Anti-spam firms test 'caller-ID' for email

Spammers will have to go back to their old jobs on used-car lots as the email infrastructure is upgraded to eradicate email spoofing, say email security experts

The future looks bleak for spammers as service providers start testing technologies to overcome email address 'spoofing', according to email and security experts speaking at the RSA Security conference in San Francisco on Wednesday. It could mean that spammers will have to go back to "selling used cars", they said.

On Tuesday, Microsoft chairman Bill Gates highlighted the need to "strengthen" the standards and protocols that govern the transmission of email, and announced a plan to introduce a Caller ID system for emails. Service providers said they are already testing technologies that should eradicate email spoofing within two years.

Eradicating the majority of spam will mean updating the email infrastructure so that emails can "prove" they come from the domain they claim to be sent from. Hans-Peter Brondmo, co-chairman of the technology working group at anti-spam organisation the Email Service Provider Coalition (ESPC), said the key is to allow IP addresses to be tied to a domain: "What we are talking about here is an upgrade to the email infrastructure, but it is a minor upgrade. Caller ID/SPF simply means that when an IP address sends email, you can ask if the domain it represents is legitimate. It uses the DNS infrastructure that is already there, so it links the sending domain with the sending IP address," he said.

Dr Paul Judge, chief technology officer of email security firm CipherTrust, told ZDNet UK that the planned improvements will vastly improve current filtering methods, which he said are making a difference on their own: "The media talks about the volume of spam increasing but what is particularly exciting is that the volume of spam hitting inboxes is decreasing." But Judge warned that the situation will probably get worse before it gets better. "The technology is getting better and more widely deployed so the spammers' first reaction is to send more. The next reaction is to try to get past filters with random text, Trojans, etc., so phishing is just a phase to increase their response rate," he said.

Robert Sanders, chief systems architect at ISP Earthlink, agreed that new technologies will ensure that spammers will find it increasingly difficult to fool end users: "It can prevent phishing attacks -- if you get a message saying it comes from PayPal and we can verify that it did not come from PayPal's email gateway, we can in some way communicate that to the end user. This summer should see active trials and within the next couple of years, the economic incentives are going to go away," he said.

Sanders said the new technology will create an identity for email users, but was keen to point out that it will not contain personal information: "It is not a true identity we are interested in here -- it is not your real name, home address or credit card number. We just want to know that the email address does belong to you," he said.

Judge said spammers are already feeling a pinch in their finances and some have already decided to quit: "I was on the phone with one of the top ten spammers in the world -- he used to send a couple of hundred million spam messages every day -- and he is quitting because it is no longer worth it and he can't make enough money. That is just one example, but it is a great example of the shift we are seeing," he said.

"The spammers down in Boca Raton or wherever they are will have to go back to selling used cars," said ESPC's Brondmo.