Father of the internet says email ID will cure spam

If your name's not down, you're not coming in…

By Stefanie Olsen, 18 June 2004 09:30

NEWS Making mass emailers identifiable is the first step toward curing the epidemic of spam, said Vint Cerf, one of the architects of the internet.

Cerf, who co-created the internet's TCP/IP (Transmission Control Protocol/Internet Protocol) protocols and now works as chief corporate strategist for MCI, delivered opening remarks at the inaugural Email Technology Conference.

The chief topic of debate at the conference was spam. Cerf said that standardising methods for authenticating email senders would ultimately lead to successful filtering, a set of technologies that many of the companies attending the conference are developing.

"Getting to critical mass with those sorts of mechanisms will be really interesting," Cerf said to an audience of technology executives attending the two-day conference.

"Starting from that angle will be more productive than anything," he added. Previously, Cerf had jokingly suggested that the industry hold public floggings of spammers as a deterrent.

Spam has skyrocketed to epic proportions since the first email was sent in 1971. Back then, there were just a few geeks sending email, as Cerf put it in his presentation on the history of the internet, so there was no one to send unsolicited commercial email to.

In 1989, when the first commercial internet service providers emerged, including UUnet and PSINet, the opportunity unfolded. Now, as much as 64 per cent of all email is unwanted bulk mail, according to estimates from spam-filtering company Brightmail.

Spam has risen to such heights partly because of a fundamental weakness in the Simple Mail Transfer Protocol, or SMTP, the messaging protocol that has defined email for more than two decades. Using SMTP, email recipients have no way of determining whether senders are who they say they are.

As a result, momentum is building for an email authentication standard. The Federal Trade Commission in its report on the proposed federal Do Not Email registry said the industry needs to develop a common system for verifying e-mail senders before it could work. Many major companies are also helping foster the checks and balances necessary to ID those sending unwanted email.

For example, Microsoft recently brokered a deal to consolidate Sender Policy Framework and Microsoft's Caller ID for Email - two antispam authentication schemes that look at DNS (Domain Name System) records to determine senders. Others, including Yahoo!, are testing key encryption protocols to verify senders.
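How a receiving mail server can use DNS-published records to check a sender, shown as an added example that is not part of the original article: it evaluates only the `ip4`/`ip6`/`all` subset of SPF record syntax, and the domains, addresses and the in-memory record table are constructed stand-ins for real DNS lookups.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups; every domain and
# address is a reserved documentation value, not taken from the article.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-offers.example": "v=spf1 ip4:203.0.113.7 -all",
    "legacy.example": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all subset of an SPF record for the MAIL FROM domain."""
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # domain publishes no policy: sender cannot be checked
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            return "unsupported"  # include, a, mx, etc. need real DNS queries
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, sender in [
        ("192.0.2.25", "alerts@bank.example"),         # bank's own server
        ("203.0.113.7", "alerts@bank.example"),        # forged bank sender
        ("203.0.113.7", "deals@bulk-offers.example"),  # bulk mailer, own domain
        ("203.0.113.7", "news@legacy.example"),
        ("203.0.113.7", "hello@unpublished.example"),
    ]:
        print(f"{sender:28} from {ip:12} -> {check_spf(ip, sender)}")
```

A `pass` for the bulk mailer's own domain shows what the check establishes: which domain is accountable for the message, which a filter can then weigh, rather than whether the message is wanted.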

Cerf touched on digital signatures as a means to encrypt and verify senders, which his company MCI has used effectively. The digital signatures, or unique codes given to each individual, are attached to email and must be authenticated to deliver the message. The system would run into problems in a public forum, he said, because of a lack of a central authority from country to country or state to state to govern the technology.

Several anti-junk mail companies announced new wares to fight the problem this week.

Cloudmark introduced a system for filtering spam that can be customised for individual corporations and improve on what's blocked. The system, called Cloudmark Immunity, builds up a spam "immunity" based on input on what is unwanted email from employees, according to the company.

Earlier this week, IronPort Systems unveiled a virus-protection filter to be integrated with its own email security appliance. The technology, called Virus Outbreak Filters, is used to detect and quarantine suspicious email or viruses before they can infect the entire network.

For consumers, Cerf suggested that everyone adopt a regimen of "cyberhygiene" to protect themselves from spam, viruses and spyware. Running filters and anti-spyware programs like Ad-aware should be a regular habit, he said, because active HTML (Hypertext Markup Language) and XML (Extensible Markup Language) have made receiving unwanted software on the PC dangerous.

"Like brushing our teeth, we need to train ourselves to run those kinds of filters often," he said.

Stefanie Olsen writes for CNET News.com

Comments

There are 9 comments.

  1. Reg Fitzpatrick

    You are wrong to suggest that Cerf is the father of the internet!
    The one and only father (and creator) of the internet is Sir Tim Berners-Lee and no American will be allowed to hijack this honour!

  2. Craig

    Sir Tim Berners-Lee invented the World Wide Web. That is an entirely different thing from the Internet, Reg!

  3. Mike Alexander

    Sorry, but in response to the comment from Reg Fitzpatrick: Cerf IS the father of the Internet (or can certainly lay claim to be one of the founding fathers)!

    Vint Cerf was key in developing the TCP/IP protocols that the Internet uses in order to function, and still takes a great interest and involvement in the continued development of aspects of the Internet.

    Tim Berners-Lee developed the HTML language that is used to create web pages - the World Wide Web. He did not "create" the Internet - the Internet existed long before the Web did. So don't confuse WWW with Internet - WWW is but one facet of the Internet.

    Whilst patriotism may be an admirable trait it shouldn't blind people to the true facts.

  4. Andy L

    Ahem, back to the issue...

    Technical fixes for spam are only one side of the solution. Law needs to catch up with the use of new technologies.

    To send bulk (physical) mail, or send out leaflets, or put up posters in the "real" world, publishers need to include a *genuine* name and contact details. The same should apply to mass mailings on the Internet.

    This way if anyone sends mail to people without genuine identification they are committing an offence - which may be additional to offences included in the content of the email.
    A $1 fine per unsolicited email sent would be quite a good deterrent, and an incentive for the authorities to track people down.

    Without this kind of provision technical fixes to reduce spam lack teeth for dealing with people who find their way around the technology.

    This kind of solution also protects bona fide companies with a genuine commercial operation and who enable people to remove themselves from mailing lists.

    Safeguards can also be built in to protect people sending individual emails whose identity genuinely needs to be kept secret (e.g. whistle-blowers and people acting in the public interest)

    These principles are easy to incorporate into the law of any nation, and do not conflict with the basic right to free speech. They are a pre-requisite for any kind of enforcement action.

  5. Darrall Pullen

    I recently found that my spam filtering software from ******** was not filtering out the messages that were being generated from a whitelisted person who had a security threat on one or more of their company computers. 4500+ messages an hour being dumped into my admin boxes from spoofed SMTP senders with no patterns. Ok so the SMTP header proved the culprit party but to my disgust upon confrontation of the respective IT manager he admitted that a Virus/Virii/Threat were on his LAN and VPN circuits and that he didn't have up to date security to protect his systems/users. This was not bulk e-mails, rather singular messages generating massive amounts of traffic from both sides either as sent SMTP or NDRs. Blocking the domain was not an option as we do legitimate business with this organisation daily and so could not just cut them off. My answer was to write a script bombarding (400-1) their entire SMTP domains with email for every message they sent me that was spoofed SPAM email from their domain. It took a few days to get the message but now they have a decent AV and spam protection policies. Luckily we had 400% more bandwidth to waste in this instance but how else can you block the SPAM that comes from legitimate businesses that have security breaches? I understand how you could use identification to block SPAM using blacklists but how could this be addressed by what is being discussed here?

  6. Shriver

    You're at least a year late to the party (spam debate), Sir Tim, but welcome. Last year I suggested to silicon.com in one of these 'replies' that if Microsoft, AOL et al stopped giving SMTP email addresses for free to anyone and if all ISPs required proven ID (ie credit card name, billing mailing address etc) then all email address owners could be identified. And if all ISPs traced all outbound email by sender address, then all the sources of all spam could be identified, and therefore spammers could be identified, and jailed, if need be. When will the IT industry wake up to some common sense?

  7. Andrew Yeomans

    SPF and Caller ID only move the problem.

    Andy L is totally correct in stating we need laws against deceptive addresses. All that SPF and the like do is authenticate *email postmarks*.

    So if SPF/Caller-ID/etc became commonplace, the response of the spammers is simply to stop forging sender addresses and run their own domain, with completely legitimate SPF markers, all in some TLD that allows them to do so. And use false contact information in the domain registration.

    Result - very little difference in spam volume. Maybe you could filter by the domains used - but these will also come and go rapidly.

    I'd add that the laws need to target the advertisers at least as much as the immediate senders of spam email, to make it unprofitable to misuse email, while permitting legitimate commercial use.

  8. Jennifer

    Internet has a capital I! (Ed note. Thank you for your grammar advice. We'll not be changing our house style because of it, but thanks anyway. Good luck with your studies.)

  9. A Michelle Caldwell

    Since when is capitalization of a proper noun a house style issue? Internet is a proper noun, and proper nouns in the English language are capitalized. Look it up in the dictionary.

    (Ed note. We'll not be changing this. We are perfectly aware of the grammatical point you make, but we're also perfectly aware that you obviously still understood what the word meant - even without the capital letter - 'if it ain't broke...'. These messageboards are for people to discuss the stories, not the grammar.)
