Want CNET to notify you of price drops and the latest stories?

Antispam methods aim to merge

A new group will try to settle the differences among competing methods of thwarting spam with a kind of caller ID for e-mail.

Paul Festa Staff Writer, CNET News.com
Paul Festa
covers browser development and Web standards.
Paul Festa
3 min read
A new group will try to reconcile competing methods to thwart spam with a kind of caller ID for e-mail.

The Anti-Spam Research Group (ASRG) of the Internet Research Task Force (IRTF) early this month formed a subcommittee to hammer out differences between a number of competing protocols that all aim to do the same thing: verify that e-mail senders are who they say they are.

With the way things work now under the Simple Mail Transfer Protocol (SMTP), there is no widespread method for that kind of verification. That has led some to calls for the revision or replacement of the ubiquitous protocol.

Proposals for how to achieve e-mail verification without scrapping SMTP abound, and many of those proposals have found their way to the IRTF, which is affiliated with the Internet Engineering Task Force.

These include Sender Permitted From (SPF), the Designated Mailers Protocol (DMP) and Reverse Mail Exchange (RMX). The ASRG's new subcommittee is charged with blending them into a single standard.

The idea behind the related schemes is to change the Domain Name System database so that e-mail servers can publish what IP addresses are associated with them. Internet service providers receiving e-mail can instantaneously verify whether an e-mail originates where it says it does.

The system, if successful, would protect e-mail server and individual address owners from having their addresses falsely suspected of sending spam.

Some efforts to attack the problem, such as the Trusted E-mail Open Standard, have already launched. But so far, they have failed to gain widespread adoption.

The problem of e-mail address spoofing is a fundamental obstacle to curbing spam, say ISPs and antispam companies. Spammers typically cover their tracks by hacking into unprotected e-mail servers, or open relays; by hijacking other e-mail servers; and by falsifying names and e-mail addresses in the e-mail sender field.

ASRG members sounded an optimistic note about the new unification subcommittee and the prospect of solving the spam problem with protocols, rather than legal curbs or economic disincentives that would force people to pay to send e-mail on a per-message basis.

"We can solve spam with a technical solution, rather than by going through the Congress or by implementing micropayments," said Meng Wong, founder and chief technology officer of Philadephia-based e-mail service provider Pobox.com, a backer of SPF and a member of the ASRG subcommittee. "We're all trying to come together on this. Because I think SPF offers a superset of functionality, we're probably going to wind up with something very similar to it by the end of the process."

Earlier this year, Pobox.com estimated that more than 70 percent of the e-mail it processed was spam.

Wong said sender verification systems would have to work in conjunction with some type of reputation system that would help recipients recognize known spammers' domains.

"Once you have reputation systems that work on the basis of domains, which spammers cannot forge, then no matter how many machines you hack into, you still have to use the spammer's domain," Wong said. "And that's how we'll get you."