year was right, and they werent all that compelling. They cant even work the way they are supposed to without elaborate reputation systems to determine whether you want to trust a sender, irrespective of the content of the message you are receiving.
There is also a site and a series of tools heavily inspired by AOLs Postmaster site. The main point of both sites is to help other heavy e-mail players, from “legitimate” bulk senders to ISPs to mail admins of large sites, have their legitimate mail get through to Hotmail, and have Hotmail not block those other sites mail.
This is more along the lines of what we need, although it too is depressing in that it shows that what we need is a lot of hard work, mostly by ISPs. They need to do a lot of things they clearly dont want to do, such as responding to abuse complaints, shutting down abused ports, shutting down customers who are abusing their own and other ISPs customers, and in general paying attention to what is going on on their networks.
The industry is developing products to assist ISPs in these goals. Look at companies like MX Logic, Port25 Solutions and Senderbase. Once established solutions are available and easier to implement I hope ISPs wont drag their feet like they do now.
How bad are some ISPs? Look at the “Top Senders by Domain: Last 24 hours” table on the Senderbase home page. As I read it the top entry is Comcast.net indicating that it sent 403.2 million messages in the last 24 hours. Consider that Comcast is far from the largest ISP out there. Obviously a massive percentage of that mail is spam, and Id bet almost all of it is from zombie spam bots on their network. Conversely, looking at the amount of mail coming out of aol.com its clear they are not a major source of spam.
Comcast needs to do the sorts of things that AOL and Microsoft are doing, but that doesnt seem to be its style, and I is the more typical case. If the Comcasts and Road Runners and Verizons of the world dont clean up their networks, its hard to see how the overall situation will improve.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer