spam, spam, spam,  privacy, security & spam

Make Your Mark

An Approach to Email Authentication

Stephen Cobb, 2002

Companies and government agencies need to be able to mark their email as official, so that it can be readily distinguished from fakes such as the "scam spam" that has recently been used to harvest passwords and other personal data from consumers.

It has to be said that many computer security experts saw this type of spoofed or fake email attack coming, myself included. The ingredients have been there for some time, including the lack of authentication in SMTP and the growing use of HTML email, which makes it possible to produce more plausible fakes of visually branded email (check the last page of this .pdf article for an example of a "scam spam" that targets a well-known bank--I think you will agree it looks pretty convincing, at least until you check the grammar).

The Trusted Sender Solution
My colleagues at ePrivacy Group were among those who could see the potential for this abuse of email and it became one of the motivations behind the development of something called Trusted Sender™. This is available as a technology that companies can license. A company can use the Trusted Sender product to embed a cryptographically-protected stamp or mark (of their own design if they like) into all their official email. Here is a sample of what this might look like:

A recipient of such email immediately gains a degree of assurance that the message is official, just by looking at the stamp. By clicking on the stamp a cryptographically secure authentication of the message can be performed.

Through the parallel customer education effort, the recipient knows what the stamp should look like and that it should have an appropriate email address in the From and To portions of the stamp. Creating a credible forgery of this is hard (and we have had a lot of people try, a lot of very clever people).

The Technology
Bear in mind that the image needs to be generated individually, one per message. The technology that supports Trusted Sender, known as Postiva™, is able to stamp messages like this at high rates of speed, sufficient to support large corporate customer mailings. However, replicating that processing for fraudulent purposes, in the high volumes required for spamming, would be a very costly undertaking for anyone who might be inclined to try.

Furthermore, when someone gets a Trusted Sender stamped message they can click on the stamp to obtain further verification that the message is legitimate. This is an interactive process and only genuine stamps will pass the test and verify. So consumers can have complete certainty that the message is genuine.
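As an added illustration (not ePrivacy Group's code, and not a description of how Postiva works internally), the sketch below shows one way a per-message stamp can be bound to the From address, the To address and the message body, and then checked by a verification service when the recipient clicks it. The HMAC construction, the key, the sample addresses and the function names are all assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real service would keep it in a secret store.
STAMP_KEY = b"constructed-demo-key"


def _canonical(sender: str, recipient: str, body: str) -> bytes:
    """Serialise the fields the stamp is bound to: From, To and the exact body."""
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    fields = [sender.strip().lower(), recipient.strip().lower(), digest]
    # Length-prefix each field so values cannot be shifted between fields.
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)


def issue_stamp(sender: str, recipient: str, body: str, key: bytes = STAMP_KEY) -> str:
    """Sender side: one stamp value per message."""
    return hmac.new(key, _canonical(sender, recipient, body), hashlib.sha256).hexdigest()


def verify_stamp(stamp: str, sender: str, recipient: str, body: str,
                 key: bytes = STAMP_KEY) -> bool:
    """Verification service side: recompute and compare in constant time."""
    expected = issue_stamp(sender, recipient, body, key)
    return hmac.compare_digest(expected.encode(), stamp.encode())


def demo() -> dict:
    # Constructed sample messages; example.com/example.net addresses are placeholders.
    sender, rcpt = "notices@bank.example.com", "alice@example.net"
    body = "Your statement is ready. We will never ask for your password by email."
    stamp = issue_stamp(sender, rcpt, body)
    return {
        "genuine": verify_stamp(stamp, sender, rcpt, body),
        # Stamp lifted from a real message and pasted onto a different body.
        "copied_to_other_body": verify_stamp(stamp, sender, rcpt, "Confirm your password here."),
        # Same stamp replayed to a different recipient.
        "replayed_to_other_rcpt": verify_stamp(stamp, sender, "bob@example.net", body),
        # Stamp computed without the sender's key.
        "wrong_key": verify_stamp(issue_stamp(sender, rcpt, body, b"guess"), sender, rcpt, body),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

Only the first case verifies: a stamp copied from a genuine message stops verifying as soon as the body, the recipient or the key differs.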

At the same time, the sender, using the Postiva technology, can quickly react to any attempts to spoof the stamp, moving against the perpetrator with all the force of international trademark law, policing of which is well-established and carries large penalties (as opposed to newer and generally weaker domestic spam laws, of which there is, as yet, no international equivalent).

Official Government Email
Another application of this technology is official government email. I predict that there will soon be attempts to confuse or defraud people via email messages that purport to be from government agencies or representatives.

For example, terrorists might try this in concert with physical attacks to hamper the work of first responders. Or scams such as phony tax rebates might be perpetrated via email faked to look like it comes from the IRS. With a Trusted Sender stamp, backed up by Postiva verification, such scams would have far less chance of success. Here are some examples of what these stamps might look like:

Will This Work?
Yes. The approach is based on established fraud reduction principles widely applied elsewhere, and the technology is already working. Tests by several consumer companies, including Microsoft, have found that not only does the technology work in terms of stamping and verifying email, but consumers love it.

Even more important perhaps for companies is the solid protection that this technology provides against claims, which undoubtedly will start to surface, that they did not do enough to help consumers tell the difference between official company email and fraudulent email.

I have been fighting fraud with and by computers for over twenty years and I think this is the way to go.

Note: SpamSquelcher and Trusted Sender are trademarks of ePrivacy Group. All other trademarks mentioned on this page are the property of their respective owners.

Updated January, 2010, by webbloke at cobbsblog.com © Stephen Cobb, 1996-2010