E-Mail Authentication Will Not End Spam, Panelists Say

R.A. Hettinga rah at shipwright.com
Thu Nov 11 16:20:59 EST 2004


<http://www.washingtonpost.com/ac2/wp-dyn/A41460-2004Nov10?language=printer>

The Washington Post



By Jonathan Krim
Washington Post Staff Writer
Thursday, November 11, 2004; Page E01

For consumers and businesses increasingly shaken by the growing onslaught
of unwanted e-mail and the computer viruses and other nefarious hacking
spam can bring, any hope for quick relief was soundly dashed yesterday
during a government-hosted gathering of technology experts.

Several executives and academics speaking at a forum sponsored by the
Federal Trade Commission said criminals are already steps ahead of a major
initiative by e-mail providers to counter those problems by creating a
system to verify senders of e-mail.

In theory, such an authentication system would make it harder for spammers
to disguise their identities and locations in an attempt to avoid being
shut down or prosecuted.

But a majority of spam is launched by "zombies," or infected personal
computers that are controlled by remote spammers. E-mail from a zombie
looks as if it is coming from a legitimate source -- because it is. The
owner of that source is simply unaware that his or her computer has been
commandeered.

"We'll be lucky if we solve 50 percent of the problem" with e-mail
authentication, said Pavni Diwanji, chairman of MailFrontier Inc., a
Silicon Valley provider of e-mail security systems.

By some estimates, the problem is rapidly becoming a crisis. In the first
half of this year, an average of 30,000 computers a day were turned into
zombies, according to the computer security firm Symantec Corp. In addition
to serving up unwanted or fraudulent messages, spam is used to deliver
viruses and other malicious software code that can allow hackers to capture
private data such as credit card or bank account numbers from personal
computers.

Hackers and spammers also have been able to exploit a lack of awareness
among many computer users, tricking them into providing their passwords or
account information in response to e-mails that appear to be coming from
legitimate financial institutions or retailers, a tactic known as phishing.

The information is then rapidly sold on a black market heavily populated
by elements of organized crime in Eastern Europe, Asia and elsewhere.

As incidents of the resulting identity fraud mount, "we're losing consumer
confidence in this medium," said R. David Lewis, vice president of Digital
Impact Inc., which provides bulk e-mail marketing services to large
companies.

Lewis and others said that if the public reaches a tipping point at which
Internet commerce is no longer trusted, the economic consequences will be
severe.

Despite the authentication effort's shortcomings, none of yesterday's
speakers suggested abandoning it, because it is seen as an essential
building block for other solutions.

But the forum demonstrated in stark terms the depth and complexity of the
problem.

Any e-mail authentication system, for example, would check that the block
of Internet addresses assigned to an e-mail provider includes the specific
numeric address of a sender of a piece of e-mail.

Thus, a red flag would go up if a message seeming to come from
bob at xyz-123.net is actually not coming from a computer that uses the
xyz-123.net mail service.
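The check the article describes, as an added example that is not part of the original post or of any of the providers' proposals: a receiving mail server takes the domain from the sender address, looks up the address blocks that domain has declared as its legitimate mail sources, and tests whether the IP that actually connected falls inside one of them (this is the mechanism behind the SPF and Sender ID proposals of the time). The domain `xyz-123.net`, the address blocks and the sample messages are all constructed for illustration, and the policy table is a hard-coded stand-in for the DNS lookup a real system performs.

```python
import ipaddress

# Constructed policy: address blocks that the hypothetical provider
# xyz-123.net declares as the only legitimate sources of its mail.
# In a deployed system this list is fetched from DNS, not hard-coded.
AUTHORISED_SENDERS = {
    "xyz-123.net": ["198.51.100.0/24", "203.0.113.10/32"],
}


def sender_domain(address: str) -> str:
    """Return the domain part of an address such as bob@xyz-123.net."""
    if address.count("@") != 1:
        raise ValueError(f"malformed sender address: {address!r}")
    return address.rsplit("@", 1)[1].lower()


def authenticate(sender: str, connecting_ip: str, policy=AUTHORISED_SENDERS) -> str:
    """Classify one message by where it actually came from.

    Returns "pass" if the connecting IP lies inside a block the sender's
    domain has declared, "fail" if the domain declared blocks and the IP is
    outside all of them, and "none" if the domain publishes no list at all
    (the receiver then has nothing to check against).
    """
    blocks = policy.get(sender_domain(sender))
    if blocks is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    # Membership test handles CIDR prefixes of any length; a mismatched
    # IPv4/IPv6 pair simply evaluates to False.
    if any(ip in ipaddress.ip_network(block) for block in blocks):
        return "pass"
    return "fail"


# Constructed sample of connections as a receiving server would see them:
# (claimed sender, IP that connected, what the sample represents).
CONSTRUCTED_MESSAGES = [
    ("bob@xyz-123.net", "203.0.113.10", "provider's own outbound relay"),
    ("bob@xyz-123.net", "192.0.2.9", "forged: sent from an unrelated network"),
    ("bob@xyz-123.net", "198.51.100.77", "zombie: infected customer PC inside the provider's block"),
    ("alice@example.org", "192.0.2.9", "domain publishes no sender list"),
]


def evaluate(messages, policy=AUTHORISED_SENDERS):
    """Run the check over a batch and return (sender, ip, verdict) triples."""
    return [(sender, ip, authenticate(sender, ip, policy)) for sender, ip, _ in messages]


if __name__ == "__main__":
    for (sender, ip, note), (_, _, verdict) in zip(CONSTRUCTED_MESSAGES, evaluate(CONSTRUCTED_MESSAGES)):
        print(f"{verdict:4}  {sender:20} from {ip:15}  ({note})")
```

The third sample is the article's point about zombies: the infected machine sits inside the provider's own address block, so the check passes exactly as it does for the provider's relay, and the receiver has no way to tell the two apart from addresses alone. The "none" verdict is the other practical limit; a domain that publishes nothing gets neither blame nor credit, which is why the panelists treat this check as a building block for reputation systems rather than a filter in itself.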

But Scott Chasin, chief technology officer of e-mail security firm MX
Logic Inc., said the underlying Internet system that houses the necessary
data is insecure and can be tricked by hackers. Chasin said the problem has
been known for 10 years, but industry and Internet standard-setters have
been unable or unwilling to fix the problem by encrypting the data.

Getting agreement on an authentication system has been similarly difficult
and is partly why the FTC held the summit.

The major e-mail providers, America Online Inc., Microsoft Corp., Yahoo
Inc. and EarthLink Inc., are still testing and pushing various plans. The
Internet group assigned to endorse a standard disbanded recently, unable to
resolve discord and uncertainty over whether licensing rights asserted by
Microsoft would cut out a broad swath of organizations that use so-called
open-source software.

Chasin and other panelists also said the basic operating systems that
power computers -- the most dominant of which is Microsoft Windows --
remain too vulnerable to hackers.

He said a worm was recently discovered that lodges itself in Windows files
and goes to work when a computer user tries to access the Web site of his
or her bank. The malicious code automatically redirects the Web browser to
a fake page that looks like the real thing.

In this scenario, the user has not been duped by a fake phishing e-mail.
Instead, the vulnerability in the operating system has allowed the code to
redirect the user's browser to a phony page where a hacker can capture the
user's name and password.

Still, panelists insisted authentication is a vital first step. After that,
they said, could come a system that evaluates the "reputation" of senders,
perhaps using a process that marks good e-mail with an electronic seal of
approval.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list