Sunday, February 19, 2012

Anti-Spam Plan Forged by E-Mail Providers.


     Jun. 23--An alliance of some of the world's largest e-mail providers unveiled a plan Tuesday to slow the torrent of spam that now accounts for well more than half of all e-mail.
      At the heart of the proposal are two technological solutions that would help verify that e-mail is actually coming from the people who appear to be sending it. About half of all unsolicited e-mailed advertising pitches, nicknamed "spam," are sent with forged return addresses, according to Microsoft.
     Microsoft, America Online, Yahoo and EarthLink said they would test the two methods for the rest of this year, with a goal of implementing one or both after that.
"The bet is we're going to find that both strategies work very well together," said Miles Libbey, anti-spam product manager for Yahoo Mail.
     One method, backed by Microsoft, AOL and EarthLink, involves checking the address of an incoming e-mail against its numerical Internet identifier. It's the digital equivalent of the post office matching people's names with their registered home addresses -- if there's no match, the e-mail doesn't go through.
     The other method, backed by Yahoo, adds a unique digital signature, or key, to each outgoing message. The recipient's e-mail provider then matches the signature against another key to make sure it is authentic.
     "If we really want to make some real progress here, the first thing we have to solve is the identity issue," said Ryan Hamlin, general manager of Microsoft's anti-spam technology and strategy group.
     The companies, which formed the Anti-Spam Technical Alliance in April 2003, said they are committed to finding better ways to block spam from ever reaching customers.
It's a constant battle. As technology and federal legislation make life more difficult for the senders of unwanted e-mail pitches, many of them are turning to new technology tricks. They "spoof," or forge, e-mail addresses to avoid detection.
     They also use special software, often spread via infected e-mails, to hijack individual computers and turn them into "zombies" that send out thousands of pitches for everything from cheap mortgages to Viagra.
     "Spammers are quickly evolving and changing their strategies for not only sending mail...but also strategies for changing their identity and forgery," said Libbey of Yahoo.
Tuesday's proposal includes 21 recommendations for Internet service providers, e-mail marketers and consumers to help stop unwanted e-mail. For ISPs, the alliance recommended that they close common security holes and limit the amount of e-mail a user could send. (Thousands of e-mails coming from a home user is a common sign that the computer is being used as a zombie.)
     The alliance urged consumers to install firewalls and anti-virus software and use spam filters to stem the tide. And legitimate e-mail marketers were urged to make it easy for recipients to opt out of pitches.
The guidelines were the first recommendations put out by the alliance, which was founded in April 2003. In March of this year, members of the group sued some spammers under the federal CAN-SPAM law.
     Some e-mail experts saw little new in Tuesday's announcements.
     "It is sort of the biggest players coming together to endorse a set of common principles, but there is certainly nothing controversial about these principles," said Ray Everett-Church, chief privacy officer of ePrivacy Group, which sells anti-spam technology.
He added that there still is no agreement on the key issue of a standard method for accurately identifying e-mail senders, which affects not only spam but also the e-mail fraud known as "phishing." In a phishing scam, an e-mail sender tries to trick a recipient into giving up sensitive financial information by pretending that the e-mail is coming from a bank or other legitimate business.
     "There are some deep divisions with regard to what is the most effective way to take on the identity issues that are so much a part of the spam and phishing problem," Everett-Church said. EPrivacy is developing an authentication standard of its own.
Spammers gain access to zombie computers through backdoor programs left behind by viruses. The increased use of "always on" high-speed home Internet connections has given spammers a ready supply of machines that can be easily taken over, said Michael Osterman, president of research and consulting firm Osterman Research.
Microsoft has said that about 40 percent of the spam it monitors is sent from zombie machines.
     "If the ISPs do make some headway into the best practices, we're going to radically reduce the amount of machines that the spammers can use," Libbey said.
