IBM on Tuesday introduced a new anti-spam technology that its developer says will nab eight out of ten spams off the bat, and fill the gap until more robust sender authentication schemes, such as Sender ID, SPF, or DomainKeys, are widely adopted.
Dubbed FairUCE (Fair use of Unsolicited Commercial E-mail), the technology hit IBM's alphaWorks section Tuesday. alphaWorks is where IBM typically debuts under-construction and untried technologies to customers.
Like other sender authentication protocols, FairUCE is aimed at stopping the "spoofing" of e-mail, the common practice by most spammers and all phishers of forging their From: addresses in an attempt to hide their whereabouts. In many cases -- some analysts estimate as much as one-half -- spoofed spam is sent from so-called "zombies," or previously-compromised PCs not owned, only controlled, by the spammer.
Unlike other schemes, however, FairUCE doesn't rely on domain owners "publishing" records authenticating that mail from their domain is, in fact, coming from their servers. Instead, it tries to find a relationship between the sender's domain and the IP address of the client delivering the mail using a series of cached DNS look-ups.
"Emerging identity systems such as SPF, Sender ID, and DomainKeys can tell us for sure [if a sender address is spoofed], but they require each domain to publish new information," wrote Mathew Nelson, an IBM researcher and the creator of FairUCE, in an introductory message posted to a forum on alphaWorks. "Until every domain does this, we need something else. The FairUCE best-guess system fills that gap by taking an educated guess. Incoming mail is marked as either AUTHORIZED, meaning very likely the address is not spoofed, or NOTAUTHORIZED, meaning the address is probably spoofed."
If a relationship is found, FairUCE checks the recipient's whitelist and blacklist -- which are dynamically updated after an initial "seeding" by a database provided by IBM -- as well as a reputation score to determine whether to accept, reject, or challenge.
That latter is likely the most controversial part of FairUCE. Usually called "challenge/response," it's a universally-disliked anti-spam technique that requires senders to manually reply to queries from recipients to verify their addresses.
Nelson stressed that the query FairUCE generates if it doesn't find a match between address and domain isn't a challenge/response per se. "I say 'inquiry' rather than 'challenge,' because we're not asking if the sender is human, just if they are who they say they are, at least to the domain level."
Such inquires, he claimed, would only be sent to spoofed spam coming from zombies, to power users who specify a different e-mail address for bounces, and a few other "rare exceptions."
Some have taken the inquiry or challenge/response mechanism to mean that FairUCE will be returning spam to the sending system in a tit-for-tat counter-attack. Not true, said Marc Goubert, the manager of alphaWorks. "That's not what 'challenge' is about," he said. "We're returning inquiries for the domain to identify itself, not the spam."
The inquiry, added Nelson, is initiated by making a connection to the sending IP address, which is often met immediately with a "connection refused" error. Most times, Nelson said, no actual data is returned to the sender, and if some is, he said it's very small.
"And if a domain doesn't want to receive inquiries for spoofed mail, they can simply publish an SPF record saying so," he said.
Rather than send an inquiry, FairUCE can be administrator-configured to simply mark the unmatched -- and likely spoofed and thus spammed -- messages, or even discard them, although there the false-positive problem rears its head, admitted Goubert.
Nelson claimed that FairUCE would identify all the mail coming from zombies, about 80 percent of the spam according to his numbers, almost immediately.
"That's a huge tool spammers have, and provides incentive for writing viruses to sell banks of compromised computers for cash. We can take that away from them with sender identity. Lacking that, with FairUCE we can take it away for the cost of a few delivery attempts," he said.
"For the vast majority of legitimate mail, from AOL to mailing lists to vanity domains, this is a snap. If such a relationship cannot be found, FairUCE attempts to find one by sending a user-customizable challenge/response. This alone catches 80 percent of unsolicited commercial e-mail and very rarely challenges legitimate mail."
"This sounds really interesting," said Richi Jennings, an analyst with messaging research firm Ferris Research. "There might still be some false-positive problems, and possibly problems for companies doing e-mail campaigns and transaction e-mails using third-party outsourcers, but the good news is that this doesn't require any domain records published."
One other problem that Jennings noted -- as did at least one poster to the forum following Nelson's opening message -- was that technology like FairUCE might simply drive spammers to go semi-legit.
"Although I can see this identifying the bulk of spam today, that's not necessarily true in the future," said Jennings. "Spammers may say, 'I'll just stop spoofing.' We saw some indication in the early days of SPF, when spammers were publishing their domain records.
"Spammers have a great ability to play with the arms race between spammers and anti-spammers," he added.
Nelson, however, says that since his creation works now, it deserves a try.
"FairUCE isn't perfect. It's a first iteration," he said. "But it's stopping 99+ percent of spam from reaching my inbox, the other 1 percent will never spam me again, it's not challenging any of the bulk mail I want, it's not challenging my friends or family, it's not challenging any of the mailing lists I'm on."
While not open-source -- although that's not outside the realm of possibility down the road, said alphaWorks' Goubert -- FairUCE can be downloaded free of charge from IBM's site. For now, it runs only on Linux and requires the Postfix mail server software.