IETF to lead anti-spam crusade

Apr 12, 2004 | 5 mins
Authentication, DNS, Enterprise Applications

The Internet’s premier standards-setting body is making its first attempt to develop messaging technology aimed at reducing the amount of spam flooding corporate e-mail servers.

Having researched spam for more than a year, the IETF this month formed a working group that will develop a standard mechanism to eliminate spam that uses a spoofed sender address.

“Identifying the sender of e-mail won’t eliminate 100% of the spam problem, but [it] may get 50% to 80%,” says Paul Mockapetris, a former IETF chair and the inventor of the Internet’s DNS.

“Sometimes spam is sent from a machine where someone has installed a worm. Then the spam is coming from a trusted source so authentication doesn’t help,” Mockapetris says. “However, if I have a reasonable identification of the sender, I can at least be sure that I do get legitimate e-mail from repeat correspondents.”

The IETF’s new working group plans to develop a DNS-based mechanism for storing and distributing information that authorizes an e-mail server to send messages from a particular domain or network. The group is dubbed MARID because it will create message transfer agent (MTA) authorization records in DNS.

By targeting spam, MARID has set its sights on one of the biggest headaches facing corporate network managers. In March, 68% of all Internet e-mail was spam, according to anti-spam vendor Brightmail. Brightmail says it filtered 2.93 billion fraudulent e-mails in March, up 25% from the previous month.

“Everyone realizes this is a really big problem,” says Andy Newton, co-chair of the MARID working group and a network engineer with VeriSign. IETF participants don’t “want to spend a lot of time on infighting and political bantering. They’re just focused on fixing the problem,” he says.

The MARID technique will be most successful at eliminating spam when it is widely deployed across the Internet’s e-mail servers, experts agree. However, corporations might choose to be early adopters of this technology to prevent spammers from spoofing their domains and eliminate outbound spam.

“A company like Citibank would probably like to make sure every bit of e-mail that comes from their domain is their e-mail,” says John Levine, co-chair of the Anti-Spam Research Group run by the IETF’s sister organization, the Internet Research Task Force (IRTF). “Companies can set policies that say if e-mail has this characteristic, it’s really from us. If it doesn’t, don’t accept it. In some ways, MARID may help corporate networks more than it will help consumer ISPs because they have more control over their users.”

MARID could be controversial, as it is expected to choose between authentication schemes backed by e-mail giants Microsoft, Yahoo and others.

The IETF already has received several proposals outlining ways to reduce spam by authenticating e-mail servers. Microsoft says it will submit to the IETF its Caller ID for E-mail Specification, which outlines a scheme for thwarting e-mail address spoofing. Yahoo is expected to submit an alternative proposal called DomainKeys, which uses digital signatures to authenticate e-mail servers.

Despite market pressure, IETF officials say they are unlikely to adopt a proposal from Microsoft or Yahoo without making significant changes to it.

“The MARID work must take a step back and agree on what the problem is to be solved,” says Patrick Faltstrom, a member of the IETF who directed the group’s discussion in March on whether to establish a working group in this area. “After this has happened, [the group] can measure the proposals against the goal.”

MARID plans to select a proposal by June and finish its specification by August.

Challenges galore

This will be a tough schedule to meet given that MARID faces more challenges than navigating the politics between Microsoft and Yahoo.

“Things are moving ahead, but we still have to resolve some fairly deep issues,” says Levine, who is best known for writing the book Internet for Dummies and, more recently, Fighting Spam for Dummies. “What is the problem we are trying to resolve? Is it spoofing? Is it authentication? Is it forged spam? Are we attempting to make all e-mail more accountable?”

Levine says one challenge for MARID is defining legitimate and illegitimate senders of e-mail. As an example, Levine mentions popular Internet services such as greeting card and newspaper Web sites that let users send e-mail to someone else using personal e-mail addresses. This e-mail could be classified as coming from a spoofed address.

Whatever proposal is selected, the working group has vowed not to make significant changes to either the DNS or the Simple Mail Transfer Protocol.

Newton says companies that want to improve their spam filtering to reject unauthorized e-mail coming into their organizations likely will need to upgrade their e-mail server software to support MARID. “The general feeling of the working group is to make this [an upgrade] to the mail server, not the client,” he says.

MARID promises to be a high-profile effort within the IETF community.

The IETF held a preliminary meeting in early March in Korea to see if there was enough interest to form a working group to develop MTA authentication records. More than 100 network engineers attended the meeting. After the meeting, advocates of MARID set up a mailing list, and hundreds of comments about the MARID proposals have been posted in the last three weeks.

Even MARID supporters say this approach is not likely to be the ultimate solution for spam. MARID only addresses spam that comes from a spoofed e-mail address. And it will only work when e-mail servers activate new features that would let them determine the source of e-mail that contains spam.

That’s why the IRTF’s Anti-Spam Research Group is exploring other ways to eliminate spam, including real-time exchange of spam filters, e-mail abuse reporting standards, and publishing best practices for network managers.