Everyone on the Internet used to be friends.

Take it from Dave Farber, a computer networking guru who was on the scene when the forerunner of today's Internet was being established.

	SECOND OF TWO PARTS
	Daniel Marsula, Post-Gazette Click illustration to view a larger version. Part one Drowning in spam

"Back in the '60s, we were all friends," he said of those early research networks. No one worried much about security because snooping in someone else's files wasn't something a friend did. As for e-mail, users were glad to have that capability; no one worried about getting too much.

Fast forward 35 years, however, and the Internet is a lot bigger and far less friendly. In addition to the viruses, worms and denial-of-service attacks launched by devious hackers, e-mail in boxes each day are stuffed with spam -- unwanted messages hawking pills, porn and proffers for mortgage loans.

With more than half of Internet traffic now consisting of spam, it has become a major headache. Efforts to screen it out with so-called spam filters, or legislate it away with the federal Can-Spam Act that went into effect Jan. 1, have had limited success.

But technologists such as Farber, who on one recent afternoon noted he had received 430 spam e-mails since 8 that morning, say reducing the deluge ultimately will require changes in the way the Internet operates, fixing some oversights that he and his trusting colleagues made when the Internet was still aborning.

Work on those fixes is well under way, and some may begin taking effect in just a few months.

Unmasking the senders

		Other steps can curb spam Sender authentication schemes could put a huge dent in the volume of unwanted e-mail, but other simpler, seemingly obvious technical steps also could help. John R. Levine, co-chairman of the Anti-Spam Research Group, said home users and small businesses need to pay more attention to security, particularly those using broadband services, such as DSL or cable modems. These links, which are always on, make it possible for spammers to gain control of unprotected computers and turn them into "zombies," which can be used to relay spam messages. Computer users should have anti-virus programs on their machines and keep them up to date, he suggested. They also should install a firewall, a device that limits access to authorized users. Another simple step is to develop standards for Internet service providers to alert each other when an e-mail abuse occurs so that the providers can shut down mail from that spammer. "It sounds so obvious," Levine said, "but we need to find a way to do it."

The fixes are intended to eliminate, or at least chip away at, the cloak of anonymity that allows spammers to send out millions of e-mails without worrying about them being tracked back to their source. Called spoofing, it allows senders to make e-mails look as if they're coming from a friend of the recipient, a legitimate business or any source other than the actual sender.

"Spoofing has been known for 30 or 40 years," said Farber, former chief technologist for the Federal Communications Commission and now a professor of computer science and public policy at Carnegie Mellon University.

If the source of e-mail could be authenticated, however, it could be easier to block or eliminate a lot of spam. Spammers forced to use their own addresses also would be much easier to identify and prosecute.

Three schemes have been proposed for authenticating e-mail and are being studied by the Internet Engineering Task Force, the international group that sets technical standards for the Internet.

And the advantage to consumers is that none of the authentication measures would require any changes or actions by individual e-mail users; rather, the changes would be implemented by Internet service providers and be transparent to most users.

"Given how desperate people are feeling about spam, I see something shaking out by the end of the year," said John R. Levine, a computer consultant from upstate New York who co-chairs the Internet Research Task Force's Anti-Spam Research Group.

"It's the biggest crisis the Internet has ever faced," Levine continued. "It's clear to all of us that if we don't do something soon, some people may give up on e-mail."

A survey released this spring by the Pew Internet & American Life Project, for instance, found that almost 30 percent of e-mail users said they had reduced their overall use of e-mail because of spam and 77 percent said the flood of spam was making the online environment unpleasant and annoying.

Late last month, federal authorities filed the first criminal charges under the new Can-Spam Act against four Michigan men who they said had sent out hundreds of thousands of sales pitches by using spoofed identities and bouncing messages through unprotected computers.

Though Congress passed the legislation last year in response to public outcry over spam, computer scientists such as Carnegie Mellon's William Scherlis doubt such laws will have much long-term effect, given the difficulty in tracing the source of e-mails and given the fact that spam can just as easily originate overseas.

"All [Can Spam] ensures," agreed Farber, "is that this industry goes offshore."

Spam filters are limited

Spam filters have been the major technological response to spam to date. This software attempts automatically to identify content that is likely to be spam, scanning the subject lines and text blocks for sexually explicit terms or other words and phrases that repeatedly show up in spam: "Viagra," "your order" or "we ship." The more such red flags turn up in an e-mail message, the more likely it is to be spam.

But there is a limit to their effectiveness. Some legitimate e-mail gets erroneously labeled as spam, and some scurrilous spam keeps getting through.

"We are having a war of attrition between spammer and spam filters," Scherlis said. When spam filters clamp down on one set of phrases, spammers use other tricks, such as packing subject lines or the text itself with random, non-spam words, or changing the spelling so that the subject remains obvious, such as vaigra, or C*ial*s.

"Legislation and filtering will not remove spam," he said. "It will not make it go away."

Some have proposed e-postage as a possible spam solution ---- charging a cent or less for each e-mail. The idea would be to keep the charge low enough so that it doesn't inhibit legitimate users from sending e-mail, but high enough that it becomes prohibitively expensive to sends thousands or millions of e-mails.

But charging for e-mail is fraught with problems.

"E-postage is the water-powered car of the Internet," Levine said. It sounds like a good idea, "but nobody knows how to build it."

So, much of the attention has shifted to authentication schemes.

The simplest and, Levine says, the least effective is Sender Policy Framework, or SPF, a scheme developed by Ming Weng Wong, the co-founder and chief technology officer of pobox.com, an e-mail-forwarding service in Philadelphia.

SPF would check the so-called "Return-path" address, also known as the bounce address. This is not the return address that e-mail users typically see when they open an e-mail. Rather, it is part of the underlying text "envelope" that is attached to e-mail and purports to show the electronic route the e-mail took.

Normally, the return-path address would be the same as the sender's; it's the address where the recipient's reply would be routed, or the address where the e-mail would go if the recipient's inbox couldn't accept it.

Faking the 'bounce address'

But it's relatively easy to change this return-path address. Most spammers who hope to get the recipient to click on an Internet link rather than reply to the e-mail routinely stick in bogus addresses.

"If they didn't do that, it would be really easy to block them," Wong said. "You'd just say, 'This is the address of a known spammer.' "

This practice of substituting bogus bounce addresses is why people sometimes receive e-mail replies from strangers, telling them that an e-mail they supposedly sent included a virus. That means a spammer has used their address as the bounce address for an e-mail.

Sender Policy Framework is designed to determine if the domain name ---- the part of the address that comes after the @ sign in e-mail addresses ---- is legitimate. Wong likens it to a recipient of postal mail comparing an envelope's return address with the postmark.

Each domain, whether it is AOL, Yahoo or post-gazette.com, already identifies in a global database which computers accept incoming e-mail before it is routed to individual computers. But domains that register with SPF also would identify which machines send their e-mail. This allows SPF to authenticate that the bounce address on a given e-mail is legitimate.

If SPF sees that the return address listed is not legitimate, an Internet service provider could block that e-mail as spam.

Levine said spammers still might be able to fool SPF by inserting a valid bounce address, which will limit its effectiveness, but SPF also is relatively simple to implement.

Wong said more than 13,000 domains already have installed Sender Policy Framework and identified their e-mail-sending machines. He expects some Internet service providers to begin using it to screen mail within two or three months and for all to be using it within 12 months.

Microsoft has proposed a similar, though more challenging, method, called Caller ID for e-mail. Instead of checking the bounce address, however, Caller ID would check the return address as seen by the recipient.

Just as the bounce address can be changed by an unscrupulous e-mailer, so can the address header seen by the recipient. This is a key ingredient of the identity theft practice known as "phishing." Rather than trying to sell the recipient some product, spammers who are phishing hope to steal the recipient's Social Security number, bank account numbers or other identification.

Official-looking scam

A typical phishing e-mail might appear as if it has been sent by a bank and asks the recipient to click on a link where they are asked to supply identifying information.

Caller ID would put a halt to phishing by detecting when a return address is fake. But it also is technically more complex, requiring that the e-mail be opened so that full information about the header can be examined. Microsoft spokesman Marc Lallaman said this would be a rapid process: "Users will not see a lag."

But Microsoft has not announced when Caller ID for e-mail might be put to use. Microsoft is working with other members of the Anti-Spam Technical Alliance, which includes Yahoo, Earthlink and AOL, to test the system.

A third system, called DomainKeys, is being developed for Yahoo. This system would add a digital signature to each e-mail originating in a domain using a cryptography system. A secret code, or key, would be used to encrypt the identification of each e-mail sent out, which could be unscrambled with another key at the recipient's end.

In this way, the recipient's Internet service provider could immediately determine the domain where each e-mail message originated.

"Of the three, I like DomainKeys the best," Levine said. But it's also the most complicated of the three. Though Yahoo is using the system internally, he said, it's not clear when it will be available.

"Doing crypto is going to be much harder," Wong said, "but it will be the ultimate solution."

All three systems, however, could complement each other, at least until DomainKeys or something like it can be fully implemented, he said.

All of the systems will be voluntary, but it's possible that someday, some Internet service providers might decide to block all e-mail that isn't authenticated in one way or another.

But Farber, Wong and others argue that blacklisting such domains is an extreme step. Anonymity might help spammers, but it's also useful for whistle-blowers and other people who have legitimate reasons for cloaking their identities. An alternative to blacklisting might be to simply make authentication one of the factors evaluated by spam filters.

None of these approaches is likely to eliminate spam, Wong said, but it might reduce it to 1997-98 levels, when spam made up less than 10 percent of all e-mail.

"I think that would be a win," he maintained.