
September 9th, 2004

Spam standard critics err with glass is half empty attitude

Posted by David Berlind @ 12:48 pm

Categories: General, IT Management, Personal Technology, Security, Software Infrastructure


Last week, purveyors of e-mail security solutions — particularly those that operate in the anti-spam ecosystem — started making hay over the alleged failure of the most prevalently deployed de facto standard for combatting spam: Meng Weng Wong’s Sender Policy Framework (SPF) specification. SPF is not an anti-spam standard. It’s a sender authentication standard that strips spammers of one of their favorite techniques — lying about where their mail is coming from (aka "spoofing"). If our e-mail servers and services interrogated inbound e-mail for SPF-compliance (so far, most don’t), then, theoretically, our power to accurately filter e-mail (on the basis of who it claims to be from) would be significantly improved.

The aforementioned "hay" cited the way spammers are actually using SPF to authenticate themselves. Ciphertrust’s CTO Dr. Paul Judge was the first to call me with news of the revelation. However, as a long-time advocate of royalty-free standards as the most promising means to the end of spam, I’m dismayed by the sky-is-falling position. The study that these naysayers are citing comes from anti-spam solution provider MX Logic and it concludes that, of some 10 million bulk e-mail messages that MX Logic filtered on behalf of its clients in late August, nearly a sixth of the sources of the junk messages were using the SPF specification in a way that portrayed them as legitimate senders. Imagine that? If our e-mail servers and technologies were capable of making a decision based on SPF-compliance alone, then they would have denied passage to the remaining, unauthenticated 5/6ths of bulk e-mail. That could equate to an 83 percent reduction in spam. Then, of the remaining sixth that support SPF, we could choose which of those to allow or deny safe passage into our inboxes on the basis of their authentic credentials. So, the newsflash that SPF isn’t stopping spam is grossly misleading. Sender authentication standards don’t stop spam and never will. They’re just the first step. Now, what we’re waiting for are the tools that empower us as users to act on that authentication data. For example, imagine if Outlook gave us the ability to check e-mails for authenticated sender data.
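The two-step decision argued for above (deny what fails authentication, then judge authenticated senders by who they are), as an added example that is not from the original post or from MX Logic's study. It assumes the receiving server records its SPF check in a `Received-SPF` header; the sample messages, the reputation table and all function names are constructed for illustration.

```python
import email
import re
from collections import Counter

def _msg(spf, subject):
    # Build one constructed message; spf=None means no Received-SPF header.
    head = f"Received-SPF: {spf}\n" if spf else ""
    return f"{head}Subject: {subject}\n\nbody\n"

def _spf(result, sender):
    return f"{result} (mx.example.net: checked {sender}) envelope-from={sender};"

# Constructed samples; every domain and address is a placeholder.
SAMPLES = [
    _msg(_spf("pass", "news@shop.example"), "Your order shipped"),
    _msg(_spf("pass", "deals@pills.example"), "Cheap meds"),  # spammer with valid SPF
    _msg(_spf("pass", "hi@newcomer.example"), "Hello"),
    _msg(_spf("fail", "ceo@shop.example"), "Wire transfer"),  # spoofed sender
    _msg(_spf("softfail", "x@bulk.example"), "Win big"),
    _msg(None, "No SPF check recorded"),
]

# Hypothetical per-domain reputation a receiver would maintain.
REPUTATION = {"shop.example": "good", "pills.example": "bad"}

def spf_verdict(raw):
    """Return (result, envelope_domain) from the top-most Received-SPF header."""
    # Only the header added by your own border server is trustworthy; copies
    # that arrive with the message should be stripped before this step.
    header = email.message_from_string(raw).get("Received-SPF")
    if not header:
        return "none", None
    result = header.split(None, 1)[0].lower()
    # SPF authenticates the envelope sender (MAIL FROM), not the From: header.
    m = re.search(r'envelope-from="?[^\s";]*@([A-Za-z0-9.-]+)', header, re.I)
    return result, (m.group(1).lower() if m else None)

def triage(raw, reputation=REPUTATION):
    result, domain = spf_verdict(raw)
    if result != "pass" or domain is None:
        return "deny-unauthenticated"
    # A pass only proves the domain is authentic; reputation decides the rest.
    return {"good": "deliver", "bad": "deny-known-spammer"}.get(
        reputation.get(domain), "quarantine-unknown")

def summarize(samples=SAMPLES):
    return Counter(triage(m) for m in samples)

if __name__ == "__main__":
    for verdict, n in summarize().items():
        print(f"{verdict}: {n}")
```

The second sample is the case the study describes: the message passes SPF, and it is the authenticated domain's reputation, not the pass itself, that gets it denied.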
