Gates' spam plan cops another pasting

More security experts have expressed concerns about Bill Gates' plan to eliminate spam by cracking down on e-mail "spoofing".

Gates's strategy for blocking spam, outlined in his keynote address to the RSA 2004 conference last week, is to build technology into e-mail systems to verify that messages originate from where their senders purport to be.

However, David Banes, MessageLabs' technical director, fears that the Gates plan could damage the reputations of businesses that fall victim to hackers.

Likened to caller ID, the new specification would require companies to publish the IP addresses of servers they use to send e-mail and allow recipient systems to compare them against information carried in the headers of e-mail addresses.

But Banes points out that this could lead to a black-listing of legitimate businesses whose servers are hijacked by spammers.
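The check described above and the case Banes raises, as an added example that is not from the article or from any published specification. It assumes the sender is taken from the From: header; the verdict names and all addresses and domains are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: IP ranges each domain publishes for its mail servers
# (documentation address space, not real senders).
PUBLISHED_SENDERS = {"example.com": ["192.0.2.0/28", "198.51.100.25/32"]}

def sender_domain(raw_message):
    """Return the lower-cased domain of the From: header, or '' if unusable."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(connecting_ip, raw_message, published=PUBLISHED_SENDERS):
    """Compare the connecting server's IP with the ranges the From: domain publishes.

    Returns 'pass', 'fail', or 'none' (the domain publishes nothing to compare).
    """
    ranges = published.get(sender_domain(raw_message))
    if not ranges:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in ipaddress.ip_network(r) for r in ranges) else "fail"

def mail(from_header, body):
    """Build a minimal constructed message with the given From: header."""
    return f"From: {from_header}\nSubject: test\n\n{body}\n"

# Constructed cases: (label, connecting IP, message)
CASES = [
    ("genuine mail from a published server", "192.0.2.5",
     mail("Accounts <accounts@example.com>", "Your invoice is attached.")),
    ("forged sender from an unlisted host", "203.0.113.77",
     mail("Accounts <accounts@example.com>", "Cheap pills!")),
    ("spam relayed through the hijacked published server", "192.0.2.5",
     mail("Offers <offers@example.com>", "Cheap pills!")),
    ("domain that publishes no server list", "203.0.113.9",
     mail("someone@example.org", "Hello")),
]

def run_cases():
    """Return the verdict for each constructed case, keyed by its label."""
    return {label: check_sender(ip, msg) for label, ip, msg in CASES}

if __name__ == "__main__":
    for label, verdict in run_cases().items():
        print(f"{verdict:5} {label}")
```

The first and third cases get the same verdict because the check sees only the connecting address, so spam leaving a compromised published server is indistinguishable from the owner's mail and any blacklisting falls on the legitimate business.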

"That machine only has to be compromised by a hacker which is then [used] by a spammer and you've got spam coming out of an authenticated source, so all that is going to do is close down a legitimate business somewhere when they get black listed," said Banes.

"There's all sorts of problems and issues around that, there's no easy solution".

Following similar reasoning, Tim Hartman, systems engineering director, Symantec Asia Pacific, says that spam bots -- zombie systems infected by viruses designed to make their hosts emit spam -- remain the biggest headache for anti-spam agents.

MessageLabs' Banes agrees. He indicated that it was unclear how Gates's verification system would help detect spam e-mails from spam bots, as most messages emanating from them would appear legitimate in the eyes of his system.

"There's the assumption that everyone is going to be using their own infrastructure to send these things; most spam is sent through hijacked computers at some other location from the sender," he said.

Hartman and Banes have identified other concerns about Gates's plan. For Banes, the plan generally assumes too much.

"The assumption there is that everyone is using Microsoft e-mail products and or standard Microsoft standard in take up by everybody, which is going to be tricky to do with the aggravation you get between the Microsoft community and everybody else," he said.

Symantec's Hartman was slightly more positive but also observed that the logistical problems associated with getting everyone to agree on how to replace the current standard -- RFC 822 -- were immense.

He said the plan would "definitely alleviate a few problems" but said any e-mail client that's got an SMTP connector on it would need to comply with Bill Gates' new standard.

"This problem is bigger than Ben Hur, basically".