The end of spam? Unmasking the stealth spammer through Source Authentication.
Spam exists because spammers can use various methods to hide their identities. If it were easy to expose the identity of a spammer, the large majority of them would not bother to use spam as a way to make money. With new laws in place, spammers--whose Identities are revealed--may face criminal and civil penalties.
When Source Authentication is adopted as an industry standard, spam will end forever. In order for spammers to distribute spam, releasing their identity to each of the recipients of their e-mail messages will be a requirement, thereby creating a serious problem for them. Not only will we know who they are, but also we will likely know their address, phone number, place of business, how many spares they have sent and to whom. Only a few will attempt to spam in this environment. Those few, who attempt to send spam, will have their efforts thwarted, in addition to facing the consequences of their crime.
Is Your E-mail Legitimate?
Source Authentication technology provides us with a solution to spam beyond unmasking the spammer. It provides us with a secure sense that the sender of the e-mail is who he says he is. Without Source Authentication, you can receive e-mails from people who are pretending to be other people. You cannot be sure of the sender, and it is unbelievably easy for people to fool e-mail servers.
Almost every spam e-mail message uses e-mail spoofing. Occasionally, one may even receive e-mail messages that are "From" your own e-mail address! Imagine the havoc a spammer can cause with the ability to spoof one's identity, in addition to spoofing that individual. This form of identity theft must be stopped. Source Authentication achieves that goal by forcing e-mail to come from the real owner of the address that is in the "Return-Path:" portion of the e-mail header. It is good practice to view a header for this return path statement at the top of all e-mail message headers. With Source Authentication the return path cannot be falsified.
Comparison: Source Authentication vs. The Problem
One element of Source Authentication is that the senders of e-mail are asked to reply to the recipients by simply clicking on "reply" and then "send" Question: Is responding to reply inquiries as much of a problem as spam itself? Answer: Absolutely not. Consider how much effort it takes for that person (10-30 minutes per e-mail session) to deal with spam every day. Spam is the problem.
Cost of Implementation
Since Source Authentication is an e-mail server-based technology, it will often be implemented at the ISP (Internet Service Provider) level. Today, many ISPs have put spam-filtering systems in place. The cost to the typical ISP will be less in processing power than it takes to run most filtering systems. In side-by-side tests Block All Spam has found that e-mail servers that were running filters, rules and other technologies processed less e-mail per hour than the servers running Source Authentication. This results in reduced costs of equipment and resources per e-mail account.
Cost of Development
Compared to the costs of forever looking for and implementing filter-based, rules-based and AI-based technologies to solve this problem, Source Authentication offers a solution for a one-time development cost. E-mail server manufacturers will be able to redirect their energies into productive features instead of "the war on spam."
Reduces Human Error
In-boxes with zero spam are used more productively and fewer legitimate e-mails are accidentally deleted. When someone gets large numbers of spam each day, it is very likely that one or more legitimate e-mails will get accidentally deleted along with the spam.
Cost to Business and Personal Relationships
A case can be made that we don't want to put barriers in front of all senders. In these cases, the use of white lists that pre-authorize e-mail from certain source addresses is desirable. Realizing that any e-mail that is not Source Authenticated may not be from whom it says it is from; people must carefully choose which e-mail they will allow to be pre-authenticated.
Eliminates the "Dual" Inbox
In filter-based systems, we often have to check the quarantine box for valid e-mails because the system might make a mistake. It becomes almost a second inbox to many, as they still have to plow through all of the spam that the filter detected, looking for those e-mails that should have been directed to their inbox. Source Authentication has no quarantine box.
WebMail Mailbox Space
WebMail-based systems and other e-mail servers charge users for the amount of space that they use. If a user gets a lot of spam, he may end up with "mailbox full" problems, thereby preventing him from getting e-mail he really does want to read. With Source Authentication, the spam never reaches the mailbox.
A Server-Side Solution The e-mail server is the point of connection where mail is moved around the Internet. E-mail clients simply download mail from the e-mail server and do not have the same real-time capabilities, or even access to the same information as the e-mail server. This technology is and should be implemented on the e-mail server and not on the e-mail client, or desktop. There are volumes of reasons why this is the case, but to name a few:
* E-mail servers, by design, make real-time processing decisions involving e-mail on the Internet. E-mail clients simply connect to e-mail servers at a user's convenience. It is not very practical to have e-mail clients making decisions, creating e-mail messages and doing other processing that should be done in real time on the server side.
* It is entirely inefficient for e-mail clients to be downloading and processing spam mail and then simply not presenting it the software user.
* It is a far simpler approach to implementation, to simply update an e-mail server than to update all of the client software packages that connect to e-mail servers. This reason is especially highlighted by the fact that the technology belongs on the server in the first place. It is just as illogical to implement this technology on the client side as it is to consider updating all e-mail clients instead of all e-mail servers.
Mail Harvesting Fails Against Source Authentication
Source Authentication does build a white list in order to minimize the inconvenience placed on senders to reply to Source Authentication. A sender, in most cases, will only need to reply once because of this. The argument that harvesting e-mail addresses from websites or newsgroups serves to identify e-mail addresses that are "authorized" does not work since the system is designed to protect against spoofing e-mail addresses. Source Authentication uses an impenetrable defense against a harvested e-mail address attack.
Source Authentication Allows Receipt of Newsletters and eCommerce Receipts
One of the major failures of other anti-spam technologies is their inability to easily work with legitimate automated e-mail, such as newsletters and eCommerce confirmations or receipts. With Source Authentication, these are not problems.
Source Authentication Eliminates Filtering Mistakes
Filters are prone to error and the task assigned to a filter program is early impossible. A filtering system is asked to differentiate a spam e-mail from a normal e-mail based on the data the spammer himself provides. Filtering systems "read" mail, check IP addresses, check domain names, check e-mail addresses, look at headers, look for specific text or phrases, use point systems, and so on. The underlining principal is flawed: When bad data comes into an Application it means the information the application will present is going be unreliable. Filters make mistakes and delete or otherwise "hold" valid e-mail incorrectly while sometimes passing spare along to the recipient.
Source Authentication is Superior to Weighted Value-Based Systems
A spam "cocktail" approach of constantly changing parameters as to what weight to assign what technique or portion of the e-mail requires going through endless trial and error. This technique usually ends up with no resolution of the problem and it is not a scientifically sound approach.
What weighted value-based systems really are is a compilation of many techniques that don't work by themselves. Therefore, the solution is to give each one a partial weight in factoring a total decision. On the surface this seems ideal, because AI systems use this concept. In fact, even the inventor of Source Authentication used the weighted value technique to attempt to block spam at many points over the last six years.
The problem is that, regardless of how many individual incomplete solutions are thrown at a problem, there still is no answer because of the pure volume of solutions and the weight analysis of each solution. Source Authentication is the only solution capable of putting an end to spam.
Source Authentication is Not Challenge Response
Source Authentication stays within the SMTP protocol and only requires that the sender reply to the e-mail. Source Authentication does not require the e-mail sender to go to a website to confirm that he is human, by being able to visually see something on the website and, in some cases, enter a code. Source Authentication has the advantage that computers may also reply and thus authenticate the e-mail as being legitimate, without forcing the sender to be a human being. Human source e-mails are not the only valid e-mails.
There needs to be a clear distinction in name between other similar technologies and this technology. For those who are extremely technical, there is a "challenge response" characteristic of Source Authentication. One can make a rational point that the reply e-mail is a "challenge" and the computer or human reply to that e-mail is the "response."
While it is technically correct to say Source Authentication uses a challenge and a response to authenticate a source e-mail, there is more to Source Authentication than the term "challenge response" implies. But, for the differences seen at the user level, it is clear that we should not label "Source Authentication" a "Challenge Response" system simply because some of the characteristics found in the two technologies have some similarities. For example, VHS and DVD systems can both be used to play a movie on your TV but they are given different names because they are different technologies. They could be called "movie players" because they both do that--but no one does.
Source Authentication Works for All Networks
Unlike other solutions, Source Authentication works across all networks, and can be implemented by any e-mail server manufacturer, for use by all. Source Authentication is designed to recognize itself when sending and receiving replies from other e-mail servers. This is critical, because the solution to spam must be one that is compatible with all e-mail servers. If other solutions are implemented, "mail loop" problems will be more frequent on the Internet.
The entire Internet needs a solution that is as self-compatible as the SMTP protocol itself Source Authentication accomplishes this by staying within the SMTP layer for handling replies and recognizing itself.
"We must solve the spam problem now," says Way. "We cannot let spam bring the Internet to a screeching halt."
Gregory Way is the inventor of Block All Spam, Inc. (West Hills, Calif.)
|Printer friendly Cite/link Email Feedback|
|Publication:||Computer Technology Review|
|Date:||Jul 1, 2003|
|Previous Article:||Disk-based backup: is LAN-based or SAN-based the fairest mirror of them all?|
|Next Article:||Getting the most from broadband connectivity with wireless networking.|