ASSURING AUTHENTICATION


Long before commercial spam filters were available, ISP administrators and other uber-geeks created so-called "blacklists" of Internet Protocol (IP) addresses used to send spam. Individuals, ISPs and corporations would then set their email servers to reject any messages coming from these addresses. Once the spam merchants discovered their mail was being automatically rejected, they resorted to devious methods: spoofing, or imitating, legitimate email addresses by faking the return address in the message's "From" field; rerouting email through so-called open relays that forward messages while obscuring where they originally came from; and hijacking other machines, so the spam looks like it came from somewhere else. In the dark underbelly of the Net, malware authors do a brisk trade in renting out their networks of zombie PCs (better known as botnets) to spammers.

So the first step in solving the spam problem is verifying that the message that says it came from "mom@yourisp.com" really did come from dear old mom and not some vile spammer living in a doublewide in Del Ray Beach, Florida. The process is called authentication, essentially Caller ID for your email. There are various ways to accomplish this, but the technologies with the most momentum behind them are Sender Policy Framework (SPF) and Yahoo DomainKeys.

With SPF, Internet service providers and corporations publish the IP addresses of their mail servers on their domain name servers. When mail arrives at your ISP, its servers check the IP address the message actually came from against the addresses published for the domain given in the "From" field. If the two don't match, your ISP can block the message or send it on to you with a warning. Besides identifying phisher emails, this can solve a problem that has flummoxed nearly every spam filter I've tested: junk email that pretends to be sent from your own email address. (For more on SPF, visit http://spf.pobox.com/.)

DomainKeys is similar to SPF but it sends an encrypted digital signature along with each piece of mail. Mail servers at the recipient's ISP unlock the encrypted signature to verify the identity of the sender. (For more on DomainKeys, see http://antispam.yahoo.com/domainkeys.)

The problem is that today most corporations and ISPs don't use either technology yet. According to a November 2004 survey by security firm CipherTrust, roughly 50 of the Fortune 1000 publish their IP addresses via SPF. Yahoo invented DomainKeys and uses the technology for all its web mail, but it's virtually the only company that did at press time. In February 2005, Qurb released a spam filter for Outlook and Outlook Express that uses SPF to verify email domains; in my experience, Qurb could only identify senders for about 1 out of 10 messages. But that number will surely grow over time (see Figure 7-2).

Figure 7-2. Qurb 3.0's spam filter tells you whether that email really is from who it says it's from, provided the legit sender makes its IP addresses available.




    Computer Privacy Annoyances
    ISBN: 596007752
    EAN: N/A
    Year: 2005
    Pages: 89
