With the proliferation of the Internet, abuses of the electronic mail system are becoming increasingly problematic. These abuses include spoofing the origin (e.g., tricking or trying to make an origin look like a specific acceptable origin) to create e-mail spam, virus distribution, and other abuse of the electronic mail. In particular, a notoriously dangerous problem is the distribution of computer viruses via e-mail allegedly sent from friends, colleagues, and well-respected organizations.
There is no solution to date that effectively addresses the above problems, although the existing Internet standard does provide an option of checking whether the alleged sender of e-mail exists in the domain indicated in the “From:” field of the e-mail. This option is rarely used, however, perhaps because current perpetrators do have legitimate addresses at their disposal, thus, merely checking that the address is valid is not enough.
The existing e-mail standard (RFC 2821) and software allow anyone to send an e-mail message with any origin indicated in the From field. This feature (or rather vulnerability) has been exploited by advertisers to generate e-mail spam. A more sinister use—now more and more widespread—is distribution of computer viruses in messages sent to recipients from what appears to be their friends and colleagues.
The existing e-mail standard does allow to verify the sender, but this feature merely verifies that the address is correct (i.e., exists) in the existing domain. It does not verify whether this particular message has been sent from the particular address. Many mail servers ignore this feature precisely because it has become useless: e.g., a large number of valid e-mail addresses listed on the Internet, archived exchanges on various e-mail lists, and other sources (such as the information in the address books of the broken-into computers) give the spammers or crime perpetrators a sufficient number of addresses to use. Furthermore, search engines help in obtaining the lists of correspondents of potential targets, so the attacks are becoming more focused.
One way of dealing with the problem is certification and digital signing of every message, but this has not been implemented because it is costly and complex. More important, it will not be interoperable until it is deployed everywhere, but the costs and complexity make it very hard to deploy widely.