An Effective Solution To The "Phishing" Scams
Financial Institutions Should Use S/MIME

With the rapid rise in "phishing" scams proliferating through the internet, there have been multitudes of suggestions on how to deal with this problem. Citibank (among others) is increasingly being "victimized" by these attempts, and they ARE attempts - relying solely on the naivete of the recipient for success. According to E-Week, there were over 1,200 unique attacks in May, a 6% increase over April. Clearly this is a major issue, and the credibility, trust and indeed, the future viability of online financial services are at stake.

By Chris Picciotto July 6, 2004

 

Most suggestions available today tend to address controlling the source of "evil" mail. In other words, if we can shut down the source of spammers and phishers, we can eliminate the problem. The very idea of accomplishing this is both naive and unrealistic. Much of this activity originates overseas. Are we really going to rely on the US government to institute bilateral agreements with every country from which mail scams originate? And even supposing that were accomplished - is it at all realistic that this would have any impact on the problem? The clear answer is "No" to both. This has been demonstrated with too many other criminal activities over the years. The internet is, by design, very flexible and changeable, and simply changing the source of email servers, IPs, domain names etc. is trivially easy to do. That is both the strength and a weakness of the architecture.

Another reason controlling at the source is impossible stems from the fact that much of the "evil mail" originates from unsuspecting home machines that have been commandeered by trojans. If you look at any log file for an incoming mail server, you will see an overwhelming amount of email coming directly from dynamic and residential network addresses. Although this is becoming easier to block - the majority of the incoming servers still do not take this basic step (but that is an entirely different problem!). If mail is coming from hijacked PCs in the home - who do you prosecute? The spammers and phishers have insulated themselves behind an innocent victim. And there will continue to be "victims"... there is no doubt about that.

At this point - I seem to have effectively dismantled the value of the existing suggestions to deal with the problem. And I would like to put forth an idea which may provide a much better approach to the problem. S/MIME has been around for a long time, and is built into virtually every mail client out there. S/MIME relies on certificates for public key encryption or signing of messages. This article will not delve into the mechanics of public key encryption, or the workings of certificates; there are many well written explanations on this available at your fingertips. The important part is that public key encryption relies on a "private key" and a "public key", together called a key pair. The algorithms allow for one-way encryption - meaning that a message encrypted with the private key can only be decrypted with the public key, and vice versa. Used wisely, this gives the user a few very valuable and functional options when sending email.

The two key benefits of S/MIME are encryption and signing. To encrypt a mail to me for example, you would encrypt using my (widely available) public key. The resulting message cannot be decrypted except with the use of the private key - which only I hold. Therefore you have the ability to use my public key to send absolutely secure email to me since only I can decrypt it. But can I be sure it really came from you? This is where "signing" comes in. If you should also use your own private key to encrypt a small digest as part of the message - then using your public key to decrypt that digest will assure me that ONLY the holder of that private key could have sent that message. Very functional stuff!

Corporations use these encryption and signing protocols routinely for internal communications. But it has not propagated at all into the retail world. It is something of a mystery to me why this has not occurred, as the benefits are substantial, and the limits on liability alone should have made this an extremely compelling proposition.

Let's once again consider Citibank as an example. Let's assume that Citibank posts their public key on their web site and all customers of Citibank are formally notified that this key exists and to obtain it. Citibank could then "sign" every legitimate mail they send to their customers and those customers could be assured that this mail actually came from Citibank. The biggest loophole being abused by phishers is summarily closed. If it did not (verifiably) come from Citibank (i.e. the signature fails) - it is not Citibank mail, no matter how much it may look like their logo, or reference their site, or otherwise look authentic. This is remarkably simple, and it astounds me that the financial institutions have not taken this path. The ability to notify customers that all mail will be signed as an assurance of authenticity would radically limit the liability on the financial institutions, but perhaps most importantly, provide the avenue to maintain the trust, reliability and viability of e-communications of all forms with their customers.
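
The sign-then-verify flow described above, as an added example that is not part of the original article: it uses the `openssl smime` command with throwaway self-signed certificates. The name "Example Bank Customer Service", the file names and all message bodies are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, file and certificate below is made up.
work=$(mktemp -d)

# Self-signed certificate + private key. "bank" stands in for the certificate
# the institution publishes; "phisher" is a look-alike using the same name.
make_cert() {   # $1 = file prefix, $2 = subject common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Produce a clear-signed S/MIME message (multipart/signed).
sign_mail() {   # $1 = signer prefix, $2 = plain-text body file, $3 = output
    openssl smime -sign -text -in "$2" -out "$3" \
        -signer "$work/$1.crt" -inkey "$work/$1.key" 2>/dev/null
}

# Customer-side check: the trust anchor is the certificate obtained from the bank.
verify_mail() { # $1 = received message; prints VALID or REJECTED
    if openssl smime -verify -in "$1" -CAfile "$work/bank.crt" \
        -out /dev/null 2>/dev/null
    then echo VALID; else echo REJECTED; fi
}

make_cert bank    "Example Bank Customer Service"
make_cert phisher "Example Bank Customer Service"

printf 'Your monthly statement is ready. Log in as usual to view it.\n' > "$work/body.txt"
printf 'Your account is locked. Confirm your details at the link below.\n' > "$work/fake.txt"

sign_mail bank    "$work/body.txt" "$work/genuine.eml"   # real bank mail
sign_mail phisher "$work/fake.txt" "$work/forged.eml"    # signed, but wrong key
# Genuine mail altered after signing: the digest no longer matches the body.
sed 's/Log in as usual/Reply to this mail/' "$work/genuine.eml" > "$work/tampered.eml"

echo "genuine:  $(verify_mail "$work/genuine.eml")"
echo "forged:   $(verify_mail "$work/forged.eml")"
echo "tampered: $(verify_mail "$work/tampered.eml")"
echo "unsigned: $(verify_mail "$work/fake.txt")"
```

Only the first message verifies; a matching display name on the look-alike certificate does not help it. A mail client must likewise tie the signer certificate to the bank's identity, since a valid signature from some other trusted certificate says nothing about who sent the mail.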

Why have they not done this already if it is so very simple? That is of course the big question and I will try to obtain some feedback from the major financial institutions on this front. The existing mantra of "we don't request information in email" does not work, and will not carry them into the future. Something more robust needs to be undertaken now to protect the integrity of their markets, and the surprising part is - the architecture is already in place to do just that.
