Found: One Alleged Spammer

How’s this for a tale of spam? According to Microsoft, the alleged spammer it sued yesterday, in cooperation with the New York Attorney General, sent messages using false sender names, false subject lines, fake server names, inaccurate and misrepresented sender email addresses, or obscured transmission paths. Those sender addresses used 105 different domain names. Messages were routed through at least 514 IP addresses, in 35 countries on six continents.

How much more deceptive can you be?

The amazing part is, despite all this falsity, Microsoft and the New York AG are convinced they’ve got their man. And he’s a man with a name, not your usual “John Doe” spammer so often named as defendant in such lawsuits. Microsoft “investigators” apparently noted a high volume of spam coming from a New York IP address. They helped the AG track down its sources. The Microsoft/AG team is a natural because for all the rhetoric about the new Can Spam law and how it’s going to stop spammers, legislation can only work if it goes hand-in-hand with technology. You’ve got to figure out who sent the message before you can prosecute them.

Thankfully, folks in the anti-spam community are proposing technological solutions to make emailers more identifiable. At least they’d help separate easily identifiable people from the shadier characters. But there’s a danger lurking. Spam’s a big problem and a big money maker for a lot of players. That means a lot of people have a vested interest in keeping spam a problem. It also means everyone’s looking for a proprietary solution so they (and they alone) get the financial reward.

Spam is an Internet-wide problem. It requires an open source solution, not a proprietary one.

I got to thinking about this when Yahoo unveiled its DomainKeys proposal earlier this month. It combines Public Key encryption with the domain name system (DNS), allowing authentication of an email sender’s domain.

People more technically inclined than myself have criticized the idea as unworkable. Just the fact they’re weighing in is important, especially if these critics can help strengthen Yahoo’s proposal.

“Yahoo’s focus right now is to garner feedback and support for DomainKeys,” said Brad Garlinghouse, VP of communication products at Yahoo “Certainly, as more organizations embrace this idea, it will have an increased impact on solving the spoofing/forgery problem. We are also proactively developing open source code for DomainKeys, which will be available to the Internet community for free. So collaborating with industry leaders and increasing support is a definite priority.”

Fact is, any change to the email protocol is a sort of chicken-and-egg problem. You can’t get companies to invest in infrastructure changes until you’ve convinced them it will become standard, but you can’t convince them it will become standard until enough companies invest in infrastructure changes. While I’ve seen ideas from proprietary companies that claim to have solved the problem, there’s no way the whole Internet community will solidify behind a proprietary solution. Everyone needs to have a say.

In that spirit of cooperation, the NAI’s E-Mail Service Provider Coalition (ESPC) proposed Project Lumos, a system aimed at both establishing sender identity and attaching reputation to that identity. Thankfully, the proposal’s authors don’t seem to be unduly attached to its details, although they’ve obviously worked very hard coming up with the plan.

“Certainly, we in the ESPC have no ego attached to our proposal at all. We don’t care if anyone ever acknowledges that we had any role in it,” Margaret Olson, CTO at Roving Software and co-chair of the ESPC’s technology committee, told me. “We just want to see a solution that works for the recipients. And what works for the recipients works for the senders as well.”

Although IronPort Systems makes its money fighting spam with a proprietary solution, the company appears to understand it can’t solve the problem alone.

“I’m skeptical that any company could build a business out of some proprietary way of establishing identity, because ubiquity and proprietary seem to be at odds,” Tom Gillis, SVP of worldwide marketing for IronPort, at a roundtable the company hosted on the issue.

The techie folks who have given this problem the most thought may be the Internet Engineering Task Force (IETF), through its Anti-Spam Research Group (ASRG). Its latest proposal is called Lightweight MTI Authentication Protocol (LMAP). To give you an idea of how much they’ve considered this, one LMAP document refers to no less than seven previous proposals addressing the subject.

What’s really wonderful is the Internet, and email, the subjects of all this scrutiny, are such incredible tools for discussion and building consensus. It’s going to take time, but there’s growing consensus an identity solution is needed. Sure, Microsoft and the NY AG were able to find one individual to blame (at least partially) for the spam problem. In five other suits the software giant filed, 200 “John Doe” defendants were named. Wouldn’t you like to know who they are, if only so you could reject their email?