Can E-Mail Authentication Kill Spam?
Feb 20, 2008 4:00 AM PT
A study by the Authentication and Online Trust Alliance (AOTA) shows that more than half of all e-mail is authenticated. However, the Alliance wants the industry to push for higher adoption. AOTA has issued a call to action to implement e-mail authentication at the top level corporate domain within the next six months.
Those brands that adopt higher standards will be taking a step forward in protecting their consumers, brands and stockholders. Those that fail will realize a competitive disadvantage and expose their brands to an unacceptable level of potential exploits, according to the AOTA.
The Alliance issued the call for further implementation of authentication standards as part of its "2008 State of E-Mail Authentication and the Internet Trust Ecosystem" report. The group found that e-mail authentication adoption has surpassed the tipping point across all of its top-level adoption metrics.
E-mail authentication is a process that attempts to identify the sender of a message by verifying the domain name. Industry watchers hoped early on that e-mail authentication would bring an end to spam. But some network experts argue that authentication technology is not strong enough to eliminate all types of spam.
"We are already seeing a big impact. With adoption at 7 percent several years ago, the current adoption rate is helping to foster consumer confidence," Sam Masiello, director of threat management at MX Logic, told the E-Commerce Times. He served as a member of the steering committee for this report.
The AOTA study found that 55 percent of legitimate e-mail sent worldwide is authenticated. Adoption has reached 51 percent by Fortune 500 consumer-facing brands. Adoption has reached 52 percent of the Fortune 500 consumer-facing financial services brands, and it's reached 54 percent by the top 300 brands of Internet retailers.
The report also found that more than 1,300 FDIC (Federal Deposit Insurance Corporation) member banks have adopted e-mail authentication, demonstrating growing commitment by the financial services industry. In addition, more than 100 marketing and technology vendors support DomainKeys Identified Mail (DKIM) and/or SenderID Framework (SIDF).
The report concluded that e-mail authentication adoption is on the rise across all key business segments, ISPs and governmental agencies.
Unlikely Spam Killer
MailChimp, an e-mail marketing services provider, has done extensive research on the impact of e-mail authentication on e-mail marketing. The company's founding partner, Ben Chestnut, is convinced that authentication technology will not kill spam. However, he thinks it will help curb phishing and spoofing scams.
"Nothing will kill spam. So long as there are stupid people to send spam, and stupid people to buy stuff from spam, there will always be spam," Chestnut told the E-Commerce Times. "Theoretically, ISPs (like Hotmail, Gmail, Earthlink, etc.) can tell their users if an e-mail campaign is a fake."
Two factors stand in the way of authentication's ability to kill spam. One is the nature of spam. The other is the nature of computer users.
"To me, the question is similar to asking if human identification can stop crime. Spam is constantly changing, and users are not computer experts. The combination of these two facts results in an existing and future situation where e-mail and Web-based fraud will stay even if authentication measures are introduced. Other, non-phishing spam will also continue to thrive, since it can be any service or product that someone might want to sell," Ofer Elzam, director of product management for the Aladdin eSafe Business Unit of Aladdin Knowledge Systems, told the E-Commerce Times.
The goal of AOTA is more than pushing for the demise of all spam, according to Masiello. If consumers cannot trust e-mail from credible senders, e-commerce and marketing will continue to suffer.
"Because of spam, legitimate e-mail isn't getting read. Consumers are just deleting everything that has a brand name out of concern that it is a phishing message," he explained. "Reputation scores from e-mail authentication are a big part in defeating spam."
It is unlikely that the industry will ever get 100 percent adoption of authentication, but the more adoption that does occur, the more visibility for trust will occur, he said.
Authentication No Cure-all
Authentication puts temporary hurdles in the paths of hackers, but hackers are already finding ways to get around authentication-checking schemes.
"As far as spam goes, ubiquitous e-mail authentication will probably increase the costs of sending spam somewhat and force the spammers to change their tactics. With authentication everywhere, a spammer would not be able to constantly send spam from one server and one e-mail domain," said Chad Morris, lead engineer at MailChimp.com.
Unfortunately, this just means that sophisticated spammers will use networks of hacked computers or a large number of servers to send spam, coming from many different domains. This will only force unsophisticated spammers to buy access to these networks, said Morris.
E-mail authentication will not have a lasting impact on spammers unless the openness of the Internet changes. As long as spammers can send e-mail from any computer in the world to any e-mail address, spam will exist, according to Morris.
"Our best bet will be to keep adding more costs and more layers to the system so that it is unprofitable to send spam without hurting everyone else," he explained.
Another reason authentication may never kill spam is that spammers can easily circumvent it, according to Elzam. Spammers can hack into authenticated mail servers and can obtain valid certification of their spam servers. Spammers can also sponsor authenticated marketing companies to send spam, he explained.
Also, users cannot validate the senders even if there is authentication, noted Elzam. The e-mail can arrive from a gray source and not be marked as suspicious, he explained.
"[E-mail] might even completely avoid the use of text strings containing the name of the spoofed organization. The sender's e-mail could be obfuscated, but normal users cannot necessarily realize that," said Elzam.
E-mail authentication falls short as a fully reliable anti-spam system, asserts the head of e-mail marketing service vendor JangoMail. It wasn't designed to block all facets of e-mail abuse.
"Authentication was designed to prevent only one kind of spam, and that is phishing e-mail, or e-mails that purport to be from one particular organization but are actually sent by another organization impersonating the first organization," Ajay Goel, president of JangoMail, told the E-Commerce Times. "So in that sense, e-mail authentication is effective in blocking phishing e-mail. Non-phishing spam, however, cannot be prevented by authentication measures since spammers can just as easily authenticate their e-mail as can legitimate e-mail marketers."
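As an added example (not code from the article or from any vendor quoted in it), a simplified SPF evaluator run over a constructed DNS table shows what the "verifying the domain name" check described earlier actually establishes, and why Goel's point holds: a message claiming to come from a bank but sent from an unauthorized host fails, while a spammer whose own domain publishes a correct SPF record passes just as cleanly as a legitimate marketer. All domains and addresses below are hypothetical, and only the ip4, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS TXT records standing in for real SPF lookups (hypothetical domains).
DNS_TXT = {
    "bank.example":        "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example":      "v=spf1 ip4:198.51.100.10 -all",       # bank's outsourced sender
    "cheap-pills.example": "v=spf1 ip4:192.0.2.0/28 -all",        # a spammer's own domain
    "nospf.example":       "",                                     # publishes no policy
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Evaluate a simplified SPF policy for (connecting IP, MAIL FROM domain).

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Supports only the
    ip4, include and all mechanisms; include recursion is capped at depth 10.
    """
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced domain's policy passes
            matched = check_spf(sender_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism: skip it in this simplified model
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"


def authenticated_domain(sender_ip, mail_from_domain):
    """A 'pass' only proves the domain owner authorized this host to send.
    It says nothing about whether that domain is a bank or a spammer."""
    return mail_from_domain if check_spf(sender_ip, mail_from_domain) == "pass" else None


if __name__ == "__main__":
    # Spoofed bank message from the spammer's box vs. the spammer's own domain.
    print(check_spf("192.0.2.5", "bank.example"))          # fail
    print(authenticated_domain("192.0.2.5", "cheap-pills.example"))  # cheap-pills.example
```

Both messages leave the same host; the receiver can reject the first as a forgery, but the second is fully authenticated, which is exactly the gap between stopping phishing and stopping spam.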
Part of this short reach might be the lack of one clear technology standard. With more than one authentication method, ISPs and bulk e-mail handlers have to deal with more than one method -- and might possibly choose none.
"The bigger challenge in my mind is that there are two competing strategies, with Microsoft pushing SenderID and Yahoo going for DKIM (DomainKeys Identified Mail). Ideally, the industry would move to a uniform standard, making it easier for all involved to implement and track," Neil Bainton, MailChimp's marketing director, told the E-Commerce Times.
If e-mail authentication only shines against phishing, is there a more complete solution to killing spam?
"It's difficult to say. Spam exists today because it is profitable for the spammer. Spam will only be killed if it becomes unprofitable, illegal or both. E-mail authentication is not the complete solution, but e-mail authentication plus tougher laws and penalties is the solution," said Goel.
Holding network operators responsible might also help. Since the original sender of spam is sometimes difficult to track down, the laws need to allow both the e-mail sender and the network owner to be punished, since one can always determine from which IP network an e-mail message has been sent, he concluded.