This is an archive article published on July 17, 2004

Internet service providers test new ways to outsmart spam

Be liberal in what you accept and conservative in what you send.

That was the philosophy when computer scientists sent the first electronic-mail messages over the Internet more than 30 years ago.

At the time, the Internet was in its infancy, used by a few hundred researchers at universities, government labs and high-tech companies. Today, hundreds of millions of people have e-mail addresses, and junk e-mailers send out billions of messages every day. And Internet service providers are racing to figure out how to force spammers to abide by that old golden rule.

Microsoft Corp, Yahoo Inc and other companies are taking different approaches, but they all have the same objective: finding a way to verify that people who send e-mail are who they say they are. That would plug the biggest hole in the Simple Mail Transfer Protocol (SMTP).

The designers of SMTP knew their protocol didn’t have a built-in authentication system. But they saw no reason to worry. “There was very little attention paid to nasty people because we all knew and trusted each other,” said David Farber, an Internet pioneer who is now a professor of computer science and public policy at Carnegie Mellon University. “It was understood that it was easy to forge mail, but who would forge mail among your friends?”

Spammers have taken full advantage of that oversight. They falsify their names and reply-to addresses to bypass junk e-mail filters and trick recipients into opening messages. They copy corporate logos to send fake messages purporting to be from companies such as eBay and Citibank to fool people into handing over their credit card numbers and other personal information in so-called “phishing” attacks.

“Accountability is really the missing link for many of the problems we have on the Internet,” said Phillip Hallam-Baker, principal scientist for VeriSign Inc, the company that maintains the master list of commercial Internet addresses. The Federal Trade Commission last month cited the lack of authentication standards when it declined to create a “do-not-e-mail” registry modelled after the “do-not-call” list for telemarketers.

Without knowing for sure who is sending a message, the FTC said, Internet service providers and other spam fighters wouldn’t be able to punish violators. The big Internet service providers don’t agree on how to best fix the authentication problem.

AOL has started publishing the list of IP addresses from which it sends its members’ e-mail so that other e-mail service providers can block messages from spoofed AOL addresses.

If the ISPs succeed, e-mail marketers will have no choice but to authenticate their messages to prevent them from being blocked. Companies would be held accountable for the sending habits of their employees, and ISPs would be responsible for their customers’ e-mail.

Those that developed a reputation for generating spam could find their e-mail blocked.

The catch is that an authentication standard has to be widely adopted to be effective. —(LAT-WP)
