This news article will be of interest to members of this IETF mail list.
Russ
---
Subject: No More Spam From Fakes
Web Titans Seek Standard To Authenticate Senders And Thwart Junk E-Mail
By RIVA RICHMOND
DOW JONES NEWSWIRES
June 9, 2004; Page D9
NEW YORK -- Names just don't have the value they used to -- at least
when it comes to e-mail.
After all, spammers, virus writers and identity thieves now regularly
affix fake names to their e-mail messages in hopes of conning users
into opening them and evading block lists. Take a message today from
"Sonia Sauders," subject line "Re: Hey cutie." It could have been a
note from a college chum, but was actually a pitch for porn. With
billions of these messages cluttering e-mail in boxes every day,
there's simply no trusting a name anymore.
But this could change soon, if Internet heavyweights such as Microsoft
Corp., Yahoo Inc., Time Warner Inc.'s America Online unit and EarthLink
Inc. have their way. These otherwise fierce rivals are working together
to come up with standard technologies for authenticating e-mail
senders, which the companies say will make it easier for mail
recipients to beat back spam, scams and viruses.
Internet service and Web e-mail providers and others in the industry
say broad agreement on a technology is vital to getting the large-scale
adoption that's needed to stop e-mail "spoofing," as the use of fake
sender names is known. The companies are looking at new technology that
could be adopted in the coming months. These include easy and cheap
technologies for verifying e-mail senders' domain names, as well as
more effective, but also more complicated and expensive, systems for
attaching and viewing actual proof of e-mail senders' identities.
Once rolled out, e-mail authentication is "going to have a major
impact" on spam, says Miles Libbey, antispam product manager for Yahoo
Mail. "That's not to say the spammers won't adapt...but it's a critical
thing to have in place."
Internet companies, inundated by customer complaints about e-mail
blights, say authentication would help them clean up in boxes because
real names could be separated out -- and questionable names singled out
for blocking or special scrutiny. It would also help them track down
and prosecute e-mail's abusers.
The simplest authentication approach is being promoted aggressively by
Microsoft and AOL. In this type of system, a receiving e-mail server
attempts to verify whether the domain name in a sender's e-mail address
comes from an authorized computer. This is done by dispatching a quick
query to the computers that hold the central records for Internet
addresses, known as the Domain Name System, to check whether the domain
name and the numerical "IP address" generated by the computer go
together.
Both DNS records and IP addresses are difficult to spoof, but experts
warn that miscreants could get around such "IP-based" systems, at least
in the early stages of adoption, by using e-mail servers that don't
publish their identities in the DNS record. Also, an IP-based system
wouldn't work in all situations, such as with forwarded messages.
Two IP-based proposals have been under consideration: Microsoft's
Caller ID, and Sender Policy Framework, or SPF, which has been
championed by AOL. SPF was created by Meng Wong, the co-founder of
Pobox.com, an e-mail forwarding service owned by IC Group of
Philadelphia.
In late May, Microsoft and Mr. Wong agreed to merge their proposals,
which industry players say will likely pave the way for quick industry
adoption. Although some experts had seen implementation as a year or
two away, Microsoft expects a merged technology to be finalized this
month and says it could be taken up by big ISPs "several months" later.
The technology will be made available for free, Microsoft says.
Both Microsoft and AOL say they would like to see a more-advanced,
key-based system implemented, too, but believe that should be step No.
2.
In key-based systems, cryptographic keys and digital signatures are
used by the sending e-mail server to assert the sender's identity and
by the receiving server to confirm that identity. Big industry players
are most interested in a key-based technology developed by Yahoo called
DomainKeys, which authenticates the domain name in e-mail headers.
Yahoo's Mr. Libbey says that adopting an IP-based system would be a
positive step, but that DomainKeys solves the e-mail authentication
problem better, in large part because it works in cases such as
forwarded messages. DomainKeys, which involves changing how both
outbound and inbound e-mails are processed, will be open-source and
royalty-free.
There are other key-based options, too. Tumbleweed Communications
Corp., an e-mail security company, is advocating the use of its S/MIME,
a protocol already in use for encryption of messages.
Tumbleweed Chief Executive Jeff Smith says there's a lot of
misunderstanding about S/MIME, because it was created as a desktop
encryption technology. He argues it's also simple and cost-effective to
use as a gateway authentication technology, and that its quality
advantages make it the best choice. Tumbleweed would like to work with
Yahoo to merge their technologies.
Yahoo plans to begin using DomainKeys on its own network this year, and
says it's working with others in the industry to advance DomainKeys'
adoption, including Sendmail and Qmail, two popular open-source e-mail
server software programs. Sendmail Inc., which implements e-mail
systems, last week said it would sponsor public testing of both
DomainKeys and the merged Caller-ID/SPF technology when it becomes
available.
But all the giants on the front lines of the war on spam warn against
false hopes that authentication will eliminate e-mail woes or bring
peace.
"Like bad colds and taxes, spam in some way or form will always be
lurking around," says AOL spokesman Nicholas J. Graham. Spammers are
resilient and tenacious, but "we are hopeful that [authentication
technology] will meet the test, that it will take a very large chunk of
spammers out of the game."