I am thrilled to see that at least one industry writer/analyst, Ester Dyson, is brave enough to not only realize, but actually put into writing an acknowledgment that the solution to the global spam problem is SENDER AUTHENTICATION. At Sendio (http://www.sendio.com) we began offering a Sender Authentication anti-spam network appliance in 2003 and have been fighting an up-hill battle for recognition that the problem of spam is an Identity Management problem which is best addressed through Sender Authentication. Artificial Intelligence (a.k.a. filters) are great for some applications, unfortunately, fighting spam is not an area where this type of bleeding edge technology (filtering) is best suited.

For more information on the world’s only licensed Sender Authentication based network appliance, please visit our web site at http://www.sendio.com or contact me, Tal Golan (.(JavaScript must be enabled to view this email address)), directly.

Thank you, Ester, for telling it like it is.

I read, with interest, both the article and the encouraging response from Mr. Golan.

As the CIO for a mid-sized organization suffering under the weight of SPAM.  All the obvious was true at this site.  The burden of SPAM was increasing, the claims of effective filtering were proven false irrespective of the time and money committed to the solution.

As technical people we were embarrassed at failing to provide effective answers to our users and made aware of the failures before our Senior Management who were highly motivated to be past the problem and intolerant of our claims that there was no real answer.

These were the obvious facts.  What we all hear little of are other real truths.  To wit:

1. That the labour cost of clearing the debris brought by SPAM is staggering. 10 minutes/day spent in mailbox clean up in an organization of 1500 equates to millions of dollars annually.  Recurring.

2. That the cost of expanding capacity on mail-servers (ie, Exchange) relates to bearing the burden of unsolicited commercial emails.

3. And this, for us was a killer, that the ability to daily backup our mail-server (typically done in the off-shift) was becoming impossible due to the shear size of the files and a fixed window to perform the task.  The reaction, short of finding a solution for SPAM was to invest in high cost (faster, automated) backup devices which would NOT be required conventionally.  Frustrating.

What is the solution?  By experience Sender Authentication.  Spam traffic was stemmed at the front door.  Exchange is then able to handle the ‘normal’ email traffic without burden.  Backing up returned to normal routines and well within the capacity of existing devices.  Labour, otherwise spent in nonsense work was again available to the organization. No more false positives nor, in particular, alarming warnings such as “[Suspected Spam]....” generating more support questions and exhausting time.  User satisfaction and confidence is on the return.  Yes… once lost it is difficult to recover.  Perhaps I’ll find an equally elegant solution for this problem too.

I support the views of the article and the response from Mr. Golan.  The key to progress is the first step.  The moment when our foot is in the air is the moment we we are most vulnerable. The choice to lift the foot and move it forward is fraught with fears of other times when we’ve been knocked over.  But, when the direction is clear, and the reasons to proceed are compelling, we must. On SPAM, we must. Knowing the direction to face is key.  I say, on this topic, Sender Authentication.

I thank you both for your thoughts.

Esther, I guess the problem with the inboxevent sessions you attended was that there’s a whole lot of feel good morale boosting support for spf + caller id, domainkeys and other MARID proposals, which are all really good .. except that as you point out,

It is not a single cure all / magic bullet solution.  You definitely need a whole lot of education, but you also need a combination of

* good legislation (like, for example, the australian antispam law .. and definitely not like CAN-SPAM)

* good ISP policy enforcement around the world - with spammers hosting in China, spamming from Costa Rica and having payment gateways in the bahamas ... you definitely need that.  Education, definitely - start with ISPs policymakers, ISP sysadmins, give them the tools and the knowledge of how best to react to spam issues on their network.

* technical solutions - better blocklists, better whitelists, MARID .. only, keep in mind that these proposals address forgery, they don’t directly address spam - there’s a LOT more to spam than forgery as even Meng Wong and others on the IETF marid group will point out. Getting a whole bunch of people to publish spf records is going to be staggeringly difficult, even with the threat of large ISPs rejecting their mail if they don’t publish.  Heck, I know a whole bunch of people who continue to use long dead blocklists like monkeys.com, that closed down ages back and were set up to return a positive to each and every query.  I wonder .. people don’t seem to learn even if they don’t see any email at all coming into their systems :(  It’s that old cliche’ about taking horses to water, or perhaps the one about teaching pigs to sing.

The APCAUCE conferences I’ve organized in the past (the most recent in feb 2004 at Kuala Lumpur, with Dave Crocker as keynote - program at http://icauce.org/Program.htm ...) and the upcoming WSIS antispam meet at Geneva - http://www.itu.int/osg/spu/spam/meeting7-9-04/index.html (where I’ll be chairing a track on technical measures) focus exclusively on spam, and as far as I can see, do see a much broader picture than what you describe.

[Editor’s Note: Portions of comment removed as per CircleID COC]

I read, with interest, the comments from Mr.Ramasubramanian.  I have not had the pleasure of meeting Mr.Ramasubramanian but align with some of his thoughts expressed.  I would only encourage the continued healthy presentation of views while yielding the floor for the flora and value of others thoughts, experiences and wisdom.

I wonder, however, if this forum is the best place to make personal comments about views of individuals who take the time to offer thier encouragement to the writer.  In the end, it would heartening to consider that we are all against spam and that any alignment against the foe is worthy of respect.

If one had personal issue with anything that I write I would invite a personal response.  If one had a contrary view, without it becoming a personal attack, I would welcome same as healthy debate.  Perhaps this would be polite. Either option is available in this forum.

I’m sure Mr.Ramasubramanian is a learned man and far from me to offer a correction.

The CircleID Code of Conduct.
1. Members shall not attack or judge anyone personally.
 
2. Members shall avoid obscene, irrelevant, or needless inflammatory remarks.
 
3. Members shall respect other fellow members’ time by keeping all posts intelligent, constructive, informative, and original.

<snip>

Warm regards to all who find spam as offensive as I.

Rob