REGARDING REPUTATION

Of course, there's nothing to keep spammers particularly quasi-legit ones distributing ads for things like cut-rate mortgages and pasta pots from using sender authentication schemes. In fact, they've already started doing it. So the second piece of the puzzle is a reputation system that lets your ISP or email software know what kind of mail the sender is spewing out.

The largest email reputation system is run by IronPort, which publishes some of its data at a free site called SenderBase (http://www.senderbase.org). IronPort analyzes millions of messages every day, then generates a reputation score for each sender, similar to a person's credit score (see Figure 7-3). The score factors in parameters such as the sender's geographical location, how long the address has been active, whether it can receive mail (most spammers won't), and if ISPs have received abuse complaints about the sender. This lets IronPort differentiate between high-volume but legit senders like AOL or Comcast and sites that spring up overnight and begin spewing millions of messages per hour a likely sign they're a spam house.

annoyances 7-3. Reputation systems like IronPort's SenderBase give you the scoop on who's spamming who.

Email administrators can check SenderBase and manually set their servers to accept or reject messages based on the sender's reputation. IronPort also sells network appliances that let ISPs and corporations automatically access its reputation system, check a sender's score, and throttle down the volume of email they receive from suspect IP addresses. Legit mail will eventually get through (albeit slowly), but spammers generally give up and go elsewhere.

However, longtime anti-spam activist and privacy consultant Ray Everett Church says ideas like SPF and DomainKeys are a good beginning, but only a beginning. "SPF and DomainKeys don't tell you anything about the content of the message or its permission basis," he says. "They don't give you the kind of information you need to make a better decision about whether you want that piece of email." And while reputation systems may help block the sleaziest of spammers, Church believes they're a smokescreen that will ultimately allow commercial e-marketers to flood your inbox with ads.

A longer-term solution? Rewriting the simple mail transfer protocol (SMTP) that governs Internet email so that each message comes with information regarding its authenticity, the type of email it is (transactional, commercial, or personal), and whether the sender has been given permission to send it to you. In October 2004, Church, John Levine, and Vincent Schiavone published a draft memo outlining these concepts with the Internet Engineering Task Force one of several proposed plans for overhauling the 30-year-old email protocols. But overhauling a system that shuttles 20 billion messages a day is not going to happen soon, if it happens at all.