Spammers Get Authenticated

Until now, most spammers sent their stuff through open relays — Internet-connected computers that were either unprotected, or else had been compromised by viruses or trojans into sending the spam without the owner being aware. But that is changing, says AppRiver, and it has big implications for how spammers work and may render useless today’s big thing: email authentication.

Up until now, AppRiver says, ISPs could presume that if they forced a system to authenticate their message before sending it, they could be trusted because spammers couldn’t have access to the authentication mechanism. Authenticating a message basically means you must use a password to send an email as well as to receive it. Before, so long as you knew the correct server for your ISP, you didn’t need a password.

What the bad guys are doing now, AppRiver says, is hacking into the ISPs, figuring out those passwords, and then sending their email through those compromised accounts. This is not only a security risk, it increases the chance for the spammer that those emails will now get through, since they come from what are called “trusted systems” — email servers that require authentication. A survey in April by the Email Sender and Provider Coalition found that 16 of the 18 top U.S. ISPs were applying authentication to outgoing e-mails, and eight of those ISPs were also checking for inbound authenticated e-mail and applying some sort of filter to the mail as a result, according to ClickZ News.

AppRiver’s Chief Science Officer, Peter McNeil, predicts that as this tactic becomes widespread, sender reputation services touted by the big boys — Microsoft’s Sender ID, for example — would effectively wither on the vine. In the meantime, it’s going to mean that for those spammers who have perfected this new art, their junk is more likely to get through than other junk because it appears to be authenticated. (More on all this at, which wrote a piece on it while I was still trying to figure it out.)
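As an added illustration (not from the article or from AppRiver), here is one defensive check an ISP could run over its submission-server logs once authenticated sending is the norm: flag accounts whose logins arrive from many different addresses in a short window, the pattern a stolen password produces when a botnet uses it. The Postfix-style log format, the addresses and the account names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix-style SASL login lines (sample data, not from any real server).
SAMPLE_LOG = """\
May 12 10:00:01 mx postfix/smtpd[101]: 1A2B: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
May 12 10:00:09 mx postfix/smtpd[101]: 1A2C: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.net
May 12 10:00:12 mx postfix/smtpd[102]: 1A2D: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=bob@example.net
May 12 10:00:15 mx postfix/smtpd[103]: 1A2E: client=unknown[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@example.net
May 12 10:00:40 mx postfix/smtpd[104]: 1A2F: client=unknown[198.51.100.14], sasl_method=PLAIN, sasl_username=bob@example.net
May 12 10:30:00 mx postfix/smtpd[105]: 1A30: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[\d.]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)

def parse_auth_lines(text, year=2005):
    """Yield (timestamp, username, client_ip) for each authenticated-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other smtpd chatter: ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def flag_abused_accounts(text, window_sec=600, max_ips=3, max_logins=20):
    """Return {username: sorted client IPs} for accounts whose logins inside any
    sliding window come from more than max_ips addresses or exceed max_logins.
    A real user sends from one or two machines; a stolen password is used
    from many bots at once, which is what the window check catches."""
    per_user = defaultdict(list)
    for ts, user, ip in parse_auth_lines(text):
        per_user[user].append((ts, ip))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_sec:
                start += 1  # slide the window forward past stale logins
            window = events[start:end + 1]
            ips = {ip for _, ip in window}
            if len(ips) > max_ips or len(window) > max_logins:
                flagged[user] = sorted(ips)
                break
    return flagged
```

Run on the sample, bob's four addresses in forty seconds are flagged while alice's two logins from one address half an hour apart are not; the thresholds are starting points to tune against real traffic.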

Biometrics Close To The Bone

Further to my column about fingerprint biometric scanners (subscription only), I’ve heard from a company working on a different kind of biometric security: Via the bone.

Last week, Mass.-based RSA Security Inc. (the guys who make the SecurID number tag, called ‘a two-factor user authentication system’ in the jargon) announced a joint research collaboration with Israel’s i-Mature, specialists in ‘online age recognition’. The two vow to bring together RSA Security’s cryptographic expertise and i-Mature’s Age-Group Recognition (AGR) technology to “work towards a unique solution that would genuinely improve the safety of the Internet for children, by enabling both adult and children’s sites to restrict their content more reliably to their appropriate audience”:

i-Mature has developed an innovative technology that can determine, through a simple biometric bone-scanning test, whether a user is a child or an adult – and thereby control access to Internet sites and content. AGR technology could help prevent children from accessing adult Internet sites and prevents adults from accessing children’s sites and chat rooms.

As far as I understand it, users wanting to visit a website would be required to press their fist against a small scanner, which would work out whether they are 18 or above, or 13 or younger, and then determine, based on software installed at the website itself, whether they are old enough to visit it:

Although the i-Mature website focuses not on confirming the identity of the user but his/her age group, the press release suggests that RSA’s involvement would in fact bring some verification: The project would bring a “unique combination of technologies verifying that the person accessing the age-appropriate site is in fact who they claim to be,” the release says.

Obvious benefits? No need for the website itself to know who the user is or keep any data on them, since the scan is simply confirming age-group. Users can’t transfer their passwords or authentication tag to someone else (unless, I guess, they happen to be around and ‘fist’ themselves into the computer for another user). Also not much work for the parent or teacher to set things up. It might prove popular with public Internet access, since providers might be able to use it to limit underage surfing to a select number of websites.

Downsides? The website the person visits needs to have software installed to match the fist-tag. While some pornographic sites, for example, are going to be delighted to conform and limit access, I can’t imagine all of them are. And how many porn websites are there out there at any given point?

I assume RSA and (the rather oddly named) i-Mature are going to limit their targets to chat-rooms and more general websites, rather than the pornographic web. Indeed, the press release suggests as much: “The collaboration will include joint research as well as joint marketing activities around age-group recognition, including market education and engagement with government policy makers.”

Indeed, i-Mature has set its sights more broadly than the net: The press release says:

The protection and safety of children is also required outside the Internet arena. The AGR system complies with this since it is also compatible with mobile phones, television, video and DVD systems that can use AGR technology to prevent children from viewing harmful content. i-Mature can also partner with developers of computer games, online games and video games to block extremely violent and un-educational materials.

Sounds like something worth watching.