MX Logic Reports CAN-SPAM Compliance Increased To 2 Percent In August

September 8, 2004

MX Logic today released the results of a preliminary study showing that spammers continue to develop tactics to dodge both legal and industry-backed efforts to curb spam.

In the study, MX Logic found that spammers are trying to make their messages appear more legitimate by adopting an emerging email authentication technology, Sender Policy Framework (SPF), intended to help stop fraudulent email. The company also reported that compliance with the federal anti-spam law, the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, rose to 2 percent in August — up from an all-time low of 0.54 percent in July.

In its preliminary study, MX Logic found that some spammers have embraced SPF in the hope that their unsolicited email messages will be viewed as more legitimate because the messages have an SPF email authentication record associated with them. In a sample of more than 400,000 unique spam email messages that passed through the MX Logic Threat Center from Aug. 29 through Sept. 3, 16 percent had published SPF records.

SPF helps prevent domain “spoofing” in email and makes it easier to identify fraudulent email scams and “phishing” attacks by authenticating the origin of an email. Email domain owners identify their “legitimate” sending mail servers by publishing an SPF record in the domain name system (DNS). This enables email servers to validate the source of incoming email against the associated SPF record to determine if the email sender’s domain is legitimate and not “spoofed.”

“Our preliminary findings on the adoption of SPF by spammers should come as no surprise to those of us on the front lines of the spam war,” said Scott Chasin, CTO, MX Logic. “Combating spam has historically been a cat-and-mouse game, with newly developed technologies being followed almost immediately by spammer tactics that get around the new technologies. SPF is no different. While SPF is an excellent tool for preventing phishing and fraud, it is not a cure-all for spam.”

“In order for authentication to be effective against spam, the industry will need to come to agreement not only on the authentication standard to be used — such as SPF or Sender ID — but also on accreditation and reputation services that can vouch for the domain’s SPF record as well as email sending history.”

Email sender domain reputation combined with accreditation would allow for the development of a clearinghouse of information on good email senders, rather than relying on techniques to identify bad email senders, according to Chasin. Such a “guilty until proven innocent approach” to email filtering will help minimize the need for arduous email content inspection and create a “first class” category of legitimate email which can flow through email filters without interruption.

MX Logic’s findings on spammers using SPF go hand-in-hand with its findings that spammers have consistently evaded legal efforts to fight spam. MX Logic has monitored compliance with the federal anti-spam law, the CAN-SPAM Act, since it went into effect on Jan. 1, 2004. Since then, monthly compliance has ranged from a high of 3 percent from January through April to July’s low of 0.54 percent. While CAN-SPAM compliance increased to 2 percent during August, the amount of spam also increased. Of all email traffic through the MX Logic Threat Center during the month, 92 percent was spam — up from 84 percent in July.

“I wouldn’t read too much into last month’s increase in CAN-SPAM compliance. Compliance with the law has always been negligible and the August data doesn’t refute this trend. Two percent compliance is a minor uptick — not a meaningful surge,” Chasin said.

“We have always maintained that having an anti-spam law on the books was only one part of a multi-faceted solution to spam,” Chasin said. “Until the remaining pieces of the puzzle fall into place — namely, continued improvement in technology, industry cooperation on authentication, reputation and accreditation, and end-user education — spammers will continue to flout the law.”

The CAN-SPAM Act requires that unsolicited commercial email senders:

— Ensure that the “FROM” line clearly reflects the sender’s identity

— Include subject line text consistent with message content

— Include the advertiser’s valid postal address

— Contain a working opt-out mechanism as a way for the consumer to decline to receive further commercial email from the sender

MX Logic tracks compliance with the CAN-SPAM Act by examining a random sample of 10,000 unsolicited commercial emails each week.

Powering MX Logic’s email defense solutions is the MX Logic Threat Center, a sophisticated streaming-data environment where MX Logic monitors the global state of email communication 24 hours a day, seven days a week, and provides MX Logic’s customers with real-time updates and protection. Led by email security experts with extensive experience in protecting messaging networks, the Threat Center provides dynamic email defense — staying ahead of the next attack by continually incorporating information about the latest spammer, virus and worm tactics.

WebProNews | Breaking eBusiness News