The CAN-SPAM Act of 2003 — Five Years Later

December 16th is the five-year anniversary of the passage of the CAN-SPAM Act of 2003. For some, the act counts as a success because it has been used to prosecute a number of cases. Unfortunately, it has had no visible impact in protecting us from the ever-increasing spam problem.

The Act mostly served to keep honest people honest and did nothing to solve the spam problem. It made it easier for consumers to find contact information and opt out of commercial e-mail sent by legitimate, law-abiding companies operating in the United States. However, the majority of the spam we receive is not from legitimate, law-abiding US companies. Because of this, laws on their own will provide little protection against the junk mail problem.

To get that protection, and to make these laws enforceable, we need to invest in technical solutions. Some of those solutions are available today but are not yet widely practiced:

  • Requiring Sender Authentication on all outbound mail

DomainKeys Identified Mail (DKIM) can be used both to validate the domain responsible for an e-mail and to verify that its contents have not been tampered with in transit. Sending sites should begin DKIM signing all outgoing mail to provide proof of identity. Receivers can then be assured of the identity of the sending domain, which prevents forgery. For this to work, receiving sites need to perform DKIM verification and end-user mail clients (e.g., Thunderbird, Outlook) need to show the results of that verification. Other Sender Authentication methods (SPF, SenderID, etc.) also provide some protection against mail forgery. A verifiable sender is a vital requirement for making legal requirements enforceable.
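The integrity half of DKIM is easy to see in code. The following is an added example, not code from the original post or from any DKIM implementation: it performs RFC 6376 "relaxed" body canonicalization, computes the bh= body hash a signer puts in the DKIM-Signature header, and shows the receiver-side check that detects a body altered after signing. The message, domain (example.com) and selector (sel1) are constructed for the example; the b= tag, which needs the signer's private RSA key and a DNS lookup of the public key, is deliberately left out.

```python
import base64
import hashlib
import re

# Constructed sample message (not from the original post): headers, blank line, body.
SAMPLE_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: recipient@example.net\r\n"
    "Subject: Hello\r\n"
    "\r\n"
    "This is the body.  \r\n"
    "Second   line\r\n"
    "\r\n"
    "\r\n"
)


def relaxed_body_canonicalize(body: str) -> bytes:
    """'relaxed' body canonicalization (RFC 6376, section 3.4.4): collapse runs of
    WSP to one space, strip trailing WSP from each line, drop trailing empty
    lines, and terminate a non-empty body with exactly one CRLF."""
    lines = []
    for line in body.split("\r\n"):
        lines.append(re.sub(r"[ \t]+", " ", line).rstrip(" \t"))
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: str):
    """Split a raw RFC 5322 message into its header block and body."""
    headers, _, body = raw.partition("\r\n\r\n")
    return headers, body


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376, section 3.2).
    Whitespace inside values (including header folding) is not significant."""
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signer_tags(domain: str, selector: str, raw: str) -> str:
    """Sender side: the tag list a signer would emit for the message, minus the b=
    signature itself, which needs the domain's private RSA key (not modelled here)."""
    _, body = split_message(raw)
    return (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
        f"h=from:to:subject; bh={body_hash(body)}; b="
    )


def check_body_hash(raw: str, dkim_signature: str) -> bool:
    """Receiver side: recompute bh= and compare it to the signed value. A mismatch
    means the body was altered after signing. Verifying b= (the RSA signature over
    the listed headers, with the key published at <s>._domainkey.<d>) is the
    second half of verification and is left out of this example."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    if body_canon != "relaxed" or tags.get("a") != "rsa-sha256":
        raise ValueError("example only supports c=*/relaxed with a=rsa-sha256")
    _, body = split_message(raw)
    return tags.get("bh") == body_hash(body)


if __name__ == "__main__":
    sig = signer_tags("example.com", "sel1", SAMPLE_MESSAGE)
    print("original passes:", check_body_hash(SAMPLE_MESSAGE, sig))
    tampered = SAMPLE_MESSAGE.replace("Second", "Altered")
    print("tampered passes:", check_body_hash(tampered, sig))
```

One caveat worth noticing: under relaxed canonicalization a change that only touches whitespace (for instance a relay re-wrapping "Second   line" as "Second line") still passes, which is exactly why relaxed mode survives transit through mail systems that reflow whitespace; any change to the visible text fails the check.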

  • Domain-based reputation

Once Sender Authentication has provided a verified sender, the next step in fighting spam is a domain-based reputation service that helps identify “good” senders vs. “bad” senders. Since even spammers can provide Sender Authentication on the mail they send (they just cannot forge another domain while doing so), sites need to be able to separate the good from the bad based on that verified sender.
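The point that reputation must hang off the verified identity, not the From: line, is worth showing concretely. This is an added example and not code from the original post or from any real reputation service: it keys a smoothed complaint rate on the authenticated signing domain, refuses to score mail that did not authenticate, and starts an unknown domain at a prior rather than at "good". The shape of the auth_result dictionary, the prior (2% complaints, weight 20) and the thresholds are assumptions made for the example.

```python
from collections import defaultdict


class DomainReputation:
    """Reputation keyed on the authenticated signing domain (the DKIM d= tag, or an
    SPF-validated domain), never on the unauthenticated From: display address.

    Scores are a smoothed complaint rate: a domain with little history sits near
    the prior instead of looking spotless after a single delivered message, so a
    spammer who signs mail from a freshly registered domain gains nothing by it."""

    def __init__(self, prior_rate: float = 0.02, prior_weight: int = 20):
        self.prior_rate = prior_rate        # assumed baseline complaint rate
        self.prior_weight = prior_weight    # how many messages the prior is "worth"
        self.delivered = defaultdict(int)
        self.complaints = defaultdict(int)

    def record(self, domain: str, delivered: int = 0, complaints: int = 0) -> None:
        """Feed in delivery counts and user complaints (e.g. "report spam" clicks)."""
        self.delivered[domain] += delivered
        self.complaints[domain] += complaints

    def complaint_rate(self, domain: str) -> float:
        """(complaints + prior) / (delivered + prior weight); a Bayesian-style
        smoothing so small samples are pulled toward the baseline."""
        n = self.delivered[domain]
        return (self.complaints[domain] + self.prior_rate * self.prior_weight) / (n + self.prior_weight)

    def classify(self, auth_result: dict) -> str:
        """auth_result is the receiver's Sender Authentication outcome, e.g.
        {"dkim": "pass", "domain": "example.com"} (a constructed shape for this example).
        Without a verified identity there is nothing to look up, so the mail is
        handed to content filtering as 'unauthenticated' rather than scored."""
        if auth_result.get("dkim") != "pass":
            return "unauthenticated"
        rate = self.complaint_rate(auth_result["domain"])
        if rate <= 0.005:
            return "good"
        if rate >= 0.10:
            return "bad"
        return "neutral"


if __name__ == "__main__":
    rep = DomainReputation()
    rep.record("bigbank.example", delivered=10000, complaints=10)   # constructed history
    rep.record("bulkblast.example", delivered=100, complaints=30)
    for result in ({"dkim": "pass", "domain": "bigbank.example"},
                   {"dkim": "pass", "domain": "bulkblast.example"},
                   {"dkim": "pass", "domain": "brandnew.example"},
                   {"dkim": "fail", "domain": "bigbank.example"}):
        print(result["domain"], result["dkim"], "->", rep.classify(result))
```

Notice the last two cases: a domain with no history is "neutral" and still goes through content filtering, and a message claiming bigbank.example whose signature failed gets none of bigbank.example's good standing.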

  • Proper network etiquette

ISPs (both network connection providers and service providers, e.g., webmail providers) need to enforce outbound mail sending practices. This comes in two forms. First, network connection providers must act as the mail and network gateway for outbound mail from their customers and block attempts to reach other SMTP servers directly. This prevents zombies from flooding the Internet from machines that shouldn’t be sending mail directly. Once this is in place, all providers need to start applying anti-spam, anti-virus, and malware scanning to the messages they send out to the Internet, just as they do today for inbound messages. This is similar to the egress filtering they deployed years ago to prevent customers from sending forged IP packets onto the Internet. Proper network etiquette becomes even more important once domain-based reputation is in place, since ISPs will need to protect their reputation so that bad users don’t drag down their overall standing.
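The gateway policy described above, plus the detection that falls out of it, as an added example that is not part of the original post and is not any ISP's actual configuration: customer hosts may open port 25 only to the ISP's own relay, authenticated submission ports stay open, and a host whose denied port-25 attempts fan out to many destinations is flagged as a probable zombie. The address ranges are RFC 5737 documentation ranges and the flow records are constructed; the threshold of three distinct destinations is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed addressing for this example (RFC 5737 documentation ranges).
CUSTOMER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ISP_SMARTHOSTS = {ipaddress.ip_address("198.51.100.25")}
MX_PORT = 25                      # server-to-server SMTP
SUBMISSION_PORTS = {587, 465}     # authenticated client submission is unaffected


def egress_decision(src: str, dst: str, dport: int) -> str:
    """Policy for the customer-facing gateway: customer hosts may reach port 25
    only on the ISP's own outbound relay; everything else (including submission
    to a third-party mailbox provider on 587/465) passes as before."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if not any(src_ip in net for net in CUSTOMER_NETS):
        return "allow"                       # not customer-originated traffic
    if dport == MX_PORT and dst_ip not in ISP_SMARTHOSTS:
        return "deny"
    return "allow"


# Constructed flow records (src, dst, dport) as a gateway might log them.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.25", 25),   # legitimate: customer -> ISP relay
    ("203.0.113.11", "192.0.2.50", 587),     # legitimate: submission to a hosted mailbox
    ("203.0.113.77", "192.0.2.10", 25),      # direct-to-MX attempts from one host ...
    ("203.0.113.77", "192.0.2.11", 25),
    ("203.0.113.77", "192.0.2.12", 25),
    ("203.0.113.77", "192.0.2.13", 25),
    ("203.0.113.12", "192.0.2.20", 25),      # a single stray attempt, below threshold
]


def flag_direct_to_mx_hosts(flows, threshold: int = 3):
    """Hosts whose denied port-25 attempts hit at least `threshold` distinct
    destinations. A misconfigured mail client talks to one server; a spam-sending
    zombie sprays many, so the fan-out separates the two."""
    denied = defaultdict(set)
    for src, dst, dport in flows:
        if egress_decision(src, dst, dport) == "deny":
            denied[src].add(dst)
    return sorted(src for src, dsts in denied.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for src, dst, dport in SAMPLE_FLOWS:
        print(f"{src} -> {dst}:{dport} {egress_decision(src, dst, dport)}")
    print("probable zombies:", flag_direct_to_mx_hosts(SAMPLE_FLOWS))
```

On a Linux gateway the policy above collapses to a single forwarding rule, for instance `iptables -A FORWARD -s 203.0.113.0/24 -p tcp --dport 25 ! -d 198.51.100.25 -j REJECT` with the same constructed addresses; the rule's reject log is then the input to the fan-out check, which is what turns the block into a notification that a customer machine needs cleaning.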

Categories: Gregory Shapiro, Uncategorized.