
News & Events - MAAWG Release

     

ISPs Report Success Authenticating E-Mail; Key Way To Slow Spam; Messaging Anti-Abuse Working Group leading industry's junk mail fight

By Donna Howell
Investor's Business Daily

Spam sleuthing is stepping up.

Internet service providers say methods they're testing to authenticate senders of e-mail are showing promise. At a March meeting, members of MAAWG -- the Messaging Anti-Abuse Working Group -- shared results of their sender authentication tests.

"We were optimistic that these authentication protocols would help. The test results showed they are helping," said Stephen Currie, a product management director at ISP EarthLink.

"It definitely looks like signing mail through one or more authentication protocols is a good indicator of whether that e-mail is spam or not," Currie said.

MAAWG lists 37 corporate members, making it the messaging field's main group working on this huge problem.

The sender authentication technologies in use go by names such as SPF (for sender policy framework), Sender ID and DomainKeys. Each method aims to tell where an e-mail originated -- if the sending ISP or domain outfits the message with a special data record.

Six Firms Rolling

Such methods are a way to tell a legitimate sender from a possible sender of unwanted, unsolicited e-mail, known as spam. So ISPs can more efficiently filter out junk mail.

Tests continue, but six MAAWG members are in the process of actually rolling out such methods, says Rich Wong, MAAWG chairman and a general manager at messaging technology provider Openwave Systems. Ten others have plans to roll out such technology, he says.

Yahoo has been applying sender authentication records on outbound mail since November. And it's been checking inbound mail for the presence of DomainKeys records, its favored flavor of the technology, since late 2004.

Sender authentication is one of the major efforts of the past year for e-mail providers and ISPs, says Miles Libbey, anti-spam product manager for Yahoo.

"Today, most spammers use forgery as one of the tools in their arsenal: trying to send from a domain they don't own or control," Libbey said. "A phisher might use security@citibank.com. Sender authentication methods are trying to address that problem."

31,000 Phishing Attacks

Phishing is a type of scam in which identity thieves send e-mails that pretend to come from a well-known e-commerce firm or bank, such as Citibank. They try to lure recipients into divulging account details and passwords, sometimes at Web sites they've built to look like a bank's. Some 31,000 phishing attacks took place last year, and they cost an estimated $137 million in fraud losses, according to TowerGroup.

The consulting firm predicts the number of phishing attacks will top 86,000 this year.

If or when ISPs put sender authentication methods into full use, it's unlikely that an e-mail would be blocked as spam just because it lacked a sender authentication record, Currie says. But those e-mails might be subject to further screening by other kinds of spam filters that ISPs use.

The methods might let IT administrators see a green or red light on incoming e-mail, a visual indicator of which messages to more closely monitor and perhaps filter, Currie says.

After such labeling, a next logical step would be for sender authentication to play a role in "weighting" an e-mail, Currie says. That is, judging how spammy it is.

But directly filtering out a message just because it isn't signed with a sender authentication record? That won't happen unless, as Currie puts it, there's "a really credible, reliable reputation system in place."