    Why We Haven't Stopped Spam

    By
    Larry Seltzer
    -
    September 10, 2007

      Several years ago when Bill Gates declared that the spam problem would be solved within two years, he appeared to be thinking of SMTP authentication as the heart of that solution. I wouldn't have said what he said, but I was pretty optimistic too. Not anymore. The overwhelming power of inertia seems too much for any solution to take on. People just won't stand for the inconveniences that fixing spam would bring.

      Bill and I may have learned our lessons, but there's a long tradition of smart people looking at the spam problem and deciding that it would be easy to fix if only they were in charge. There's a good example of this on last week's Wall Street Journal op-ed page, of all places.

      The article, entitled “You've Got Spam,” is by Jonathan Koomey, Marshall Van Alstyne and Erik Brynjolfsson. (Sorry, only a stub of it is online; you need to be a WSJ subscriber to read the whole thing.)

      According to their bios at the bottom of the article, they're all respected academics at respected institutions, but there's no indication that they know their way around e-mail. Koomey's field is energy. Van Alstyne and Brynjolfsson are involved in information studies, but not of the technology itself, and they have made an error that shows their perspective is a little too high-level: They assume that someone is actually in charge of the Internet, and specifically of e-mail.

      Their paper suggests combining two old ideas into one that they hope will be greater than the sum of the parts. One is DKIM (DomainKeys Identified Mail), a sender authentication scheme originally from Yahoo and Cisco that is widely respected, even by me. But it's been around for years in usable form and is not all that widely used.

      The second idea is “sender bonds.” The idea here is that the sender of a message attaches a payment of some sort, typically pennies, to the message. Recipients can then claim the money; it's sort of the flip side of those Web pages that force you to watch a full-screen ad before viewing the article. The combination idea is to say that any messages that fail authentication must have the bond.

      You could continue to send your e-mail unauthenticated and without a bond and, the authors argue, people would ignore it and technology could block it as a rule. You could use authentication at a low cost but with a loss of anonymity. You could use bonds and maintain anonymity but at a cost in dollars. You could do both for the highest level of assurance.

      Sender Bond Theory vs. Practice

      The sender bond is an old idea. It may have some beautiful economic theory behind it (look at all those integrals!) but there are a number of major technical problems with it from the standpoint of practical Internet engineering.

      Here's one technical problem that Joseph Heller would have appreciated: You can't enforce the bond through the e-mail system unless you have an authentication process. How is the system supposed to know who to pay? In fact, you'd need an authentication system far stronger than DKIM, which only authenticates the domain of the sender, not the user.

      Turn on your imagination and envision sender bonds being implemented in the real world. How soon would it be before gangs all over the world enlisted botnets into harvesting bond proceeds by massively signing up for bonded e-mail, using fake bonds and other social engineering attacks? The system would need to be resistant to all of these attacks, or otherwise it's just trading off one fraud system for another, and the new one would give direct remuneration to the attackers.

      Then there's the absence of a practical micropayments system. The only payments system in the world that has a chance of handling the volume the authors propose is the credit card system. The capacity of that network is possible because of transaction fees that would make micropayments impractical. Even so, we all know it's not as secure as it could be, and in an effort to make it more secure, new costs are being imposed on merchants.

      Getting back to the DKIM end of this, it's also mandatory in any article that touches on the subject of SMTP authentication to point out, as Koomey, Van Alstyne and Brynjolfsson did not, that any such scheme, including DKIM, is inadequate all by itself. Just because you know who the person is doesn't mean you want their e-mail. They could be a pornographer or some other such undesirable type.

      You need to combine authentication with reputation and accreditation services in order to get value out of them. It's not clear if this is a major problem for Koomey, Van Alstyne and Brynjolfsson's plan: Is a bond required only if the reputation is above a certain level? These considerations could get complicated and political, the worst possible situation.

      The authors blame the slow uptake of DKIM on a standard “chicken and egg” problem, but it's not really that. It's just that change is unpleasant and, unless the payoff is obvious, risky. DKIM may yet become ubiquitous now that a formal standard has been issued, but I think everyone's expectations are a little lower than back when Bill and I could see the end of the spam problem.
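
The two points above (DKIM identifies only the signing domain, and authentication is useful only alongside reputation) can be made concrete with a short sketch. This is an added example, not code from the article or from any DKIM implementation; the sample messages, the `REPUTATION` table, the threshold and the `dkim_verified` flag (assumed to come from a real DKIM verifier run upstream) are all constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages: two different users at the same signing domain.
RAW_ALICE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "Subject: hello\n\nbody\n"
)
RAW_BOB = RAW_ALICE.replace("alice@", "bob@")
RAW_BULK = RAW_ALICE.replace("d=example.com", "d=bulk.example.net")
RAW_UNSIGNED = "From: carol@example.org\nSubject: hi\n\nbody\n"

# Constructed reputation scores; a real deployment would query a reputation service.
REPUTATION = {"example.com": 0.9, "bulk.example.net": 0.1}

def dkim_tags(header_value):
    """Parse a DKIM-Signature tag-list: 'tag=value' pairs separated by ';'."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signing_domain(raw):
    """Return the d= domain of the first DKIM-Signature, or None if unsigned."""
    sig = message_from_string(raw).get("DKIM-Signature")
    if sig is None:
        return None
    return dkim_tags(sig).get("d", "").lower() or None

def decide(raw, dkim_verified, threshold=0.5):
    """Combine the authentication result with the signing domain's reputation.

    dkim_verified is assumed to come from a real DKIM verifier run upstream.
    """
    domain = signing_domain(raw)
    if not (domain and dkim_verified):
        return "unauthenticated"
    if domain not in REPUTATION:
        return "no-reputation"
    return "accept" if REPUTATION[domain] >= threshold else "reject"
```

Mail from alice and bob yields the same authenticated identity, `example.com`, so a per-user scheme such as a bond payout has nothing finer to key on, and a validly signed message from a low-reputation domain is still rejected.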

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

      Larry Seltzer
      Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983. He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years. For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication. In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998. Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.