Survey Finds Spammers Embracing Sender Authentication
"We've always known that spammers are not as stupid as everyone thinks they are," CipherTrust Research Engineer Dmitri Alperovitch told TechNewsWorld. "They adapt to most counter measures that we throw at them," he continued, "so we pretty much expected they would do something to evade this new tool, and these results confirm that."
Sep 2, 2004 8:19 AM PT
Sender authentication might work as a club to beat down phishing attacks on Web denizens, but it does little to fight spam. That's the finding of a study released this week by CipherTrust, a messaging security firm in Atlanta.
Drawing on an analysis of some two million messages received between May and August by more than 1,000 CipherTrust customers worldwide, the study focused on the deployment and effectiveness of a technology known as the Sender Policy Framework (SPF).
The technology allows the holder of an Internet domain to publish a list of IP addresses associated with legitimate e-mail from that domain. Mail server operators that have installed SPF can check the addresses against the SPF list to determine whether an incoming message is genuine or its origin has been "spoofed."
According to CipherTrust, spam messages were three times more likely to pass an SPF check than legitimate mail. "We've always known that spammers are not as stupid as everyone thinks they are," CipherTrust Research Engineer Dmitri Alperovitch told TechNewsWorld.
Not Intended to Fight Spam
"They adapt to most counter measures that we throw at them," he continued, "so we pretty much expected they would do something to evade this new tool, and these results confirm that."
While SPF is doing what it was designed to do, he said, that design is having little impact on spam traffic. "There was a perception out there that SPF was designed to stop spam, and it wasn't," he observed. "It was designed to authenticate the sender of a message, and that's exactly what it's doing."
"Spammers aren't circumventing this, but adopting it and adopting it at a greater rate than legitimate senders," he observed.
Although CipherTrust reported that the number of Fortune 1,000 companies that have deployed e-mail authentication has increased 200 percent since May, that increase from 11 to 31 companies shows that the technology has yet to become widespread.
"Some are wrongly assuming that because a domain has an SPF record, it is therefore a legitimate 'nonspammer' domain," Steve Linford, CEO and Founder of the SpamHaus Project, an international spam-fighting organization, told TechNewsWorld via e-mail. "But in fact spammers have already begun adding SPF records to their domains."
A spammer wishing to send a few million pieces of spam needs only to add a simple SPF record to the originating domain declaring the entire IP range as his own, he explained.
Because SPF is essentially an open-source protocol, spammers are free to publish their own SPF records, noted Scott Chasin, CTO of MX Logic, an e-mail defense company in Denver.
"There's no accreditation associated with an SPF record," he told TechNewsWorld. "Anybody can purchase a domain for $5 and implement their own SPF with what's essentially a throwaway domain."
While SPF isn't a silver bullet for the spam problem, the technology can be useful as part of a multilayered defense perimeter against junk e-mails.
Another Hoop to Jump
"It gives the spammer another hoop to jump through," Alan Hockey, technical director for Clearswift, a maker of software for managing and securing communications, told TechNewsWorld from his office in Theale, Berkshire, UK. "They have to get past that to get to the next layer."
The technology also can be leveraged with other tools as an effective antispam weapon, asserted Dave Jevans, chairman of the Anti-Phishing Working Group and senior vice president at Tumbleweed Communications, a messaging software maker in Redwood City, California.
"Once we have e-mail authorization to verify the sender, then we need reliable sender reputation services that categorize known senders as spammers or not," he told TechNewsWorld via e-mail. "That way, when e-mail comes in, sender is verified and then checked against a blacklist-reputation service to see if they are a spammer."
Spoofing and Phishing
One area where SPF appears to be very effective is in thwarting malignancies such as spoofing and phishing.
"SPF is designed to stop spoofing of e-mail addresses," Linford said. "Those that will benefit from SPF are the large mail providers (Hotmail, AOL, Yahoo, etc.) whose addresses are most often used fraudulently as 'From' addresses in spams."
"Once widely deployed," he added, "SFP will also have the effect of reducing the vast volumes of virus e-mails clogging the net, since viruses always spoof the sender."
Whatever SPF's future role in fighting e-mail nasties will be, its use should be viewed with caution, according to Eric Johansson, a consultant with the TriArche Research Group, an international consulting organization in Cambridge, Massachusetts, and the developer of a decentralized authentication scheme that involves electronic "franking" of e-mail.
"E-mail authentication is one step toward having the power to control who says what on the Net," he told TechNewsWorld.