Another Year of Spam?

David MacQuigg  5/7/05

I hope I'm wrong, but it looks like email authentication is stalled, and without authentication we lose a critical new tool in the war on email forgery and spam.  The two organizations that could provide leadership, the Federal Trade Commission (FTC) and the Internet Engineering Task Force (IETF), seem to have given up.

In 2003 Congress asked the FTC to solve the problem, expecting something like their earlier success with the Do Not Call Registry.  The FTC quickly discovered the critical missing piece - no way to authenticate the sender of an email.  They are now expecting the industry to solve that problem first.  The industry, via the IETF, appointed a working group, but it was disbanded in September 2004 when the rival methods couldn't agree on a compromise.  Each group is now pursuing its own method, polishing it to perfection, assuming it will be the one and only, and paying no attention to how it will interoperate with other methods.

The problems now are not technical, but organizational.  The few domains that have tried enforcing authentication are having little success.  That's because the number of domains using each method is so small that a lack of authentication means nothing.  Even when a domain does authenticate, it is likely to be a disposable domain name set up for the sole purpose of spamming.  That's because another critical new tool, a domain-reputation service, is also missing.  Spam blocking companies won't invest in such services until it is clear that the industry is really going to use them.

Why is participation so small?  What will it take to reach the "tipping point" where every legitimate domain wanting to operate a Public Mail Server feels the need to authenticate its emails?  Of all the logs in this jam, which one will be easiest to move?

A simple neutral standard

I believe the easiest, most effective thing we could do right now is to establish a simple neutral standard that allows each of the authentication methods to work, even in an Internet where multiple methods are in use.  Removing some of the more frivolous incompatibilities between one method and another is all it will take.  These are simple things, like how one Mail Transfer Agent (MTA) should declare its Identity to another.

Having a simple standard will not favor any one method, but it will allow the rest of the industry to move forward.  Reputation services will know exactly what is expected in responding to a query.  Spam filter companies will know exactly how to read the header information they need.  Internet Service Providers will know that upgrading their software will not be a wasted effort.  When these things happen, we will finally reach a "critical mass" of participating MTAs, and the rest will follow quickly.

The technical community cannot solve this problem by itself.  We need some organizational leadership, and we need it now.  This is not a difficult technical problem.

The standard should include:

1) A procedure for MTAs to declare their Identity at the start of every email session.

2) A procedure for MTAs to pass authentication results to downstream MTAs.

3) A voluntary Registry of domains operating Public Mail Servers.  For each name in the Registry, list the following information:

   a) The IP Addresses of their Public Mail Servers.

   b) Ratings of the domain by independent rating services.

   c) Any additional information the domain wants to provide (public keys, etc.).

A common Registry, with a fast network of DNS servers, should provide the ultimate rapid response to any spammer who tries the "nuclear option", hijacking a reputable name, buying access to a major pipeline, and pumping as much spam as possible in the minutes after spam detectors sense the leading edge.

Existing DNS technology is perfectly suited for a fast, efficient, and secure Registry, with servers widely distributed, resistant to denial-of-service attacks, and not loading any DNS servers performing other vital functions on the Internet.

Updating of the Registry should be done remotely by the domains and rating services, with very little need for technical support.  A convenient web interface should be available for any domains that don't have their own DNS servers.

The Registry is voluntary, so it will require no new laws or regulations.  Enforcement will be done by the recipients of emails, who will reject mail from any domain that isn't in the Registry or doesn't have a good rating from an acceptable service.
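An added example, not part of the original essay or of any published standard: the accept/reject decision a receiving MTA would make under this proposal, with a dict standing in for the DNS-based Registry.  The record layout, rating grades, rater names and the X-Registry-Check header name are assumptions made for illustration.

```python
"""Receiver-side Registry check (added illustration; record layout is hypothetical)."""
import ipaddress

# Constructed Registry data. In the essay's design these records would be
# served over DNS; a dict stands in so the example runs offline. Domains and
# addresses come from the reserved documentation ranges.
REGISTRY = {
    "mail.example.com": {
        "servers": ["192.0.2.0/28", "198.51.100.25"],
        "ratings": {"rater-a.example": "A", "rater-b.example": "B"},
    },
    "bulk.example.net": {
        "servers": ["203.0.113.7"],
        "ratings": {"rater-a.example": "D"},
    },
}

GOOD = {"A", "B"}                     # grades this receiver accepts (assumption)
TRUSTED_RATERS = ["rater-a.example"]  # rating services this receiver accepts


def check_session(declared_id, client_ip, registry=REGISTRY):
    """Return (verdict, reason) for one inbound session."""
    record = registry.get(declared_id.lower().rstrip("."))
    if record is None:
        return "reject", "not-registered"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(net) for net in record["servers"]):
        # Registered name, but the connecting host is not one of its servers:
        # the declared Identity is forged or the Registry entry is stale.
        return "reject", "ip-not-listed"
    for rater in TRUSTED_RATERS:
        grade = record["ratings"].get(rater)
        if grade in GOOD:
            return "accept", f"rated-{grade}-by-{rater}"
    return "reject", "no-acceptable-rating"


def result_header(declared_id, client_ip, receiver="mx.receiver.example"):
    """Format the verdict for downstream MTAs (item 2); header name is made up."""
    verdict, reason = check_session(declared_id, client_ip)
    return (f"X-Registry-Check: {receiver}; id={declared_id}; "
            f"ip={client_ip}; result={verdict}; reason={reason}")
```

The IP check runs before the rating check so that a hijacked reputable name fails even though its rating is good.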

The Registry should be self-supporting, based on a small fee, maybe $200 the first year.  That fee would cover all costs, including management, and would discourage spammers from registering disposable names.

Control of the Registry should be with an organization that can ensure it always works in the best interest of email recipients.  Eventually, a listing in the Registry will be as important to a Public Mail Server as is a broadcast license for a radio station.

The Registry should not get involved in the technical debates over authentication methods.  By keeping the Registry and its requirements neutral, each domain can decide for itself which methods are appropriate.

The Registry should not get involved in the rating of domains.  The rating services should handle disputed ratings the same way they now handle complaints of unfair spam blocking.  All domains are welcome to register, but there are no refunded fees for domains that become useless due to bad ratings.

The Registry should include ratings from services that are the most preferred by email recipients.  Compensation to the services should be enough to offset any loss of subscriptions.

No More Excuses, Let's Roll

Many believe that the problems with email are insoluble.  This negativism is promoted mainly by those who don't understand the technology, and a few who are making money from the status quo.  If spam were to suddenly stop, email carriers would lose 80% of their traffic, and many other businesses would have to make major adjustments.

The negativism should not stop us from moving forward.  Compare the cost of establishing a Registry of Public Mail Servers to the cost of email abuse, estimated at $22 billion per year.  Even a small chance of success should be more than enough reason to give it a try.

Email abuse continues because domains that allow the abuse have no incentive to change.  It will stop only when it costs them money, or when the government steps in with licensing regulations and penalties.  We can avoid the burden of regulations.  An effective Registry will allow blocking by recipients to put some of the cost of abuse back on the domains that allow it.  If spam-tolerant domains had losses from email rejection equal to even 10% of the cost of spam, it would go away.
