Scott Chasin, CTO for MX Logic, had some interesting comments on spam and authentication at last week’s FTC/NIST Email Authentication Summit.

Here’s some of what he had to say:

* Spammers can quite easily publish their own Sender Policy Framework (SPF) record. In September, MX Logic reviewed 10 million spam messages that flowed through its network, representing more than 400,000 unique domains, and found that one in six of these domains had SPF records.

* Spammers can leverage throwaway domains quite easily. New domains can be registered quite easily and propagated throughout the Internet within a matter of hours. Domain registrars are plentiful and compete heavily on price, often not even requiring a credit card to register a domain. As a result, a spammer can register a domain, publish an SPF record for it and then discard the domain just as easily.

* The same self-publishing rules exist for accreditation services, meaning that spammers can run their own accreditation servers.

* A new spamming technique is for spammers to use authenticated sources that are thought not to be spamming conduits and send spam via bot networks to send spam at a low throughput rate, rendering the spam virtually undetectable.

What does this all mean for the future of authentication and spamming? First, it means - as its proponents have always maintained - that authentication is not a panacea for the spam problem, but is merely one strategy in the continuing battle against spam. While authentication of domains using SPF and other schemes is important, it probably will have relatively little impact on the overall flow of spam.

Secondly, Scott’s comments highlight the fact that the spam battle is far from over and probably never will be. The need to aggressively address the problem of spam will continue indefinitely and will require continually updated approaches to solving the problem, as well as proactive maintenance and upgrading of spam-blocking systems.

Michael Osterman is principal analyst of Osterman Research.