Big consumer ISPs are talking up a campaign against spam, and financial intermediaries are talking up a campaign against phishing.
But Internet activists fear both campaigns are just bringing up the drawbridges on resources.
First, the spam fight. (The image here is also the solution to your e-mail problems, Whitehat Interactive.)
I was hammered recently for predicting that spam would become organized crime, but in fact it has become just that. Most spam now comes from hijacked home PCs, and increasingly it's personalized. You don't do that without organization and infrastructure -- spammers have both.
To fight this, consumer ISPs want to cut off hijacked PCs from e-mail until PC owners clear spyware from their systems. They're also uniting around Meng Wong's Sender Policy Framework (SPF), merged with a Microsoft proposal called Caller ID into something called Sender ID. (Another proposal, called Domain Keys, is said to be supported, but that will be done "next," which we all know from the Windows-OS/2 agreement means "never.") The idea is that bulk senders of e-mail must register the IP numbers of the computers sending the mail, and IP numbers are hard to spoof.
Activist Lauren Weinstein smells trouble. Consumers will no longer be able to send e-mail newsletters, he charges, and ISPs will have an excuse to force all newsletter authors into higher-priced hosting packages.
Well, maybe. But when my own newsletter, a-clue.com, got near 500 subscribers (which is the arbitrary sending limit proposed before investigations are made) I was already in great technical need of a hosting solution. And any hosted e-mail solution costs money, not just for the connections but for the software that lets you handle subscriptions and bounces. (I recommend Whitehat.) Business and university systems just need to let the ISPs know the addresses of their e-mail servers and, so long as they're following correct opt-in policies, they're good to go.

On to phishing, which is a specific type of Web fraud in which crooks seek banking passwords.
Banks have always been reluctant to call the cops. They rely on intermediaries, like MasterCard. MasterCard lacks the resources to do much, so they've signed with NameProtect, which started as a service to help companies know what people were saying about them online.
NameProtect will scan for the use of bank names online, pass on word of these pages to MasterCard, and MasterCard will then call the cops on behalf of member banks. The idea is that, before a phishing spam is sent, the scammer has to have a landing page ready, and this landing page must look legitimate. By having NameProtect go after the landing pages before the spam can be sent, phishing can be stopped in its tracks.
I'm still looking for the downside on this one. Anyone want to identify it?
1. Brad Hutchings on June 23, 2004 11:42 AM writes...
I'm skeptical that they can preempt phishing. The obvious attack on such preemption is spoofing the phishing, much like spammers spoof return addresses. I.e. in your phish spam, send people to a bogus URL on my website, directing the NameProtect people to my web site, which isn't engaged in anything. Disregard spoofing and think what this really amounts to... it's like finding a blog that isn't on anyone's blogroll. Not likely they can do anything except make sure they get phished with 100 thousand of their closest friends and get there first before it does a lot of damage.
But here is what we really need. You know in the browser how the lock indicates a secure session? That says that encryption is being used to transmit all data between client and host and that the keys have been verified as issued by a certificate authority. We need another "lock" icon that indicates that the transaction is being watched and recorded by a privacy authority. That may sound a little weird, and the architecture may not be entirely obvious, but the best protection against the scammers might just be to have a complete recording of what they are doing and perhaps having some third party that approves or denies their attempt to deal with you in real time.