Stopping Spam - The Low-Tech Alternative

David MacQuigg,  9 Sept 2005

In spite of our best efforts with sophisticated statistical filters, law-enforcement, public education, and many technical measures, email abuse has become a persistent disease.  Current countermeasures are an ineffective anti-biotic, killing only the simplest strains, and giving the more virulent strains a bigger population in which to spread and mutate into forms ever more difficult to treat.  Examples of this mutation are the techniques now used by criminals to establish "botnets" with thousands of "zombie" computers they secretly control.  This is some of the most sophisticated programming ever seen on the Internet.

Eventually these abuses could grow beyond subversion of email protocols to include subversion of lower-level protocols like DNS and IP Routing.  If that happens, we will face a tough choice - abandon the Internet to criminals, or spend billions on fixing the core infrastructure.  Abandonment will mean we cannot use the Internet for anything involving money, personal identity, or confidential communication.  Criminals will be able to route data anywhere they want, and catching them will be near impossible.  An enormous DoS attack (Denial of Service) with no purpose other than damage to our national economy, is not unthinkable.

Many believe that there is a "low-tech" solution to the email abuse problem - email authentication.  By providing a reliable sender's identity on every email, we could eliminate a critical piece of the Internet criminal's toolkit.  Techniques now exist to allow an email receiver to verify the domain-name of the sender.  That should stop most of the high-volume abuses, like "phishing scams", and spam.  It will also aid law-enforcement in locating individuals where they can get access to the records of the domain owner.  Authentication will not replace the other countermeasures, but it is the one new measure which could finally stop most of the abuse.

Stopping email abuse now could slow the development of new abusive techniques and avoid the nightmare scenarios where criminals control the infrastructure of the Internet.  We stopped abusive phone calls and faxes.  We have no problem with hidden TV and radio transmitters, and that would be a much more difficult problem technically than identifying the source of an email.  This article will explain how email authentication works, and suggest a Registry of Public Email Senders that could facilitate the worldwide adoption of email authentication methods.  All that is needed now is the political will to make it happen.

Registry of Public Email Senders

Here is the recommended placement of the ID check in a typical mail flow:

 

The major benefit of using the Registry is that mail from reputable senders can bypass the blacklists and filters that inevitably cause false rejects.

A second major benefit is having an authenticated return address that will allow legitimate senders to be notified of a possible false reject.

A third benefit is in greatly reducing the need for recipients to review their spam rejects.  If the sender is not on my whitelist, and not on a worldwide list of reputable senders, and my spam filter says the message looks like spam, I can safely ignore it.

A fourth benefit is in enabling a really effective feedback system to generate domain ratings.  Most of the feedback will come automatically from the spam-filter stage, but direct feedback from the recipient will catch those few where the spammer is clever enough to run this entire gauntlet.