IETF Conference Debates Antispam Proposals

The recent rush to adopt technologies for countering e-mail abuses like spam and phishing could pose a dangerous threat to freedom on the Internet.

"These proposals are extremely dangerous," Eric Johansson, a networking consultant for the TriArche Research Group in Cambridge, Massachusetts, told TechNewsWorld.

"We're at the decision point right now of whether or not we're going to have a relatively free and open Net for e-mail or [whether it is] going to be centrally controlled," he added.

Johansson explained that the prominent e-mail authentication technologies being pushed in the online community at the moment attempt to identify a sender and create a mechanism for shutting off that sender should he or she misbehave. "That's a threat to free speech because if you can shut off a spammer, you can shut off anybody," he said.

Johansson is working on his own decentralized authentication scheme that involves electronic "franking" of e-mail.

Authentication Desperation

Dangerous or not, the movement to adopt authentication technologies is rapidly gaining momentum. And in the rush to attack e-mail malpractitioners, corners are being cut.

At a conference of the Internet Engineering Task Force in Seoul, South Korea, this week, supporters of a technology called Sender Policy Framework (SPF) -- designed to counter common ploys used by unscrupulous spammers, including e-mail address spoofing and mail-server hijacking -- will push for expedited approval of that technology as an Internet standard.

"The spam issue has created enough urgency and even desperation, so rather than following traditional standard-setting practices where different proposals are hashed out at lengthy and infrequent meetings with standards bodies, instead there's been a rush to market to get solutions into place and experiment with them and let their strengths and weaknesses come out through real-world trials," Gail Goodman, CEO of Constant Contacts of Waltham, Massachusetts, an e-mail marketing service and charter member of the Email Service Provider Coalition, told TechNewsWorld.

Proposal Proliferation

This experimental approach already has led to a proliferation of announced solutions. In addition to SPF, there's "Caller ID" backed by Microsoft (Nasdaq: MSFT), DomainKeys being developed by Yahoo (Nasdaq: YHOO), and PostX, another antispam authentication technology.

Although SPF and Caller ID have been characterized as potential competitors, that's not the case, according to Meng Weng Wong, chief technology officer of Pobox.com, an e-mail service firm in Philadelphia.

"Caller-ID and SPF are not actually in competition, despite what the media say," Wong told TechNewsWorld via e-mail.

Different Problems

Wong explained that the technologies try to solve two different problems. The problem Caller-ID targets is phishing. In phishing, spammers forge authorship of a message to convince readers that the message is from, for example, eBay (Nasdaq: EBAY) or PayPal -- and to get their hands on a user's credit card number.

The problem SPF tries to solve is joe-jobbing. When spam e-mails, worms and viruses send malicious payloads, they do so using a forged envelope sender or forged return-path, which is where bounces go. When millions of spam e-mails go out, some of them go to undeliverable addresses, and those bounces end up in the mailboxes of innocent third parties because the reply-to addresses have been forged.

"Both are real problems, and both deserve solutions," said Wong. "There is no one solution to spam; the approaches are complementary and will work together."

Immediate Action Needed

Any widespread change to e-mail will take years to implement, noted Sean Eldridge, director of product marketing strategy at PostX Corporation in Cupertino, California.

"In the meantime, something must be done to address the problem today because it is an epidemic that's growing month by month," he told TechNewsWorld.

PostX will pull the wraps off its e-mail authentication technology in the second quarter of this year.

Asked if Internet authorities should consider junking the existing e-mail protocol -- SMTP -- and creating a more secure one, Eldridge responded: "No. I still believe e-mail is the killer app.

"E-mail is such a part of our daily way of life, right behind the telephone as our most popular form of communication, I think it would be virtually impossible to destroy it," he continued. "But if this problem keeps escalating, there will be an impact on e-mail as a mode of communication."