Interesting People mailing list archives

4 Rivals Almost United on Ways to Fight Spam


From: David Farber <dave () farber net>
Date: Wed, 23 Jun 2004 05:36:29 -0400



4 Rivals Almost United on Ways to Fight Spam

June 23, 2004
 By SAUL HANSELL





Four large Internet service providers agreed yesterday to a
partial truce in their battle with one another over
potential technology to stop junk e-mail in hopes that they
can devote their united energy to fighting spam.

More than a year ago the four providers - America Online,
Yahoo, EarthLink and Microsoft - said that they would work
together to create technical standards that could verify
the identity of the sender of an e-mail message.

Most spam, and nearly all of the messages in the rapidly
growing identity-theft fraud known as phishing, is done
with a fake return address. Many experts suggest that a
system that could identify and discard such falsely
addressed messages is one of the most potent possible
weapons against spam.

"The biggest thing we can do to reduce spam is sender
authentication," said Brian Sullivan, the senior director
for mail operations at America Online.

But the Internet providers have supported different
technical approaches. Last month, Microsoft agreed to merge
its proposal, called Caller ID, with another, called Sender
Policy Framework, or S.P.F., backed by America Online and
EarthLink. The new name of the combined standard is Sender
ID.

Yahoo had continued to support a very different approach,
called Domain Keys, that is more technically powerful but
would take longer to carry out.

In an announcement yesterday, the two remaining camps
agreed to give limited support to test each other's
technology.

"Over the last year, we had four gorillas learning how to
dance," Mr. Sullivan said. "Finally we can work from the
same choreography."

Meng Wong, the author of the S.P.F. protocol, praised the
agreement.

"It's good news because we now have a road map," he said.
"We can proceed with S.P.F. and Sender ID now and with
Domain Keys as a second wave."

Indeed, proponents said the two approaches had the
potential to be complementary. The Internet provider that
sends an e-mail message can use both methods at the same
time to vouch for the veracity of the sender's address. And
the provider that receives a message can also look to
either approach to help determine whether a message should
be discarded as spam.

America Online and EarthLink said yesterday that they would
use Domain Keys by the end of the year. And Yahoo said it
would probably start using both Domain Keys and Sender ID
by the end of the year. Microsoft did not commit itself to
using Domain Keys, saying it was still evaluating it and
some other related approaches, like one recently proposed
by Cisco.

Despite the talk of tests, S.P.F. and the new Sender ID
proposal appear to have momentum in being adopted by major
players. America Online and EarthLink already use S.P.F. to
verify their outgoing e-mail. And Microsoft has said it
will soon use the Sender ID system.

Perhaps more important, America Online has said that by the
end of the summer it will look to see whether messages it
receives are verified by S.P.F. and that high-volume
mailers will have to use it if they want their messages to
be delivered to AOL subscribers. Several large e-mail
senders, including Amazon.com and Google, have already
taken the steps necessary to verify their mail using S.P.F.


S.P.F. and Sender ID have gained a following because they
are the easiest to put in effect. They are based on the
fact that every computer on the Internet has a unique
identifier, called an Internet Protocol number. That number
is much harder to fake than a return e-mail address.

Sender ID allows an organization, like an Internet provider
or a company, to designate certain I.P. addresses as the
computers that are authorized to send e-mail on its behalf.
Any e-mail that pretended to be from that organization but
was not from those designated I.P. numbers would be
suspect.

The problem with this approach is that there are legitimate
cases of one server's sending e-mail on behalf of another.
For example, online greeting card services often send
messages with the return address of the person who sent the
message. That way, if the recipient of that message replies
to it, the response is routed back to the original sender.

The backers of S.P.F. and Sender ID say there are ways to
work around these problems, but they may require
adjustments to the procedures of some mail senders.

The Domain Keys approach tries to verify the actual sender
of a message, not the computer used to send it. The author
of an e-mail inserts a short code, known as a digital
signature, into the header of each message. The computer
that receives the message can use the signature to verify
if the message was actually created by the sender in the
"from" line. This method could let one computer send mail
on behalf of another, as in the greeting card example. But
it requires greater changes to the programs that send and
receive e-mail.

The Internet providers, however, cautioned that both of
these technical approaches are just part of the solution to
the problem. Once Internet recipients can verify who is
sending them mail, they can start to keep track of who
sends legitimate mail and who sends spam.

"I don't think that users will see a reduction in spam
right away," said Robert Sanders, chief architect at
EarthLink. "Identity is just the first step."

http://www.nytimes.com/2004/06/23/technology/23spam.html?ex=1088982618&ei=1&en=374988bf644214bc


Archives at: http://www.interesting-people.org/archives/interesting-people/
