False Hope for Stopping Spam

Continued from page 2

By Simson Garfinkel

February 4, 2004

A competing system that's gaining ground is called Sender Permitted From, or SPF. This system, currently making its way through the Internet Engineering Task Force, lets mail administrators publish the IP addresses of their outgoing mail servers. I can publish a notice for a domain that tells people receiving e-mail the IP address of my mail server. Then, if a recipient of an e-mail message sees mail that claims to be from my domain but that is coming from a different IP address, they know that the e-mail is not legitimate. Publishing these so-called SPF records is a kind of Internet self-defense. Unfortunately, SPF breaks some mail-forwarding schemes. Consider MIT's "e-mail forwarding for life" system, which lets alumni use @alum.mit.edu addresses for their outgoing mail. MIT couldn't publish an SPF record for the alum.mit.edu domain, because the alumni aren't sending their e-mail through MIT's mail servers.

Because SPF is going through the Internet standardization process, its kinks will more than likely be worked out in a manner that's systematic and fair to most of the people who are involved.

Neither SPF nor Domain Key is perfect. Neither can stop spam from new domains that have never been registered before and don't have associated Domain Keys or published SPF records. And neither can stop spam that comes from legitimate Yahoo! and Hotmail customers-spam that's sent out by computer worms and viruses. That's why the SPF Web site emphasizes that "SPF is primarily an anti-forgery effort." SPF's main result will be to prevent spammers from using e-mail addresses ending with @aol.com and other well-known domains. But forcing spammers away from these domains and to fly-by-night domains will in turn make the spam easier to filter out.

The Spam Conference gave me lots of good ideas for short-term technical fixes that I can use to help deal with my spam problem-at least for the next few months. I went home and published an SPF record for my home domain. Then I reconfigured my e-mail server to bounce suspected spam back to the sender, rather than dropping it into my spam box. The reason for this change is that I wasn't looking inside my spam box, and mail was getting lost. At least this way the senders will know that their mail isn't getting through, and they can call me on the phone.

And so today my spam problem is once again under control.

In the long term, however, these fixes are sure to fail. And there's a worrisome lesson here. E-mail and Internet-based communications are powerful tools-and just a few people have figured out ways to turn them against the vast majority of Internet users, at a cost to businesses that is now estimated at over a billion dollars. What will happen when the new powerful tools of biotechnology and nanotechnology become widespread? If we can't tackle the spam problem, then the future may be quite bleak.