The State Of Spam

Taking On PhishingOne of Microsoft's latest tactics to tackle spam, particularly phishing attacks, is Sender ID, an authentication technology protocol that validates the origin of e-mail by verifying the IP address of the server sending the message against a registered list of servers that the domain owner has authorized to send e-mail. The ISP or recipient's mail server automatically performs the verification before delivering messages.

"We're paying more attention to reputation of the sender," Scarrow says. "That has been a really big deterrent for phishing. We're seeing people who really want to protect their brands -- eBay, PayPal, banks, e-marketers -- using Sender ID." Nearly one-third of Hotmail traffic has Sender ID attached to it, says Scarrow.

However, Sender ID is just one of three approaches to sender authentication -- along with Sender Policy Framework and Domain Keys Identified Mail -- under review by the Internet Engineering Task Force, an international standards organization.

Sender ID is the least useful of the three, according to Arabella Hallawell, a research vice president at Gartner. She says that DKIM is the most comprehensive of the three authentication methods and is gaining the fastest adoption rate among financial services companies and other spoofing victims.

Hallawell adds that e-mail authentication standards in general are much better at preventing phishing than spam. She believes that an arsenal of spam detection also should include connection-management techniques, which examine the traffic patterns and history of a domain-sending e-mail. This is an important step because not all spammers hijack domains.

A Bleak Outlook
The constant back and forth between spammers and the programmers trying to stop them seems to have no end. Spammers have even called in to AOL's Postmaster (a team that works with e-mailers to be sure their mailings do not constitute spam), posing as legitimate mailers and asking about the company's practices, according to Jones.

"You can't just put a spam rule in place and expect it to work forever," Jones says. "If we weren't constantly adjusting those rules we wouldn't be able to block as much because the spammers adapt quickly."

So what's the next step in stopping spammers? Not everyone believes more spam-fighting software is the answer. "The technological cat-and-mouse game does little to solve the problem; rather, it just masks it," says Geist, who would like to see more international cooperation between law enforcement and governments.

It's unlikely that any help will arrive soon in the form of tougher legislation. "There isn't the outcry that there was a few years ago, telling legislators to get this done," says CAUCE's Mozena. His organization has pushed for state legislators in Michigan to make it illegal to send spam to any computer network owned by a governmental or educational entity that is supported by taxpayers, but interest is tepid.

With no public outcry against spam today, legislators are more concerned with identity theft. "You'd think that voting against spam would be like voting in favor of Mom and apple pie," Mozena says. "You'd think that would be a slam dunk legally and politically, but it's not."

This could all change, of course, if spam-captured zombies are used in conjunction with a terrorist attack, as CAUCE's Schwartzman predicts. But in the end, it is our choice as to whether spam becomes an issue for our leaders to pay attention to, or simply another modern (and expensive) irritant to be tolerated.