IronPort has upgraded its mail gateways with a new technology it claims can protect against the growing scourge of e-mail bounce attacks.
Currently circulating as a proposed IETF (Internet Engineering Task Force) draft, Bounce Address Tag Validation (BATV) adds an encrypted verification check to the SMTP FROM: field for outgoing mail which makes it possible for real and fake bounce addresses to be distinguished from one another.
It adds no administrative overhead, and can be globally deployed, IronPort claims. The technology is now a part of the IronPort C-Series email security and S-Series web security products.
"Traditional email security solutions available in the market today are simply not effective at stopping bounce attacks. IronPort's Bounce Verification incorporates pioneering technology from the Internet community and makes it available in an easy to use, 'set and forget' appliance," said IronPort’s Tom Gillis.
There are at least two forms of bounce attacks. The commonest is for spammers to spoof bounce addresses, so that anti-spam systems send the unwanted returns to anyone but their originators. This clogs up mail gateways and annoys people.
A second, more cunning attack involves spammers sending e-mails with the intended recipient address spoofed as the return address. Anti-spam systems then inadvertently bounce the spam to their real victims, risking being put on e-mail blacklists while allowing the spammers to remain anonymous.
The IronPort announcement looks like it could be the first step to mainstream acceptance for a standard that has been kicking around IETF circles for some years. "Each organisation that deploys BATV gains immediate benefit from it. IronPort's initiative in adopting BATV shows industry acceptance that will help promote the draft through IETF standards adoption process," said its co-author, Dave Crocker, of Brandenburg InternetWorking Consulting.
BATV’s other prime mover, John R. Levine, explains the thinking behind the technology in his weblog. In recent years, there have been several high-profile attempts to counter spam by adding authentication to e-mails, including Microsoft’s Sender ID and AOL-Yahoo’sSender Policy Framework (SPF). BATV’s much narrower ambitions could be its strength, however.