As most CAUCE supporters already know, forging From: or other commonly seen email headers is trivially easy. It's one of the most frustrating oversights in the creation of Internet email technology -- though of course that's only obvious in hindsight; it was just fine for the pre-Internet networks of the late 1970s and early-mid 1980s.

Since then, things have changed -- and the most interesting recent technological advancements in email have been in the realm of sender authentication, which encompasses ways to verify that the apparent sender of a message actually is the entity which sent it. Before you can answer the question "can I trust this message," you have to ask "who sent it?" -- but before authentication, there was often no way to know for sure.

The first authentication technology to catch the interest of the industry was Meng Wong's SPF, which also formed the basis for Microsoft's SenderID. In parallel, Yahoo! developed DomainKeys, which has now evolved into DKIM. All of these are free to use, though some have licensing requirements or patents which may prevent derivative works.

Having what looks like four entirely different technologies may seem confusing, and marketing tactics from some of the organizations involved certainly haven't helped. Luckily, our friends at the Messaging Anti-Abuse Working Group have published a new white paper, Trust in Email Begins with Authentication, which should help to clarify things. It provides a much-needed substantive overview of the authentication methods and practices currently in use, without inappropriate bias or attempts at coercion.

CAUCE hopes that this effort will raise the level of debate within the email industry, and lead to faster adoption of authentication technologies. Sender authentication will not, obviously, solve spam -- it has very little to do with spam, in fact -- but curtailing the bad guys' ability to send messages that look like they're from your bank or other trusted institution will certainly help.


[Some CAUCE Board members -- including the author of this article -- contributed to the MAAWG document, and are regular attendees of MAAWG events.]

Yahoo users can feel a little bit more secure when receiving email from eBay and Paypal after Thursday's Yahoo! yodel: Say goodbye to eBay and PayPal fraudsters.

"We’ve teamed up with eBay and PayPal to become the first Web mail service to block the delivery of unauthenticated eBay and PayPal emails, reducing your risks of receiving phishing scams or fraudulent emails. Our weapon
is a technology Yahoo! spearheaded called DomainKeys, which uses cryptography to verify the domain of the sender."

This is the first major announcement of this kind, be prepared for more to follow by authenticating your mail now. Not just your commercial or transactional email but also your Corporate email.

CAUCE North America Debuts - New anti-spam advocacy group combines CAUCE Canada and CAUCE US

Montreal and Los Angeles, June 06, 2007 -- Neil Schwartzman, chair of CAUCE Canada, and Scott Hazen Mueller, chair of CAUCE U.S., today announced the formation and launch of CAUCE North America to build upon the work of their previously separate organizations.

CAUCE North America is now the premiere anti-spam advocacy group, representing the interests of the millions of Internet users in North America. The combined group will work towards equitable solutions for the original threat posed by spam since the 20th century, and Spam 2.0, the 21st-century blended threat posed by the merging of spam, viruses, phishing and malware.

"When we launched the original CAUCE, back in 1997," said Scott Hazen Mueller, founder of CAUCE U.S. and now President of CAUCE North America, "spam was an isolated problem and it was seen by many as unimportant. Now, spam is part of a multi-pronged assault by various criminal organizations attacking the very basis of trust on the Internet. If this threat is not met soon, users will continue to migrate away from the Internet for their commercial needs."

press contact: press@cauce.org

Tel . +1 303 800 6345

We were shocked, not so very many years ago, when AOL reported that spam was 30% of their incoming mail. Now, some of the world's largest ISPs report that it's well beyond 80% -- in some cases higher -- and increasing.

Back then we knew who the spammers were, they stayed in one place and thought of themselves as "high volume" email marketers -- but now, the leaders of the email marketing industry know they must respect permission, and can't engage in the spammy behavior of their predecessors. We predicted that a private right of action in civil court would be sufficient to keep those same marketers in line, and now we know that's correct -- but today, much of the spam volume is sent by career criminals and malicious hackers who won't stop until they're all rounded up and put in jail.

Reuters reports that a UK appeals court ruled that an English 18-year old who sent five million spams to a company who had fired him had indeed broken the law. The judge said that "while a computer user might consent to being sent some e-mails, that consent did not extend to receiving a barrage of such messages."

This may seem obvious, but it wasn't to a lower court, which now has to reconsider the case and what penalty to assess.

http://news.yahoo.com/s/nm/20060511/wr_nm/crime_britain_spam_dc