
Wednesday, April 9, 2008

Sender Authentication, Gmail abuse, IPv6 ... Discuss!

Lately, I've been thinking about several related issues:

  • The challenges and effectiveness of sender authentication and reputation filtering.
  • The rise of Gmail spam and MessageLabs' subsequent attempt to throttle it now that Gmail's Captcha is broken.
  • The issue of IPv6 reputation as raised by Cloudmark.
How are these issues related?

Anti-spam systems have steadily improved their ability to identify and block known spam senders. However, this is having a significant impact on the value of legitimate addresses.

Authentication, reputation systems, computational challenge, and traffic shaping share an "Achilles Heel": they dramatically increase the value of hijacking legitimate servers. If spammers hijack legitimate email servers or domains, their messages will get through because they are now coming from legitimate senders. We see this all the time with spam from all sorts of legitimate sites, but we've also seen a jump in spam from Gmail since their account creation Captcha mechanism was cracked. What if all my mail is hosted on Gmail? How do recipients distinguish all these hosted senders? Can centralized reputation systems be expanded to track reputation at the individual sender level? Do we want them to?

As Cloudmark suggests in the interview, if we ever get to IPv6, reputation will be compromised as far as spam protection goes. There will be so many addresses that we'll be back to every spammer being an unknown sender. Reputation filtering will fail unless hard authentication is also widely adopted to enable recipients to reject mail not coming from known legitimate senders.
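To make the IPv6 point concrete, here is a small added example (my own code, not from this post or from Cloudmark) of a toy sender-reputation tracker. It shows that reputation keyed on individual addresses never accumulates when a sender can move to a fresh address for each message, and it goes one step beyond the post by showing the common mitigation of keying IPv6 reputation on the enclosing network prefix instead. The /64 granularity, the thresholds and the sample addresses are all assumptions constructed for the demonstration.

```python
"""Toy sender-reputation tracker: per-address vs. per-prefix scoring.

Added example, not part of the original post. The /64 aggregation
granularity, the thresholds and the sample addresses are assumptions.
"""
import ipaddress
from collections import defaultdict


def reputation_key(addr: str, v6_prefix: int = 64) -> str:
    """Return the key under which reputation is tracked for a sending address.

    IPv4 senders are tracked individually. IPv6 senders are collapsed to the
    enclosing /v6_prefix network (assumed /64, the usual per-subnet allocation),
    so a sender hopping between host addresses in one subnet still shares one
    reputation record.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class ReputationTracker:
    """Counts spam/ham observations per key and derives a verdict."""

    def __init__(self, aggregate_v6: bool = True):
        self.aggregate_v6 = aggregate_v6
        self.spam = defaultdict(int)
        self.ham = defaultdict(int)

    def _key(self, addr: str) -> str:
        if self.aggregate_v6:
            return reputation_key(addr)
        return str(ipaddress.ip_address(addr))  # naive: every address on its own

    def record(self, addr: str, is_spam: bool) -> None:
        key = self._key(addr)
        if is_spam:
            self.spam[key] += 1
        else:
            self.ham[key] += 1

    def verdict(self, addr: str, min_obs: int = 5, spam_ratio: float = 0.8) -> str:
        """'unknown' until enough mail has been seen, then 'bad' or 'good'."""
        key = self._key(addr)
        total = self.spam[key] + self.ham[key]
        if total < min_obs:
            return "unknown"
        return "bad" if self.spam[key] / total >= spam_ratio else "good"


# Constructed sample: one spam source sending once from each of ten host
# addresses inside a single documentation-range /64 (2001:db8::/32 is reserved
# for examples and never routed).
SAMPLE_V6 = [f"2001:db8:abcd:1234::{i:x}" for i in range(1, 11)]


def demo() -> tuple:
    """Compare verdicts for a never-before-seen host in the same /64."""
    per_addr = ReputationTracker(aggregate_v6=False)
    per_prefix = ReputationTracker(aggregate_v6=True)
    for sender in SAMPLE_V6:
        per_addr.record(sender, is_spam=True)
        per_prefix.record(sender, is_spam=True)
    new_host = "2001:db8:abcd:1234::ff"
    return per_addr.verdict(new_host), per_prefix.verdict(new_host)


if __name__ == "__main__":
    print(demo())  # per-address: 'unknown'; per-/64: 'bad'
```

The naive tracker reports "unknown" for every one of the ten senders as well as for the eleventh, because no single address ever reaches the observation threshold; that is the "every spammer is an unknown sender" failure the post describes. The prefix-keyed tracker, by contrast, has ten observations on the /64 and rejects the new host. Prefix aggregation is only a partial answer (it punishes innocent neighbours in a shared subnet and does nothing against a sender with many prefixes), which is why the post's call for hard sender authentication still stands.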

Along with increasingly aggressive treatment for unknown senders, spam protections will need to implement greater restrictions and careful scrutiny of webmail providers offering free accounts, especially those with automated account creation. There will also be a greater need for IT administrators to protect their systems from hijacking.

Thursday, November 22, 2007

Taking the text out of the Spam

For spammers, the trouble with image and video spam is that they ultimately have to give you information. Selling Viagra - you need to know where to buy it. Stock pump and dump - you need to know which stock to buy. So, leaving audio-based spam aside for now, the text has to be given to you and it has to be readable, or it's of no use to the spammers. Text-based spam content filtering has come a long way, so as long as we can extract the text from the images and video, we should be able to run that text through the existing text filters.

Many top websites use "Captchas". This is distorted text, designed to be unreadable by computers (used in automation by spammers) but readable by humans. This is exactly what spammers are trying to do with image spam. Whilst websites are using distorted image text to stop spammers, the spammers are using distorted image text to bypass email spam filters. The irony is that while spammers seem to be using social engineering and a little ingenuity to defeat captchas, image-based spam filters are still struggling. So what if we used spam images as captchas? Could we somehow use this to get spammers to unwittingly convert their images back to text?