Boston.com

Popular spam fighter's effectiveness questioned

Study shows SPF's loopholes

A technological weapon against unwanted "spam" e-mails that has been embraced by leading Internet companies doesn't work as well as its developers had hoped, according to a new study.

"It's really a reality check," said Paul Judge, chief technology officer for CipherTrust Inc., an antispam software maker in Alpharetta, Ga.

Microsoft Corp., Google Inc. and other major Internet companies have endorsed the technology, called Sender Policy Framework, or SPF. The system is designed to fix a weakness of traditional e-mail that makes it hard to track down spammers.

E-mail technology lets a sender put a phony return address on each message, thus concealing its source. But every e-mail message must come from a numerical Internet address. The SPF system compares the domain in the message's return address against the numerical addresses that domain has published as authorized to send its mail. If they don't match, the recipient can reject the message.

Proponents have predicted that SPF would help law enforcement agents catch spammers who use their true addresses, and make it easy to filter messages from spammers who use phony addresses.

But Judge says it isn't working that way. Few legitimate e-mailers use the SPF system. And a small but growing number of spammers are using SPF. "As always, spammers are very quick to adapt," he said. "They're taking advantage of our tools faster than we are."

A spammer who uses SPF can no longer conceal the origin of his messages, but that isn't much help to spam fighters. That's because the spammers have set up hundreds or thousands of "throw-away" Internet addresses for sending spam.

Antispam companies like CipherTrust quickly detect these addresses, often within hours, and update their customers' software to block mail from them. When that happens, the spammer switches to a different address. And because each address is SPF-compliant, filters that check for SPF will let the unwanted mail go through.

"It's like checking someone's passport at the airport," Judge said, "but not checking the terrorist database."

Spammers who use multiple SPF-compliant addresses may be easier to prosecute, because there will be a way to trace who purchased the originating Internet address. But that can only happen after the fact. For now, SPF filtering must be combined with traditional antispam software to weed out the unwanted messages before they show up in e-mailboxes.

Still, Judge said SPF could stop one of the most vexing forms of Internet fraud, "phishing." In a phishing scheme, criminals send e-mail messages that appear to come from legitimate businesses, such as banks and credit card companies. The messages ask the recipient to provide sensitive information, such as a credit card number, and inattentive consumers often comply.

If SPF were adopted by leading Internet providers and corporations worldwide, phishing would become virtually impossible. An e-mail that appeared to come from, say, citibank.com would instantly be verified, and phony Citibank messages would never arrive. "SPF will be very good at identifying these phishing attacks," Judge said -- but only if people use it.
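To make the mechanism concrete, here is an added example (not from the article, and not CipherTrust's or any SPF project's code) of a simplified SPF check in Python, combined with the kind of sender-address blocklist that Judge says must sit alongside it. The domains, addresses and records are constructed for illustration, and only the ip4, include and all mechanisms are implemented, so this is a teaching model rather than a full implementation of the specification. It walks through the three situations the article describes: a legitimate domain whose mail passes, a forged phishing message that fails, and a throw-away spam domain that passes SPF and is stopped only because its sending address is on a blocklist.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: none of these are real records).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",          # strict: anything else fails
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",         # lenient: anything else softfails
    "reseller.example": "v=spf1 include:isp.example -all",    # delegates to its provider
    "cheapspam.example": "v=spf1 ip4:203.0.113.7 -all",       # throw-away domain, fully SPF-compliant
}

# Constructed reputation blocklist: the "terrorist database" in Judge's analogy.
IP_BLOCKLIST = {ipaddress.ip_address("203.0.113.7")}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` against the connecting `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Simplified model: supports ip4, include and all only.
    """
    if depth > MAX_INCLUDE_DEPTH:          # guard against include loops
        return "permerror"
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"                      # domain publishes no policy
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"                    # mechanisms default to "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]   # "all" always matches; it ends evaluation
        mech, _, arg = term.partition(":")
        if mech == "ip4":
            # ip_network(..., strict=False) accepts a bare address as a /32
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only if the referenced domain's policy yields "pass"
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"             # mechanism this model does not implement
    return "neutral"                       # record ended without a matching term


def filter_decision(domain, sender_ip):
    """Combine the SPF result with the blocklist, as the article says a filter must.

    Returns (action, spf_result) where action is reject, accept or filter.
    """
    spf = check_spf(domain, sender_ip)
    if spf == "fail":
        return "reject", spf               # forged sender, e.g. a phishing message
    if ipaddress.ip_address(sender_ip) in IP_BLOCKLIST:
        return "reject", spf               # SPF passed, but the origin is known-bad
    if spf == "pass":
        return "accept", spf
    return "filter", spf                   # softfail/neutral/none: hand to content filtering


if __name__ == "__main__":
    cases = [
        ("bank.example", "192.0.2.10"),        # legitimate bank mail
        ("bank.example", "203.0.113.50"),      # phishing message forging the bank
        ("cheapspam.example", "203.0.113.7"),  # SPF-compliant throw-away spam domain
        ("reseller.example", "198.51.100.5"),  # mail sent through an included provider
        ("nobody.example", "10.0.0.1"),        # domain with no SPF record at all
    ]
    for domain, ip in cases:
        action, result = filter_decision(domain, ip)
        print(f"{domain:20} from {ip:15} spf={result:8} -> {action}")
```

The second and third cases are the article's point in miniature: the forged bank message is rejected on SPF alone, while the throw-away spam domain passes the "passport check" and is caught only by the blocklist lookup that follows it.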

Judge said adoption of SPF has been slow. He estimates about 3 percent of Fortune 1000 companies use the technology, up from 1 percent in April. "We're seeing some momentum, but as you can see, there's a long way to go."

Companies may be dragging their feet because SPF is just one of several proposals to stamp out e-mail address forgery. Microsoft plans to combine SPF with another technology, Caller ID for E-mail. Google is considering the use of SPF in its free Gmail service. Another group of e-mail companies, including Yahoo Inc., has embraced a system called DomainKeys.

Hiawatha Bray can be reached at bray@globe.com. 

© Copyright 2006 The New York Times Company