The best way to can spam

It’s a security risk, a productivity drain, and just plain annoying. Put a lid on unwanted e-mail with a multi-layered strategy

These legitimate bulk mailings are classic DNSBL “false positives” from probably legitimate bulk-mail senders who got blacklisted. To certify such legitimate senders and to avoid incorrect identification, another set of checks and balances is helpful. IronPort, for example, has created a Bonded Sender program that inverts the DNSBL idea. In this scheme, a high-volume sender (for example, CNET) puts up a bond that’s forfeited if one or more of its registered IP addresses violates a list’s opt-in policy or otherwise engages in spam.

This strategy is a DNSWL (DNS-based white list) from which a positive response means “trustworthy sender.” How an anti-spam system makes use of that judgment is, again, a matter of policy; skipping content checks would be a reasonable and likely policy.

Another new strategy for certifying the sender’s identity is the RMX (Reverse Mail eXchange) proposal. A DNS MX record creates a mail route for a domain name. A domain owner would use RMX records to identify those hosts within the domain that are specifically authorized to send mail, and a server receiving mail would check to see whether the sender’s IP addresses were so identified. Mail from an unauthorized host can be rejected or quarantined.

This is a nice idea that can be rolled out incrementally to combat forged From: addresses. The IP address of the mail server that delivers a message is nearly impossible to forge, but the address in the From: header is easy to rewrite. Spammers do that routinely, playing havoc with white lists or blacklists that depend on those addresses.

RMX is a bit problematic for road warriors who lack remote access to company mail servers and consequently transmit directly from their laptops. But once again, a missing or negative RMX response can be used as just one component of a message’s overall score.

“It’s like caller ID,” says Jesse Dougherty, Vancouver, B.C.-based ActiveState’s director of development. “If I don’t recognize your number, that’s one strike against you, but I may still choose to take the call.”

These approaches deal with organizational identity, and so they cut a wide swath. Ideally, they should be complemented with finer distinctions based on the identity of individual senders. One possible addition is the challenge/response protocol offered by EarthLink and other e-mail providers. In this scheme, an unknown sender is challenged to read digits embedded in an image on a Web page; if successful, the sender is then exempt from future challenges. It’s highly effective, but it’s inappropriate and rude in a customer-service-oriented business setting.

Another candidate is the S/MIME (Secure MIME) digital signature. Although all the major e-mail clients have supported that scheme for years, most enterprises opt not to deploy the client certificates that would enable digital signing and encryption.

Were such policy implemented now, it would simplify spam prevention in one way but complicate it in another: A digital signature, in and of itself, wouldn’t mean that a message was good, because spammers would sign their messages, too. But it would enable the anti-spam engines to look up the spammers’ signatures in online databases in a more granular way than using DNSBLs.