With its subscribers deluged by unsolicited commercial e-mail, Internet service provider America Online is trying new technology to crack down on one common spammer tool: forged sender addresses, which spammers and virus-writers use to bypass blacklists and trick recipients.
AOL is testing a new e-mail protocol called Sender Permitted From across its entire user base of 33 million subscribers. SPF is designed to eliminate e-mail forgeries by enabling organizations to specify which servers can send mail on behalf of their Internet domain, according to Nicholas Graham, an AOL spokesperson.
How It Works
SPF stops e-mail address spoofing by modifying the Domain Name System to declare which servers can send mail from a particular Internet domain. AOL is using SPF to publish the IP addresses of the servers it uses for outgoing e-mail. DNS is the system that translates numeric IP addresses into readable Internet domain names.
Once widely deployed, SPF records could be consulted by Mail Transfer Agents stationed around the Internet when routing e-mail messages. The agents could then check records for particular domains to determine whether an e-mail message's source is legitimate or "spoofed," according to Graham.
AOL briefly tested the protocol two weeks ago, before shutting it off to make technical changes based on feedback from other ISPs, says Graham, who declines to describe the changes.
The program is still experimental and for now AOL is not using SPF to filter mail from other Internet domains, Graham says.
Growing Problem
SPF "is just getting off the ground," Graham says. "AOL is interested in putting the proposal out there and getting feedback from stakeholders." Those stakeholders include other major ISPs such as Microsoft's MSN, Yahoo, and Earthlink, as well as other major domain owners processing bulk e-mail, Graham says.
The trial is a major test of SPF, which is one of a number of new technologies designed to thwart spammers, according to John Levine, co-chairman of the Anti-Spam Research Group.
SPF patches a hole in Simple Mail Transfer Protocol, which is used to route e-mail messages among in-boxes. Developed in the early 1980s, SMTP was designed to provide a reliable and efficient way to relay messages between host systems running different computer hardware and operating systems.
In recent years, spammers and viruses such as Sobig-F and the recent Beagle/Bagel worm have exploited SMTP's flexibility, easily transposing the actual source of messages with legitimate e-mail addresses from lists that are traded online or harvested from infected computers' hard drives.
Other Attempts
The long-term benefit of SPF is that, when the technology is widely deployed, e-mail providers will be able to associate reputations with Internet domains rather than with IP addresses, which are harder to track, according to Eric Raymond, president of the Open Source Initiative, who gave a presentation on SPF during January's Spam Conference 2004 at the Massachusetts Institute of Technology in Cambridge.
SPF itself will not stop spam, but it will help other antispam technologies like spam traps, by enabling ISPs to track spam back to specific domains and forcing spammers to move to new domains more frequently, Raymond said. The combination of technologies can be likened to a "drug cocktail" that, taken together, may stop spam, he said.
However, the protocol still has problems, including incompatibility with some e-mail forwarding services and Web sites that use mail forwarding features, Levine says. For example, online greeting card services and news Web sites use forwarding to allow readers to send e-mail cards and articles to friends, Levine notes.
SPF also causes performance problems under certain circumstances and has features that spammers could exploit to slow down and derail the system, he said. "I would be surprised if SPF survived in its current form, but something like it might survive," Levine said.
Levine is more optimistic about a technology called "domain keys," which Yahoo champions. It uses public key encryption technology at the domain level to verify an e-mail message's sender.
Gathering Data
AOL realizes SPF's problems and is soliciting feedback from other users on it, Graham says.
"We want to remind folks that we're in the beta process. These are things that are in consideration as we make refinements and enhancements (to SPF)," Graham says.
AOL's current SPF test is scheduled to run for the foreseeable future, pending feedback from ISPs, organizations receiving AOL e-mail in bulk, and ordinary Internet users. However, AOL will wait for consensus within the Internet community before making any final moves regarding SPF.
"It's premature to start looking forward. This is intended to be nothing less than a collaborative, cooperative process," Graham says.
