America Online and Yahoo both plan to begin using technology that verifies the source of e-mail messages in coming months, as they step up efforts to stop spam.
In September, AOL will begin verifying the source of incoming e-mail using a component of Microsoft's Sender ID authentication architecture. By the end of 2004, Yahoo will use its DomainKeys authentication technology to sign all e-mail coming out of the company's mail servers.
The decisions are part of an industry-wide push to thwart spam and online scams known as phishing attacks. By implementing these technologies, ISPs and e-mail providers like AOL and Yahoo can expect to improve their ability to verify the source of e-mail messages, say executives from e-mail technology companies.
Sender ID In Action
AOL will screen mail using Sender Policy Framework (SPF) technology, says AOL spokesperson Nicholas Graham in an e-mail statement. SPF is part of Sender ID, a proposed technology standard backed by Microsoft for verifying an e-mail message's source.
Sender ID combines two previous standards: the Microsoft-developed "Caller ID," and SPF, developed by Meng Weng Wong. The combined standard was submitted to the Internet Engineering Task Force (IETF) in June for consideration. If adopted, Sender ID could provide a way to close loopholes in the current system for sending and receiving e-mail that allow senders--including spammers--to fake, or "spoof," a message's origin.
AOL has been testing SPF since January. The company is publishing SPF records that identify AOL's outgoing e-mail servers in the DNS, which translates numeric IP addresses into readable Internet domain names. However, the ISP has not yet used SPF to screen incoming e-mail.
AOL will begin checking whether the purported responsible address, or PRA, of the e-mail server sending mail matches one of the servers listed in the SPF record for that Internet domain. Tens of thousands of e-mail domains have published SPF records. AOL will use SPF to help it determine which messages are legitimate, rather than using it as a criteria to reject e-mail, Graham says.
Other Efforts
AOL's approach is similar to one Microsoft announced in July. The company said that, by October 1, it will begin matching the source of inbound e-mail to the IP addresses of e-mail servers listed in that sending domain's SPF record. Messages that fail the check will not be rejected, but will be further scrutinized and filtered, says Craig Spiezle, director of Microsoft's Safety Technology and Strategy Group.
Conversely, Yahoo is looking to put its thumbprint on outbound, rather than inbound, messages with its DomainKeys technology, which digitally signs all e-mail messages sent from its servers. The company plans to roll out this technology by the end of 2004, says Miles Libbey, Yahoo's antispam product manager.
DomainKeys use PKI (Public Key Infrastructure) technology to create a unique signature for each e-mail message based on the content of the e-mail message. When e-mail servers receive DomainKeys signed messages, they use a public encryption key published by the company in the DNS record for sending the domain and the contents of the message to verify the source of the e-mail, Libbey says.
Problem Hits Critical Mass
The movements by Microsoft, AOL, and Yahoo are a sign of the increased urgency with which e-mail and Internet service providers are treating the spam problem.
"The world of e-mail is in a lot of hurt. It's in trouble and there's a sense of urgency we haven't seen," says Greg Olson, chairman and co-founder of e-mail technology company Sendmail.
The spam problem is bad enough that companies are seeking ways to battle spam, even if standards for doing so aren't yet in stone. Libbey sees a benefit to forging ahead: Pushing technologies like Sender ID and DomainKeys into service even before their official adoption as standards by the IETF or other governing bodies is a way to safely work out problems the technologies may cause when widely deployed, says Libbey.
"All these solutions are reasonably early in the life cycle. ...There's a lot of interoperability testing that has to happen. Implementing DomainKeys on Yahoo will give us real-world data on how it works," Libbey notes.
"It's an iterative process," adds Microsoft's Spiezle. "We have to try something. The spammers are outsmarting us and the more we delay, the more time they have to figure out what to do."
Note: PC World has a partnership agreement to provide content to both America Online and Yahoo.
