RealTime IT News

IBM Gets Into E-Mail Authentication

UPDATED: IBM is taking the matter of fighting spam into its own hands.

IBM officials have started marketing an e-mail authentication technology, called the Fair use of Unsolicited Commercial E-mail (FairUCE), that is under development at the company's alphaWorks developer site.

Launched on the site in November 2004, FairUCE checks incoming e-mails to ensure they really come from the sender they claim to come from. In that regard, it is very similar to some other popular authentication schemes in use today, notably Microsoft's SenderID and Sender Policy Framework (SPF).

Adoption is likely to be fairly limited for the time being, though IBM officials say the technology is on the site in the first place to garner feedback from users before moving forward with the product. Currently, FairUCE only works on Linux-based MTAs using Postfix. While popular, Postfix is overshadowed by two other Linux-based e-mail server programs: Sendmail and qmail.

Marc Goubert, manager of IBM's alphaWorks site, said the company is working on versions supporting Sendmail and qmail to be released in the future.

Technologies like SPF and Sender ID for E-Mail check the e-mail headers against a list of known and authorized domains. In contrast, FairUCE performs only a DNS lookup of the sender's domain to match up the sender's domain in the e-mail and the IP address used in the sender's message.

In that regard, FairUCE's author, Mat Nelson of IBM's advanced technology group, said in a message on the alphaWorks site that the technology is a pure sender identity system. FairUCE doesn't look at anything besides the DNS information to determine whether the e-mail is legitimate or not. Future versions of the software are expected to incorporate SPF or a similar technology.

"This FairUCE technology is actually a collection of different ways to combat spam and the most innovative is how it looks at the sender's IP address, the originator of the e-mail message, and checks the envelope of that message, as opposed to checking the content," Goubert said.

Where FairUCE differs from many of the popular e-mail authentication technologies in use today is its use of the challenge-response method of verifying a questionable e-mail. When the program can't find a match between the IP address and the domain of the e-mail server, the message is tagged as not authorized and the application will send a query to the sender to confirm whether they really did send the message.

If the original sender responds to the query and confirms the message is legitimate, it is passed through to the end user. If not, the message is quarantined, deleted or otherwise handled as the e-mail administrator decides.

Mike Rothman, vice president of marketing at e-mail security vendor CipherTrust, said the challenge-response method is going to create havoc for ISPs whose customers have been infected with a virus and turned into zombied spam proxy servers.

For example, if that infected machine sends out five million spam messages and they are subsequently delivered to five million users whose ISP is using FairUCE, that will result in five million queries sent back to the sender through the ISP's server. For smaller ISPs, that number of queries is, in effect, the same as a DoS attack.

"If I'm an ISP, that kind of scares the bejeezus out of me, right?" he said.

According to Nelson's statement on the alphaWorks site, 80 percent of spam comes from zombied computers, which are a popular spammer tool.

"We can take that away from them," he stated. "Lacking that, with FairUCE we can take it away for the cost of a few delivery attempts. Our server tries to send an inquiry by making a connection, quite often met with a connection refused or a 550 [error message]. Most times we don't even have to send the data. If we do, it's tiny. And if a domain doesn't want to receive inquiries for spoofed mail, they can simply publish an SPF record saying so."
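A minimal sketch of the decision flow the article describes (envelope-only check, inquiry on mismatch, no inquiry when the domain has published a policy saying so), added here as an illustration; it is not FairUCE's code. The DNS table, the opt-out set, the QUARANTINE outcome for mail that cannot be challenged and all function names are assumptions, and the sample addresses are constructed.

```python
import ipaddress
from collections import Counter

# Constructed DNS data standing in for live lookups (documentation-range values).
DNS_A = {
    "example.org": {"192.0.2.10", "192.0.2.11"},
    "example.net": {"198.51.100.5"},
}
# Constructed: domains whose published policy says "send us no inquiries".
NO_INQUIRIES = {"example.net"}

def sender_domain(envelope_from):
    """Return the lower-cased envelope sender domain, or None if null/malformed."""
    local, sep, domain = envelope_from.strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")

def classify(client_ip, envelope_from, resolve=DNS_A.get):
    """Decide on envelope data only: connecting IP versus sender domain."""
    ip = str(ipaddress.ip_address(client_ip))  # normalises; ValueError if bad
    domain = sender_domain(envelope_from)
    addrs = resolve(domain) if domain else None
    if not addrs:
        return "QUARANTINE"   # assumption: nobody to ask, leave it to the admin
    if ip in addrs:
        return "ACCEPT"       # IP matches the sender's domain
    if domain in NO_INQUIRIES:
        return "REJECT"       # spoofed, and the domain opted out of inquiries
    return "CHALLENGE"        # not authorized: ask the sender to confirm

def challenge_load(messages):
    """Count inquiries each claimed sender domain would receive."""
    return Counter(sender_domain(frm) for ip, frm in messages
                   if classify(ip, frm) == "CHALLENGE")

# Constructed traffic: three zombie hosts spoofing example.org, one real sender.
SAMPLE = [
    ("203.0.113.7", "<alice@example.org>"),
    ("203.0.113.8", "<bob@example.org>"),
    ("203.0.113.9", "<carol@example.org>"),
    ("192.0.2.10", "<dave@example.org>"),
    ("203.0.113.7", "<eve@example.net>"),
]

if __name__ == "__main__":
    for ip, frm in SAMPLE:
        print(ip, frm, classify(ip, frm))
    print(dict(challenge_load(SAMPLE)))
```

The per-domain count makes Rothman's concern measurable: every inquiry lands on the domain named in the envelope, whether or not that domain sent the message.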

Rothman is further worried that the freely licensed nature of alphaWorks will allow anyone, in this case anti-spam vigilantes, to download the FairUCE program and use it to fight against spam.

"We just have this fear that there is going to be a lot of innocent folks that have no idea what's going on are going to get caught in the cross-fire," Rothman said.