Not Everything Slimy is an Amphibian
Spammers are on notice
It all started as an epic power play in the first grade. My son Colin had prevailed through shrewd bargaining, fast talking, and not a small amount of politicking. So, one day, he brought home Frogsey, a small aquarium habitat, and a shaker of dried bloodworms.
Frogsey’s digs are right next to the coffee maker, and I always make a racket when I fire the thing up to grind and brew my home-roasted beans. The first morning after
Frogsey’s adoption, I came downstairs, and found Frogsey floating about halfway down in his tank. Uh oh. I fired up the coffee grinder/maker, which, to a frog, has to sound like an F-16 taking off right next to him. Nothing. ‘Oh, this is great’, I thought. I tapped on the glass a few times, Frogsey’s lifeless body stayed neutrally buoyant, just hanging there.
Now, I needed to think fast. Colin had been talking up the Frog Adoption Day at his school for weeks. There were eight frogs, 25 kids, but about a third of them were categorically denied adoption rights by their parents, so Colin’s chances were about even money, and he won out.
So, do I give Frogsey the Royal Flush and then speculate openly how he might have escaped? “I don’t know, Colin, all I saw were wet footprints heading toward the back door.” Do I toss him in the air so Chester (our golden retriever) could devour the evidence like a little fishy-tasting Kibble? I shook the horrific idea from my head and looked over at the floating amphibian. Then, like a shot, he sprang to life, zoomed to the surface to grab a bubble of air, and disappeared under a rock.
I decided I didn’t need to go through that every morning, so I hopped on the Internet and hunkered down to some serious frog research.
Colin had mentioned that he thought this was an African lady frog; but after a few minutes, I quickly determined Frogsey was either an African clawed frog, or an African dwarf frog…all that remained was a little close inspection. Ah hah! Frogsey had the characteristic on-the-side-of-his-head eyes, a telltale sign of the Dwarf, Hymenochirus boettgeri. Further reading indicated that determining Frogsey’s sex was going to be difficult; nothing short of a frogtopsey would give up that information and, to be honest, Frogsey lives alone so it seemed irrelevant.
Frogsey is an interesting character. They’re little guys, maybe an inch long, and live their entire lives under water…except for the mad rush to the surface for a quick snatch of air. It turns out they like to float for long periods of time in suspended animation like William Hurt in Altered States. How they sleep is more problematic. The best I can figure, Frogsey floats with his little nostrils above water when he snoozes, but I can’t be sure.
Since it was only 5:30 AM, and the rest of the pack wouldn’t rise for a while, I continued scanning the Internet for news on my white whale: Killing Spam. Gee, is it really true that since I wrote my last column on the fight against spam that nothing has been done? Hmmm…a few tidbits here and there.
Brian Livingston, writing for Datamation, seems to have noticed some ground has been gained in the battle of protocols between Microsoft’s Sender ID, and Yahoo!’s DomainKeys.
The issue extends beyond the big spammers, many of which have dulled their own righteous attitudes so that the distinction between illegal and illegitimate doesn’t cause them any sleepless nights. And even if it did, some of the big spammers who’ve been popped in the last year made millions, and some are dodging harsh judgments by declaring bankruptcy, and then reappearing as a new, equally nefarious organizations. And you thought Osama Bin Laden was hard to pin down.
But “phishing,” the black art of sucker punching some miniscule percentage of the population into giving up personal and financial information, has grown like a mutant virus. You’ve all seen the calls to “update your PayPal information,” or (name a major bank here) is contacting you that there has been suspicious activity on your account, so all activity is suspended until you update your info. Then, as you float the cursor over the link that says www.bankofamerica.com or something, you note that the URL resolves to some screwy looking location in Romania. ‘Gee, when did BOA outsource to Romania?’ you ponder.
Again, Brian Livingston pointed out that Erik Johnson, a Bank of America vice • 14 percent of Americans have stopped using online banking or bill-payment services because of fraud concerns;
• 20 percent will no longer open any e-mails, legitimate or not, that claim to be from a financial institution with which they bank;
• 26 percent won’t use any online financial products, period.
Pretty bad, eh? Well, it’s no better for millions of e-mail users who cannot go to the exclusivity of white lists, or use one of several verification tools of sort that requires a user to type in graphically obscured numbers and letters. The former is great, if you never want mail from someone not on your personal permission list, and the latter technology elicits howls of rage when people can’t read the distorted and masked symbols in a bitmap, meant to thwart bots from cruising in and harvesting information or making automated submissions.
Back to the technologies, and what is being done with them. Let’s make a few high-level cover statements first:
• DomainKeys and Sender ID are decent technologies, with the former being the stronger of the two by far.
• They ain’t worth the bits used to describe them if they are not actively used and screened.
Here’s the rub: DomainKeys, and to a lesser extent Sender ID, could go a long way toward reducing spam and phishing. On the latter, many major banks and such are voluntarily implementing Sender IDs, then they inform participating major ISPs not to accept any mail purporting to originate from them unless they contain their Sender ID, essentially restricting the valid servers sending the mail to a very few specifically named boxes.
That’s cool. But of course, if you’re a bad guy, you’re not going to comply with this, so this is a CYA. For a large bank, it makes a lot of sense to instill confidence in consumers so they use online services. Why? Well, if you’re in marketing, it’s to “provide maximum convenience to our customers.” If you’re cynical like me, it’s the same shameless shill the airlines are not at all bothering to lie about any longer when shoving online reservations down customer’s throats; it’s all about money. Airlines are the absolute rulers of the universe when it comes to pushing their luck. They float fare increases, or curtail benefits, until they realize other airlines aren’t following, and then they pull back. But they aren’t retracting the online services storm-trooping, nosirree…in fact, the latest arms escalation is that some airlines will now add a fee even if you walk up to an airport ticket counter. All of this misdirection is to reduce counter staff and costs.
But I digress.
Quoting Brian Livingston again: “DomainKeys provides a much greater level of assurance for e-mail than does Sender ID. Publishing an SPF record says that only certain IP addresses are authorized to send legitimate messages originating from a company. DomainKeys confirms not only that a message came from a recognized server but that it was authorized by someone in the company and was not altered in transit.”
This is huge, but it is a WMD against spammers that has not been deployed. Most of the experts I have researched say that day will come.
What’s missing? If all major ISPs, and maybe a fair number of small ones unite and say, “we will use 100 percent authentication of all mail passing through our servers,” well, the bottom falls out of the spamming industry as the profit and loss curve is hacked to death because so few forged messages will get to us. Fewer messages equals fewer hits, and fewer hits means reduced profits, and the vermin will find another exploitative enterprise.
There is a reluctance of ISPs to adopt this draconian measure just yet, and the reasons are both economic and technical. Technically, DomainKeys are great, but not perfect. They just authenticate that the domain being used to send mail is actually the originator, but nothing prevents a spammer from registering a domain…or many, and spamming from them. Of course, nuisance domains would be painfully obvious, and a blacklist of abusers would spread quickly…in minutes or seconds, and offending domains shut out. Economically, a major ISP doesn’t want to bounce legit messages due to a technical flaw in the approach. Until they see others piling on the spammers and phishers, they are adopting a wait-and-see attitude. There are a few other issues, but the tools are there.
So, as I tap Frogsey’s aquarium to see if he has entered the spirit world, I will keep an eye out for signs of life at the major ISPs as well.
Randy Hice is the president of the Laboratory Expertise Center. He may be reached at [email protected]