Authentication takes a bite out of spam

SAN DIEGO -- Disguised as innocent offers to save 80% on discreet prescription shipments and opportunities to earn a genuine college diploma in two weeks, spam e-mails are generating a widespread technology arms war.

However, speakers at the recent 2005 Burton Group Catalyst Conference said thwarting spam isn't a lost cause.

Trent Henry and Daniel Golding, senior analysts with the Midvale, Utah-based research firm, suggested antispam strategies for both inbound and outbound e-mail.

Golding said enterprises should vigilantly work to control spam because it's ultimately a drain on company resources and a negative reflection on corporate reputations.

To better control inbound spam, the analysts suggested combining malware protection and spam prevention, enforcing policies such as keyword and content outbound filtering, as well as adding confidentiality and encryption.

While an absolute resolution to all unsolicited e-mail issues isn't possible, according to the analysts, Sender Policy Framework (SPF) is the most effective solution for controlling inbound and outbound fraudulent spam.

SPF is an extension to Domain Name System in which the Internet domain of an e-mail sender can be authenticated for that sender. It can help spot an inbound e-mail claiming to be from a particular organization but originating elsewhere, reject it or queue it for closer inspection.

"Nothing we're talking about is perfect, but spam is about percentages," Golding said. "SPF takes one hour [to implement], it's reasonably effective and not terribly complex."

The analysts said SPF and other e-mail authentication initiatives -- such as Sender ID and Domain Keys, Yahoo's authentication specification that was recently merged with Cisco Systems Inc.'s Identified Internet Mail spec -- work together to better determine if a message originated from a domain other than the one claimed.

Attendee Bob Hart, manager of network services with Kent, Ohio-based Kent State University, said this conference was the first time he'd heard of sender-based authentication, but he now plans to discuss it with his DNS engineer to see if it's necessary.

"I've always wondered how someone can send e-mails without the server knowing who you are," Hart added. "If I get regular mail without a return address, I'm suspect. So why wouldn't I want the same kind of security for our e-mail systems?"

Golding and Henry listed the following as immediate action items for attendees: utilize sender-based e-mail authentication, update e-mail servers or antispam firewall services to support inbound SPF checks and publish SPF records.

But even with these precautions in place, Henry warned, spam will continue to grow both in volume and delivery paths. He said enterprises should prepare for SPIM and SPIT -- spam over instant messaging and IP telephony, respectively -- as emerging battlegrounds.

This article originally appeared on SearchNetworking.com, a sister site of SearchSMB.com.