Authentication takes a bite out of spam

Article

Authentication takes a bite out of spam

SAN DIEGO -- Disguised as innocent offers to save 80% on discreet prescription shipments and opportunities to earn a genuine college diploma in two weeks, spam e-mails are generating a widespread technology arms war.

However, speakers at the recent 2005 Burton Group Catalyst Conference said thwarting spam isn't a lost cause.

    Requires Free Membership to View

    Login

    By submitting your registration information to SearchNetworking.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchNetworking.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Trent Henry and Daniel Golding, senior analysts with the Midvale, Utah-based research firm, suggested antispam strategies for both inbound and outbound e-mail.

Golding said enterprises should vigilantly work to control spam because it's ultimately a drain on company resources and a negative reflection on corporate reputations.

To better control inbound spam, the analysts suggested combining malware protection and spam prevention, enforcing policies such as keyword and content outbound filtering, as well as adding confidentiality and encryption.

While an absolute resolution to all unsolicited e-mail issues isn't possible, according to the analysts, Sender Policy Framework (SPF) is the most effective solution for controlling inbound and outbound fraudulent spam.

SPF is an extension to Domain Name System in which the Internet domain of an e-mail sender can be authenticated for that sender. It can help spot an inbound e-mail claiming to be from a particular organization but originating elsewhere, reject it or queue it for closer inspection.

"Nothing we're talking about is perfect, but spam is about percentages," Golding said. "SPF takes one hour [to implement], it's reasonably effective and not terribly complex."

The analysts said SPF and other e-mail authentication initiatives -- such as Sender ID and Domain Keys, Yahoo's authentication specification that was recently merged with Cisco Systems Inc.'s Identified Internet Mail spec -- work together to better determine if a message originated from a domain other than the one claimed.

For more information

Learn more about defeating spam in the enterprise.

Check out our white paper on fighting spam defensively.
Attendee Bob Hart, manager of network services with Kent, Ohio-based Kent State University, said this conference was the first time he'd heard of sender-based authentication, but he now plans to discuss it with his DNS engineer to see if it's necessary.

"I've always wondered how someone can send e-mails without the server knowing who you are," Hart added. "If I get regular mail without a return address, I'm suspect. So why wouldn't I want the same kind of security for our e-mail systems?"

Golding and Henry listed the following as immediate action items for attendees: utilize sender-based e-mail authentication, update e-mail servers or antispam firewall services to support inbound SPF checks and publish SPF records.

But even with these precautions in place, Henry warned, spam will continue to grow both in volume and delivery paths. He said enterprises should prepare for SPIM and SPIT -- spam over instant messaging and IP telephony, respectively -- as emerging battlegrounds.