Perhaps the act's most positive effect was the guidance it provided to companies on how to send e-mail ads and correspond with customers. But that only goes so far in an industry dominated by fraudsters and criminals.
More than five years after Can-Spam was passed, anti-spam companies continue to search for the right combination of technical measures that will rid customers' in-boxes of unwanted commercial e-mail. Greg Shapiro, CTO and VP of messaging vendor Sendmail, lists three such measures: First, have Internet service providers block outgoing port 25 and scan customers' outgoing e-mail; second, authenticate senders; and third, build reputation systems for senders and domains.
Return To Sender
The Sender Policy Framework, an open standard, aims to provide sender authentication. SPF, which specifies a technical method to prevent sender-address forgery, has gained steam in the last few years.
DomainKeys Identified Mail (DKIM) extends the concept of sender authentication beyond SPF, adding cryptographic signatures to outgoing e-mail. Receiving servers verify that the message is legitimate by looking up the public key in DNS (see diagram, below).
By proving that an e-mail is authorized to come from a particular domain, DKIM enables the use of more advanced reputation systems. Current systems track the reputation of IP addresses, deciding how to handle messages based on the sending IP's track record. Vendors are now working to develop systems that track the reputation of the domain included in the "From" header, eliminating the inaccurate results that IP reputation provides when mail is forwarded or companies use shared-hosted mail servers.
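As an added illustration (not part of the original article, and not any vendor's code), the Python sketch below shows the two steps a receiving server takes before scoring a domain: it reads the DKIM-Signature header to find the DNS name that holds the signer's public key, then checks that the signing domain covers the domain in the "From" header. The sample message, the selector `mail2024` and the subdomain-matching policy are assumptions made for the example; the cryptographic check of the signature itself is left out.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: domain, selector and base64 values are made up.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=mail2024; h=from:to:subject:date;
 bh=Y29uc3RydWN0ZWQtYm9keS1oYXNo;
 b=Y29uc3RydWN0ZWQtc2lnbmF0dXJl
From: Alice <alice@news.example.com>
To: bob@example.net
Subject: Hello

Body text.
"""

REQUIRED_TAGS = {"v", "a", "d", "s", "h", "bh", "b"}  # required by RFC 6376

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first "=" only; base64 may end in "="
        if sep:
            # Header folding leaves whitespace inside values; it is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_lookup(raw_message):
    """Return where the verifier fetches the key and which domain to score."""
    msg = message_from_string(raw_message)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return None  # unsigned mail: nothing ties it to a domain
    tags = parse_dkim_tags(sig)
    missing = REQUIRED_TAGS - tags.keys()
    if missing:
        raise ValueError(f"DKIM-Signature lacks tags: {sorted(missing)}")
    signer = tags["d"].lower()
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    return {
        "key_record": f"{tags['s']}._domainkey.{signer}",  # DNS TXT name of the public key
        "signs_from": "from" in tags["h"].lower().split(":"),
        "from_domain": from_domain,
        # Assumed policy: the signer covers its own subdomains.
        "from_covered": from_domain == signer or from_domain.endswith("." + signer),
    }
```

A reputation system would only credit or penalize the "From" domain when both `signs_from` and `from_covered` are true and the signature verifies against the key published at `key_record`.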
Domain reputation can even combat phishing, because look-alike domain names (substituting similar-looking characters for letters in URLs of well-known companies) could receive poor reputation scores and have their e-mail dropped in the bit bucket.
The groundwork for these new technologies is in place, and more innovations are on the way. Many anti-spam vendors have added sender-IP reputation systems to their arsenals, for example. In addition, the Internet Engineering Task Force is looking into standardizing protocols for querying reputation databases, enabling interoperability. Reputation firms are developing techniques to score domains, with some major e-mail hubs moving forward. For example, AOL this year will start using domain reputation to filter messages for domains that use DKIM.
