With both the US CAN-Spam Act and the EU Directive on spam proving to be failures in stemming the flow of unsolicited emails, attention has turned once again to technology and standards in the battle against spam.
Given the intense level of scrutiny directed at Microsoft's security record in recent months, it is hardly surprising that Bill Gates has sought to position the Redmond giant at the forefront of the anti-spam movement. Only recently Microsoft was advocating the introduction of email payment or stamp systems to counter illegal bulk emailing. This month, it has proposed the so-called Caller-ID system.
The Caller-ID proposal specifically targets spam originating from false addresses, otherwise known as spoofing. The proposal aims to authenticate the sender's identity by verifying the validity of the IP address of the mail server. The process involves senders of email publishing the IP addresses of their outbound email servers in the DNS and having receiving servers configured to cross-check domains with these IP addresses before accepting incoming mail. This would require a policy document to be published in the TXT field of a domain's DNS record to establish the reputation of email senders.
This proposal is certainly not without merit, but it is a premise that requires such a radical overhaul of internet messaging systems that its chances of success are limited.
To be effective such a system requires substantial industry-wide adoption. While Microsoft has already rallied the support of a number of industry third parties, it may take months or even years to ensure widespread adoption considering the pervasive role of email around the world and the numerous technology solutions currently in use, all of which would need to be upgraded to incorporate this standard.
Another fundamental problem with the Caller-ID approach is that it seems tailored to address the concerns of larger organisations, to the detriment of smaller companies. As part of Microsoft's Coordinated Spam Reduction Initiative (CRSI), Caller-ID is just the first stage in a long-term strategy to establish a 'trusted' relationship between senders of email. It advocates the development of 'reasonable behaviour' policies, which may require specific procedures for adding someone to a mailing list, or limiting the number of messages that can be sent to a user in a given period. Such a system requires the creation of independent email trust authorities (IETAs) to monitor high-volume email senders to ensure compliance with such policies. Microsoft admits that ensuring IETA accreditation is likely to be an expensive process and smaller organisation may fall through the cracks, potentially creating an economy of email 'haves' and 'have nots'.
Implementing a new standard requires time, money and IT expertise. Not a problem for large ISPs and enterprises, but a strain on the resources of already overstretched SMEs. However, if such a system was to become widespread, SMEs may have no choice but to comply or go without authenticated email. Similarly, with a system based on reputation involving companies setting themselves up as 'clearing houses' offering trustworthiness, how long before corruption creeps into the equation? Spam is big business, linked to organised crime and the stakes are high. Will a backhander ensure a bulk mail sender gets a higher rating than a hard up SME?
In addition, the Caller-ID system is not designed to be a stand-alone response to spam but rather to work alongside content filtering systems to block the bulk of unwanted emails. The implementation of the Caller-ID initiative will do nothing to alter the fact that the underlying Windows operating system has major security problems.
Stopping spam has become a lucrative business and Microsoft, like many others, has sought to hop on the bandwagon and make some money in the process. The problem with the majority of these so-called spam solutions is that the vendors themselves are not sole messaging specialists, but are nevertheless positioning themselves as experts on the problem of unwanted emails.
Microsoft's contributions to the spam debate are of course to be welcomed. As an industry giant it has an enormous scope of influence and can play a vital role in highlighting both industry and end-user concerns about spam. However, the Caller-ID email authentication approach is currently dependent on too many other factors to be truly effective.
If and when an email authentication approach becomes a true internet standard, it would indeed have the potential to cut the number of unsolicited emails reaching our inboxes. But until that time, those seeking a respite from spam would be better off sticking with purpose-built appliance-based solutions, designed by messaging experts, deployed at the edge of the network to filter out unwanted mail.
Jamie Cowper, senior technical consultant, Mirapoint
Mirapoint were an exhibitor at Infosecurity Europe which is Europe's number one IT Security Exhibition. The event brings together professionals interested in IT Security from around the globe with suppliers of security hardware, software and consultancy services.