Goodbye spam – but at what price?

In a column a few months ago, I looked at the range of anti-spam measures that were being developed. It seems appropriate to review how things have progressed since then. Although the graph of spam as a percentage of total email appears to be flattening, it is still rising: even if it flattens further, Internet users are still faced with a future where the vast majority of their email is unwanted, to say nothing of offensive and downright dangerous.

As many predicted, anti-spam legislation – both in the US and the European Union – has proved a damp squib. It is true that lawsuits have been filed (and some even won), but these serve mainly to make the companies concerned look like good Internet citizens. The effect on the thousands of small-scale, anonymous spammers operating from faraway countries is zero.

More promising are moves on the technical front to combine two similar approaches to dealing with one aspect of spam, that of address spoofing. The idea is simple – which makes it more likely to succeed. Those sending email register lists of their servers that can legitimately do so; when a message is sent, recipients can check whether the purported email address corresponds to the real server of origin. If it does not, it is likely to be spam.
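To make that check concrete, here is a small added example (not code from the column, nor from the SPF project itself) that evaluates a simplified SPF record against the address of the connecting mail server. The domain records are constructed in-memory stand-ins for the DNS TXT lookups a real receiver would perform, and only the ip4, ip6 and all mechanisms with their qualifiers are handled.

```python
"""Minimal SPF-style check: is the connecting server's IP in the list of
servers the sending domain has published as authorised to send its mail?"""
import ipaddress

# Constructed TXT records standing in for DNS answers (not real domains).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    # A spammer can publish a perfectly valid record for its own domain.
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain: str, client_ip: str, records=SPF_RECORDS) -> str:
    """Return the SPF result for a message whose purported sender is in
    sender_domain and which arrived from client_ip. Domains without a
    record yield 'none'; unsupported mechanisms yield 'permerror'."""
    record = records.get(sender_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides the default
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # include/a/mx/redirect not handled here
    return "neutral"  # record ended without an 'all' term
```

Note that mail from spammer.example's own listed server passes: the check only confirms that the server is authorised for the domain the message claims, which is exactly the limitation the column goes on to describe.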

The idea seems to have surfaced first in a 2002 memo from Paul Vixie, the principal architect of the BIND program. It was picked up later by Pobox.com's Meng Weng Wong, who formulated what became Sender Policy Framework (SPF). There is an explanation of how it works as well as a FAQ.

Around the same time, Microsoft too was much exercised by the challenge of spam. One of the counter-measures outlined by Bill Gates in a speech dealing with the subject was originally dubbed Caller ID for Email. Since this worked in a very similar way to SPF, both parties were under pressure from the industry to combine their efforts. The result was Sender ID: there is an executive background document, deployment overview and an “apology for Sender ID”.

Sender ID has been submitted to the IETF as a draft. An IETF working group known as MARID (MTA Authorization Records in DNS) has a page with some related work, including a paper describing an extension to the basic Simple Mail Transfer Protocol (SMTP) service, one of whose authors is the creator of the popular Sendmail software, Eric Allman.

Sender ID is certainly not a panacea. For example, it could be circumvented by a spammer who registered servers using the free SPF Wizard. More problematic still, zombie networks could be built up from computers with valid Sender ID records. One suggestion is that the mass mailings from such zombie machines could be prevented if it were mandatory to equip high-speed Internet access devices with firewalls.

Technical issues aside, there is another problem with Sender ID. Although Microsoft is offering to license its Caller ID approach under liberal terms, for some they are not liberal enough. Richard Stallman, the obdurate conscience of the computing world, has pointed out that adopting Sender ID as an anti-spam standard implicitly aids Microsoft in its increasingly strenuous tussle with free software. In his view, backing Sender ID would mean losing rather more than the annoyance of a few spam messages.

Glyn Moody welcomes your comments.