MY SAY: Spam weapons of tomorrow

ISPs are on a mission: They're trying to craft the online equivalent of caller ID so they can figure out who is sending spam to their customers and more easily block junk e-mail and prosecute spammers.

Right now, spammers can easily shield their identities to get through your ISP's front door and clutter your in-box. The recently enacted Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) law is supposed to address the spam problem. But ISPs and law enforcement are having a hard time figuring out whom to prosecute.

America Online, Microsoft, and Yahoo are all working on technologies that would enable an ISP to verify that an incoming e-mail message was actually sent from the domain in its return address--and if not, reveal the real source. In addition to helping authorities track down offenders, these technologies would give ISPs the power to block e-mail with forged source information.

The e-mail authentication systems these companies are developing would keep spammers from covering their tracks by hacking into e-mail servers and unprotected computers on the Internet and falsifying data in a message's sender field. Today, half of all spam is routed through computers that mask the sender's identity, according to e-mail security firm MessageLabs.

Research in Progress

America Online is testing technology called Sender Permitted From, which can verify that an e-mail with an AOL return address originated from an AOL user. (AOL hasn't yet broadened it to cover other ISPs). SPF works by verifying domain name system records with a service provider's IP addresses.

For example, if a spammer faked a return e-mail address as being from, an ISP could tell if the message didn't originate from a matching IP address used by AOL. Any ISPs that adopt the SPF technology could easily trace AOL e-mail back to AOL. Currently, no automated process can do this.

Yahoo's DomainKeys plan would place a digital key, which could not be forged, on outbound Yahoo e-mail. When the message reaches its destination, the recipient's e-mail server would check the Yahoo key and deliver only messages that are verified as coming from Yahoo.

Last week, Microsoft proposed a spam weapon in the form of an open industry standard described in the draft specification titled "Caller ID for E-Mail: The Next Step to Deterring Spam." Like AOL's and Yahoo's proposals, Microsoft's approach looks to revamp the way all e-mail is sent and require messages to have the correct return e-mail address.

The difference among these proposals involve the type of format used to embed data in an e-mail message header, and how an ISP would use that information.

Pay-to-Spam Model

Another antispam approach builds on the fact that spammers have no financial incentive to pare their lists. There's no extra cost in sending as many e-mail pitches as possible. If a price is put on bulk e-mail, the volume of junk e-mail sent might subside.

Microsoft's approach is called Penny Black. The technology would delay delivery of incoming e-mail until the sender's computer solves a complicated math equation that would tie up that PC for about 10 seconds. The presumption is that spammers who send millions of messages would need a supercomputer to stay in business. But it's a solution for the future; the Penny Black technology would need to be built into PCs or operating systems.

Microsoft and other organizations are also exploring technologies that would force spammers to pay a small charge to either ISPs or to a central authority for each piece of unsolicited e-mail, thereby motivating them to trim their mailing lists.

Goodmail Systems is developing an e-mail postage technology that would do just that. Its electronic stamps would be free to individual users and available at a reduced price to nonprofits. Richard Gingras, Goodmail's president and CEO, says this would not only cut spam but also enable ISPs to generate revenue from spammers--which they could then use to fight spam.

Goodmail's solutions wouldn't cut off unsolicited e-mail entirely. But advertisers would have to pay an ISP to ensure their commercial e-mail message hits customer in-boxes. Any bulk e-mail message lacking a paid electronic stamp would be subject to the ISP's spam filters, with no guarantee of the message's delivery. Theoretically, spam filters could be much more restrictive if they could identify e-mail that comes from a trusted source. Personal e-mail with an e-stamp would never be blocked by accident, and an advertiser's e-mail with an e-stamp would have to identify itself.

"Every spam-fighting option is on the table for consideration right now," says Dale Malik, director of product management at BellSouth. He estimates that spam costs ISPs like BellSouth about US$3 per in-box yearly. The costs come from paying for filtering technology, e-mail storage for customer in-boxes, and the network bandwidth that spam uses.

Despite these varied antispam efforts in progress, don't ditch your desktop spam filter quite yet. All of these technologies are still only being researched and undergoing limited testing.