There are many companies in the spam-fighting business and most, if not all, claim to be hugely successful. Yet spam is exponentially more prevalent today than it was just 2 years ago. How can one conclude that today's anti spam solutions are working? This year spammers will use machine-generated programs to send trillions of unsolicited email.
Thankfully, a new anti-spam technology has made its way into the market. This approach, known as Sender Address Verification or SAV, is poised to cripple spammer's ability to deliver machine-generated email. SAV employs a patented methodology that asks first-time senders to verify their email address before a message is forwarded to an individual recipient's inbox. SAV is easy to set up and provides tremendous value to both IT and business users. Most importantly, SAV eliminates 100% of spam and produces zero false positives. We will discuss more on SAV later in this article.
The Weapons of a Spammer: Anonymity, Automation, and an Arms Race Mentality
There are 3 primary reasons why the problem of spam has exploded:
Filtering is a computing technique that employs artificial intelligence and complex algorithms to decipher "wanted" email from "unwanted" email. The two most common filtering techniques are "Bayesian" and "heuristic." Both are sophisticated and intriguing, and both have failed miserably. Considering the exponential growth of spam and its financial impact in terms of lost employee productivity and wasted IT resources, it is clear that a better solution must be found.
[Flaw] Filters are reactive, a fact that spammers can exploit in 2 ways:
As vendors or their customers tighten filters in hopes of blocking all spam, they begin to filter out important non-spam emails as well, an occurrence known as a "false positive." When filters are relaxed to limit the number of false positives, more spam emails slip through. This "catch 22" will continue to be an ongoing dilemma for companies that use anti-spam filters.
[Flaw] Filters are being subsumed by SAV techniques:
Acknowledging their innate deficiencies, filtering vendors may be forced to include authentication layers in their anti spam offerings. The current "soup du jour" is Sender Policy Framework (SPF). Unfortunately, with their substantial investment in artificial intelligence (filtering), many vendors are prohibited from abandoning this flawed approach. The results are product offerings that force customers to pay for filtering features that are no longer needed or effective.
Sender Address Verification: Winning the Battle Against Spam
A hallmark of our civilized society is etiquette. As children we are taught to always "knock" before entering a room with a closed door. SAV technology employs this approach to stop spam, requiring first time senders to identify themselves before their message is allowed to enter a recipient's inbox - a type of digital doorbell.
SAV's effectiveness is matched only by its simplicity. When persons with whom one has never corresponded send an email, a properly designed SAV system responds to the sender, in the intended recipient's name, asking the sender to identify themselves by performing a simple task. This one-time verification request comes in the form of an email back to the sender. The simplest task requires the sender to press "REPLY" and "SEND" when they receive the request. Additional tasks, such as puzzle solving (captchas) can be employed if necessary to confirm a human sender. When the sender completes the verification request their email is automatically delivered. A delivery confirmation receipt is sent acknowledging that their email has been delivered and that their address has been automatically placed on the recipient's approved sender list. Once placed on this "whitelist" all future emails will be delivered directly to the recipient.
SAV removes the veil of anonymity enjoyed by spammers because the verification request is, by definition, an audit trail leading back to the sender. According to the Anti-Phishing Workgroup's May 2004 report, "...the actual percentage of spoofed phishing emails is likely higher than 95%." It is highly unlikely that spammers will respond to the verification requests, assuming that the return email address they provide is actually real, because in doing so they would be accepting responsibility for the spam that was sent. SAV turns the tables on the spammers back in favor of email recipients.
Advantages of Sender Address Verification (SAV)
While there are many compelling arguments in favor of SAV, perhaps the most convincing are its 100% effectiveness and ability to help enterprises re-capture billions of dollars in lost productivity and wasted resources.
[Fact] SAV reduces server load and storage costs:
When implemented as a stand-alone network appliance SAV sits at the network edge, in front of the corporate mail infrastructure. Only email that should be delivered is actually allowed into the network. Spam is never allowed to reach the messaging infrastructure, thus limiting the burden on existing resources. In certain industries where government regulations mandate that all email is indexed and archived, a SAV enabled network appliance can free companies from incurring storage costs associated with spam.
[Fact] SAV never deletes legitimate emails:
Spam filters that use mathematical formulas to guess whether an email is legitimate regularly obscure valid email after mistaking it for spam (a false positive). SAV does not employ these techniques nor does it make these costly errors. SAV eliminates the guesswork by merely asking first-time email senders to "knock before entering."
[Fact] SAV mitigates future spam by exposing the sender:
SMTP (the backbone of Internet messaging) has no mechanism for verifying the validity of the email sender, thus making it an anonymous transport mechanism. There are promising technologies on the horizon, such as Sender Policy Framework (SPF) and Domain Keys. However, at this time the efficacy of either approach cannot be accurately measured due to lack of widespread industry adoption. SAV solves this basic problem not by trying to fix/monitor the actual correspondence that is sent via SMTP, but by closing the "loophole" in SMTP - the anonymity factor. SAV requires that senders of email either be pre-approved by recipients, or be willing to identify themselves.
Dispelling Myths About SAV
While the concept of SAV is quite simple to grasp, many experts have struggled to understand how SAV is implemented. This confusion has allowed a significant amount of misinformation to find its way into both the mainstream and IT trade press. Below are some common myths about SAV:
[Myth] SAV will double the amount of email traffic by flooding the Internet with verification requests:
The misconception is that for every piece of email there will be a corresponding verification request. This is false.
At the root of any email processing mechanism is an email server. A basic characteristic of any modern email server is the prevention of "bounce" loops. A properly implemented SAV mechanism will, therefore, not be subject to "bounce" loops or message "ping pong."
[Myth] SAV will block legitimate machine-generated email (e.g., newsletter subscriptions):
Part of every SAV system is a pending queue, or waiting room. This is a place where messages are sent until they are validated as legitimate. If a machine-generated message is sent from a previously unauthorized newsletter subscription or an e-commerce receipt, the message will be waiting for approval in the pending queue. Some SAV systems allow users and administrators to whitelist entire domains and/or parts of domains. For example, a system administrator could globally indicate that any email sent from @Amazon.com, or @VentureWire.com should never be authenticated. Individual end users have the same capability to configure this functionality for their personal accounts.
[Myth] SAV is easily circumvented by "joe-jobing":
While "joe-jobing" a SAV system is certainly possible, in practice it is cost prohibitive and by actively committing fraud, spammers put themselves at greater risk. In addition, with the creation and proliferation of anti-fraud mechanisms like SPF, Sender ID, etc., "joe-jobing" can be prevented entirely.
Sender Address Verification makes it impossible for the purveyors of spam to realize the financial gains that have been enjoyed in the past. SAV eliminates the unfettered access to email inboxes that was available to crafty spammers, enabling companies to regain productivity and IT resources once lost to fighting spam. As this simple and elegant approach gains widespread acceptance, spam, as we know it, may be entirely eradicated.
Reproduced by CircleID with expressed permission of Sendio, Inc. An Adobe PDF version of this article available for download from Sendio's website.
By Tal Golan, CEO
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DDoS Protection
Neustar DNS Services