|
Last month’s article concerned the role of email authentication services in the fight against spam. As authentication gains momentum and proposed methods are standardized, email source identification will claim center stage as ISPs assign spam designations.
Spam filtering based on the senders’ reputation or demographic isn’t a novel concept. For example it’s a safe bet that email from China will likely be offering you wonder pills, refinancing or other unsolicited products and services. Consequently companies that don’t do business in the Pacific Rim generally block email that originates from those IPs.
Looking at the history of email originators instead of examining email messages on a case by case basis has its advantages: email patterns generally repeat, and the flood of unwanted email can be reduced simply by rejecting all messages from a known “bad actor”. Such blocking is attractive to ISPs and organizations -- it provides a marked decrease in spam and lower false-positives rates, while reducing the CPU load of content filtering.
Current methods of reputation management are largely internal to specific organizations and exist in the following forms:
Private lists. Blacklists and whitelists based on established criteria are maintained internally by an organization (usually an ISP). Typically ISP user feedback -- either an abuse department or “report spam” buttons -- helps administrators determine the reputation of email sources. Guidelines for whitelisting may also be used (AOL being a prime example) to help determine which email sources to allow.
Public Lists. Blacklists and whitelists are maintained by volunteers, are accessible to the public, and are often used by smaller ISPs and companies without dedicated email administrators. Because of the myriad of public sources available listing criteria runs the gamut depending on list owners’ preferences, and administrators can select lists that closely match established policies. A comprehensive list compilation can be found at (http://www.declude.com/Articles.asp?ID=97). The most widely used and fairly credible lists are MAPS, Spamcop, Spamhaus, and SPEWS.
As legislation and accountability guidelines escalate, reputation services are starting to resemble the Better Business Bureau or Verisign of email marketing. These two relatively new companies offer certification of compliance with their published guidelines and standards:
Ironport’s Bonded Sender. (http://www.bondedsender.com/) Bonded sender programs allow email marketers to secure a bond (usually thousands of dollars) to certify that their email adheres to Bonded Sender guidelines on the basis of privacy, mailing practices and issue resolution. ISPs and other mail servers can query Bonded Sender when scanning incoming messages and handle them accordingly.
Habeas. (http://www.habeas.com/) Recognized by several anti-spam solutions and ISPs, the Habeas warrant mark is protected by US Trademark law. The Habeas mark can be licensed for application to email that satisfies Habeas’ strict privacy guidelines, and the mark is integrated into email message headers for easy detection by content filtering systems. Habeas also provides a list of IPs that send certified mail.
With the increase of spam, ISPs are more likely to employ services to do the legwork of compliance certification. Imminent clarification of the CAN-SPAM act by the FTC will probably increase CAN-SPAM compliance certification demand and further amplify the market for email reputation agencies.
|
