Possible Solutions
Peter Firstbrook, research director at Gartner, is not sure that authentication holds as much promise as people hope. "Because it is complex and expensive to implement, I am not sure this is going to work. Even though it seems simple on the surface, for large organizations, just understanding who sends email on its behalf is phenomenally hard. And this is not a one-time activity, you have to keep up every time a new server comes online or affiliate is added. It is a continuous process, because no one has automated it," comments Firstbrook. "Plus, it only deals with one issue, somebody impersonating my specific domain, but the issue is they can impersonate your domain by stealing a similar sounding domain. For example if my domain is bankofamerica.com, they could use bofa_support.com or any number of variations. All the criminals have to do is look for a variation and use it and publish their DKIM or SPF statistic. The incoming message will look like it is coming from a trusted source. Then where are we?"
Firstbrook points out that authentication does not disclose whether what they are sending, from a content perspective, is something they are allowed to send. So the server is authenticated, but the content is false. "I do not think it is possible to solve that issue unless you link anti-spam security, to try to filter through all the garbage and look for the bad senders. I do not think the solutions are nearly adequate yet—except for your basic anti-spam security. From an enterprise perspective, the enterprise anti-spam is pretty good, but the consumer stuff is pretty horrible."
Firstbrook feels that today's reputation services are very useful. "Spamhaus and other RBLs are becoming less useful because they are advertising who they are putting on the list, and they are not fast enough. Someone has to report spam, and investigate, and then put them on the list, and by then the bot is gone." Firstbrook points out that on average, spam is fatter than regular email. Therefore, when spam is 90 percent of email, dropping 40 to 60 percent of it at the connections layer can have a huge impact on scalability. "Reputation as a detection technique and management technique has a lot of legs on it."
Lists do have their place. "The whole idea is that blacklists and antispam programs can work harder, if there is a whitelist. It is the same with spyware. The anti-spyware programs can work harder, because they can go full force if they have the whitelist exception," believes Maier. "That is what we did with the Bonded Sender program, and what we are doing now with the Web Seal and Trusted Download program." Maier is pleased with the efforts of TRUSTe, but recognizes that there is still much education that needs to happen.
Champine agrees. "When people hide their PIN as they enter it at an ATM or don't walk away from a bank with all their money in full view, they do not necessarily think of it as a counter-fraud activity. Instead, these are common sense habits in order to have safe banking practices." Champine does not think people will shy away from using email. But he does believe that they are starting to acclimate and incorporate some online common-sense practices. "It is still early days for a lot of people and they are making mistakes," says Champine. "Honestly, I think the big burst in activity from the attackers' side represents that they recognize that they have to stay creative, and stay ahead of the curve and the curve is gradually growing."
Almost all agree that it is a battle between those that want to continue online exploitation, and those that want to keep the medium safe. It may be too late to restore online trust and confidence to its original state, but consumers and businesses alike show no signs of abandoning the race. "The challenges keep on coming," concedes Maier. "I guess the overall theme here is that those of us on the side of legitimacy and trust and that believe in the full promise of ecommerce and community have got to get behind each other and continuously come up with solutions. It is not going to be a one-shot deal." SJ/TMP