The Web    Google
A Spec to Spike Spam?

A Spec to Spike Spam?
June 25, 2004

It's been a busy week for the four major U.S. ISPs . First, they issued a list of best practices and recommendations to fight the spew of spam clogging inboxes.

Earthlink, (, ) Yahoo!, (, ) Microsoft and America Online, (, ) the quartet that founded the Anti-Spam Technical Alliance (ASTA), earlier this week released a slew of recommendations for ISPs and large e-mail providers. They focus on two key areas: eliminating the spoofing of a sender's e-mail address and pointing out how e-mail providers can spot a spammer in their midst.

Then, on, Thursday, Microsoft and Sender Policy Framework (SPF) author Meng Weng Wong announced they had converged their respective e-mail authentication standards and submitted the resulting specification, now called Sender ID, to the IETF .

The Sender ID goes a step beyond recommendations and provides an authentication method, like its progenitors SPF and Caller ID for E-Mail. Authentication is seen as a critical first step in eliminating spoofing, phishing and spam. The news comes on the heels of public support for authentication standards expressed by both ASTA and the Federal Trade Commission earlier this week.

"Over half of the e-mail targeting our Hotmail customers today comes from spoofed domains, and we are committed to taking this trick away from spammers," Ryan Hamlin, general manager of the Anti-Spam Technology and Strategy Group at Microsoft, said in a statement.

Sender ID works by looking at information both in the "envelope" of the e-mail message and in the message itself. It compares that information with data published by domain owners in the Domain Name System (DNS), to confirm the e-mail actually came from the domain that it appears to be from. For example, recipients could be sure an e-mail from was actually from someone at the domain.

There's been some controversy over the format in which the Sender ID records should be published in the DNS. The merged specification calls for an XML format -- a format many critics say is unnecessarily complicated and difficult to deal with. However, the Sender ID authors have made the specification backwards compatible with the simpler SPF text format, called SPF Classic. More than 20,000 domains have already published records in that format, according to Wong.

"The SenderID draft basically contains everything that the [SFF] draft contains and adds a bunch more stuff," Wong said. "The extensions, they're still being refined, but the core of it is still SPF, that isn't going to change very much. SPF [development] has been frozen for about six months now. A lot of anti-spam vendors already have the code working and are in alpha or beta testing. When SenderID comes out, they'll only need to change a few lines of code to make it work with SenderID, as well as the old SPF."

Wong expects SenderID to be ratified by the IETF as an RFC this August, when the organization meets in San Francisco.

AOL, as one of the publishers of the original SPF standard, is pleased with Sender ID. "We are glad the new standard is fully backwards compatible with the existing SPF, which is in use by tens of thousands of domains on the Internet already," said Carl Hutzler, director of Antispam Operations at AOL, in a statement.

A number of e-mail service providers have already adopted SPF and other authentication technologies. AOL has said it will require those on its whitelist to publish SPF records by the end of the summer.

The proposals issued by ASTA earlier this week are the result of more than a year of collaboration between the four founders and member ISPs to find common ground on the root causes of spam. The group has expertly hyped its efforts: Before April 2003, the four were relatively enclosed islands of anti-spam knowledge. Since then, they've dribbled out tidbits of information and held in the months following the U.S. Senate's passage of the CAN-SPAM Act in November 2003.

The results of the year-plus effort provide a good baseline for common knowledge but don't present any new facts or information, said Ray Everett Church, co-founder of the Coalition Against Unsolicited Commercial E-mail (CAUCE), a grass-roots organization created to find a way to stop spam.

"(ASTA) came together last year and announced they were working together to much fanfare. A year and a half later, we're still waiting for something really concrete to come out of that group, in terms of something that will make a real difference in the amount of spam the average consumer receives," he said.

What the group hasn't done, according to Church, is come up with a viable proposal to fight spam in the form of standards. Outside of Microsoft's merged proposal with SPF, each ASTA founder seems to favor its own brand of technology.

However, Nicholas Graham, an AOL spokesperson, said the alliance has met most of the guidelines that it set out in its April 2003 charter, and that getting information from disparate sources takes time. "We have opened our doors to conversation with as many groups as possible, like [Church's], in order to facilitate as much feedback as possible on the process," he said. "We felt that it was very important to deliberate as long as possible in order to -- I know this sounds trite -- get it right and to be as inclusive as possible."

Church, who is also chief privacy officer at the ePrivacy Group, is co-author of his own proposal before the IETF: the Trusted E-mail Open Standard (TEOS), which uses a cryptographic header in e-mail addresses to help end users sort out e-mail as it hits the inbox.

Naturally, he favors his technology over the others. TEOS is the result of consultation with the Federal Trade Commission, the Direct Marketing Association and the Network Advertising Initiative, as well as AOL, Earthlink and Microsoft.

"The SPF and Caller ID focus on, 'Does this server trust that server?'" Church said. "But that doesn't really help you when you get to an end user's inbox. We think that it's important that you have a technology that has greater security and cryptography, but also contains the sort of data that allows the end user to make the choices."

Representatives from Microsoft, Yahoo! and Earthlink did not return calls by press time.

Competing standards proposals and lots of meetings are signs of progress, according to Wong.

"We've never seen change on this scale, so quickly before," Wong said. "Over the next few months, it will be a period of experimentation, and we may still need to tweak to get it right. You never really get it right on the first release. But this is something we need to do, and there's no way to do it except by going out there and doing it."

Pamela Parker contributed to this story.

  • Lasco.A Poses New Mobile Threat
  • 3/25: Clunk-A a Password-Stealing Worm
  • 9/16: Evaman-D Worm Kills Active Processes
  • Pedestal Adds Security Benchmark Score to Audit Software
  • Intrusion Detection Players
  • FTC Urges Industry Solutions to Spyware
  • The Backup Conundrum: More Data in Less Time, Part 2
  • Check Point Directing Security to Web Applications, End Points
  • Bush Likely to Sign Anti-Spam Bill by Jan. 1
  • Tabbed Browsing Flaws Detected
  • 5/11: Ifbo-A Worm Exploits LSASS Flaw
  • Compare Security Camera Products