
Verizon's weird antispam science

Backspin By Mark Gibbs, Network World
March 16, 2007 04:16 PM ET

In particle physics there's some really cool stuff called antimatter, which is exactly the same as everyday matter except it's not; it is oppositely charged. There's also another type of matter that is less well known: mirror matter, otherwise called Alice matter or shadow matter.

Mirror matter is just like everyday matter (and for that matter, antimatter), except it is as if it has been reflected in a mirror and consequently has some weird properties.

Here in the IT world, we have spam technologies and we have their opposite: antispam technologies. Then we have what Verizon is apparently doing, using mirror antispam technology -- what I shall henceforth call Alice-spam technology.

Alice-spam technology relies on doing something that looks like antispam technology but actually achieves something weirdly different. I was told the story of Verizon's weird science by reader Stephen Canale of e-mail integrity assurance company OnlyMyEmail.

Here are the details: Verizon has a big spam problem, and its solution has been to use a technique called Sender Call-back (or Call-out) Verification (SCV).

SCV works like this: When you send e-mail to someone at a Verizon address, your SMTP server will connect to the Verizon server to transfer your message. The Verizon server will keep the incoming SMTP connection open while it simultaneously opens another connection to your SMTP server to see if it will accept a message addressed to you.

If your SMTP server confirms within 30 seconds that it will accept the message -- in other words, that you exist -- then Verizon's server will accept your e-mail. If your SMTP server doesn't confirm that you exist or fails to respond in time, your e-mail will be rejected, thus guarding against spoofing.

Sounds reasonable but . . . well, there's a lot of "buts."

First, the fact that a server confirms an address doesn't mean that address was who sent the message. Second, if the server being used for verification is overloaded, the 30-second window could easily be exceeded, which would cause the message to be rejected. Third, many servers handle multiple domains and are configured to verify any address, which defeats the whole purpose.
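The callback decision and the three objections above can be seen side by side in a small offline simulation. This is an added example, not code from the column or from Verizon; the `SenderMX` class, the domains and the mailboxes are constructed for illustration, and the dialogue in the comment is the usual form of an SMTP callback.

```python
from dataclasses import dataclass

TIMEOUT_S = 30  # callback window given in the column

@dataclass
class SenderMX:
    """Constructed stand-in for the mail server of the sender's domain."""
    mailboxes: frozenset      # addresses that really exist
    catch_all: bool = False   # True: answers 250 for any address
    delay_s: float = 1.0      # simulated time to answer RCPT TO

    def rcpt_to(self, address):
        # Callback dialogue: HELO / MAIL FROM:<> / RCPT TO:<address> / QUIT
        ok = self.catch_all or address in self.mailboxes
        return (250 if ok else 550), self.delay_s

def scv_check(envelope_from, mx_by_domain, timeout_s=TIMEOUT_S):
    """Return (accepted, reason) the way an SCV receiver would decide."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    mx = mx_by_domain.get(domain)
    if mx is None:
        return False, "no server for sender domain"
    code, elapsed = mx.rcpt_to(envelope_from.lower())
    if elapsed > timeout_s:
        return False, "callback timed out"
    if code != 250:
        return False, "sender address refused"
    return True, "sender address confirmed"

# Constructed sender-side servers (hypothetical domains and mailboxes)
MX = {
    "example.org": SenderMX(frozenset({"alice@example.org"})),
    "busy.example": SenderMX(frozenset({"bob@busy.example"}), delay_s=45.0),
    "hosting.example": SenderMX(frozenset(), catch_all=True),
}

def run_scenarios():
    # SCV only sees the envelope address, so a forged use of a real
    # address is indistinguishable from the genuine sender.
    cases = {
        "genuine sender": "alice@example.org",
        "forged but real address": "alice@example.org",
        "genuine sender, overloaded server": "bob@busy.example",
        "made-up address on catch-all host": "nobody123@hosting.example",
        "made-up address on strict host": "nobody123@example.org",
    }
    return {name: scv_check(addr, MX) for name, addr in cases.items()}

if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {name}: {reason}")
```

Only the last scenario is a rejection SCV gets right; the forged and catch-all cases are accepted, and the genuine sender behind a slow server is turned away.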

Another big concern is that SCV also allows the Verizon servers to become "joe job" servers -- a way of executing a spam denial-of-service attack using a co-opted third-party server -- in this case, Verizon's.

It also seems that Verizon doesn't apply SCV to mail from AOL or MSN. This means that if you aren't one of the big services, you run the risk of Verizon blocking you simply because you fail the SCV test, and you get an extra load on your mail servers from all of the extra verification connections.

In the early days of spam fighting SCV made sense, but as the spammers became more sophisticated SCV became a well-known liability, so why is Verizon still using SCV?

One reason Verizon can claim zero false positives is that it doesn't reject mail because of content; it just doesn't accept mail that fails SCV. Sneaky. Moreover, Canale suggests that Verizon sticks with SCV because it is less expensive than the more reliable but computationally expensive filtering, and because it reduces Verizon's internal bandwidth use (see Canale's discussion of Verizon's use of SCV).

Verizon has been struggling rather poorly with the problem of how to deal with spam for many years. In 2004 the company was roundly castigated for its incredibly broad blocking of all connections from Europe, China and New Zealand. The resulting class-action suit ended in a decision against Verizon that will cost the company millions of dollars. This foray with Alice-spam technology could cost them even more.
