A Spec to Spike Spam?

It’s been a busy week for the four major U.S. ISPs. First, they
issued a list of best practices and recommendations to fight the spew of spam clogging inboxes.

Earthlink, Yahoo!, Microsoft and America Online, the quartet that founded
the Anti-Spam Technical Alliance (ASTA), earlier this week released a slew
of recommendations for ISPs and large e-mail providers. They focus on two
key areas: eliminating the spoofing of a sender’s e-mail address and
pointing out how e-mail providers can spot a spammer in their midst.

Then, on Thursday, Microsoft and Sender Policy Framework (SPF) author
Meng Weng Wong announced they had converged their respective e-mail authentication
standards and submitted the resulting specification, now called Sender ID,
to the IETF.

Sender ID goes a step beyond recommendations and provides an
authentication method, like its progenitors SPF and Caller ID for E-Mail.
Authentication is seen as a critical first step in eliminating spoofing,
phishing and spam. The news comes on the heels of public support for
authentication standards expressed by both ASTA and the Federal Trade
Commission earlier this week.

“Over half of the e-mail targeting our Hotmail customers today comes from
spoofed domains, and we are committed to taking this trick away from
spammers,” Ryan Hamlin, general manager of the Anti-Spam Technology and
Strategy Group at Microsoft, said in a statement.

Sender ID works by looking at information both in the “envelope” of the
e-mail message and in the message itself. It compares that information with
data published by domain owners in the Domain Name System (DNS), to confirm
the e-mail actually came from the domain that it appears to be from. For
example, recipients could be sure an e-mail from [email protected] was
actually from someone at the aol.com domain.

There’s been some controversy over the format in which the Sender ID records
should be published in the DNS. The merged specification calls for an XML
format — a format many critics say is unnecessarily complicated and
difficult to deal with. However, the Sender ID authors have made the
specification backwards compatible with the simpler SPF text format, called
SPF Classic. More than 20,000 domains have already published records in that
format, according to Wong.
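To make the DNS-based check concrete, here is an added example (not code from the article, from Wong, or from the Sender ID draft) that evaluates a domain’s SPF Classic text record against the IP address that connected to deliver the mail, which is the envelope-level check SPF performs on the SMTP MAIL FROM domain. The TXT records are constructed inline in place of real DNS lookups, and only the ip4, ip6, include and all mechanisms are implemented; the header-based check Sender ID adds on top is not covered.

```python
import ipaddress

# Constructed sample TXT records standing in for DNS (not real domains' data).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, txt=FAKE_TXT):
    """Return the mechanism list of a domain's v=spf1 record, or None."""
    parts = (txt.get(domain.lower()) or "").split()
    if not parts or parts[0] != "v=spf1":
        return None
    return parts[1:]

def check_host(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate `domain`'s record against connecting `ip` (SPF Classic subset)."""
    if depth > 10:                      # bound include recursion
        return "permerror"
    mechs = lookup_spf(domain, txt)
    if mechs is None:
        return "none"                   # domain publishes no record
    addr = ipaddress.ip_address(ip)
    for mech in mechs:
        qualifier, body = ("+", mech) if mech[0] not in QUALIFIERS else (mech[0], mech[1:])
        result = QUALIFIERS[qualifier]
        if body == "all":
            return result               # catch-all for anything unmatched
        name, _, arg = body.partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return result
        elif name == "include":
            if check_host(ip, arg, txt, depth + 1) == "pass":
                return result           # include matches only on "pass"
        else:
            return "permerror"          # mechanism outside this subset
    return "neutral"                    # nothing matched and no "all"

def verify_mail_from(mail_from, client_ip, txt=FAKE_TXT):
    """Check the SMTP envelope sender (MAIL FROM) the way an SPF receiver does."""
    domain = mail_from.rsplit("@", 1)[-1]
    return domain.lower(), check_host(client_ip, domain, txt)
```

A receiver acting on these results would typically reject on "fail", treat "softfail" as a scoring signal, and fall back to other checks on "none".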

“The SenderID draft basically contains everything that the [SPF] draft
contains and adds a bunch more stuff,” Wong said. “The extensions, they’re
still being refined, but the core of it is still SPF, that isn’t going to
change very much. SPF [development] has been frozen for about six months
now. A lot of anti-spam vendors already have the code working and are in alpha or beta
testing. When SenderID comes out, they’ll
only need to change a few lines of code to make it work with SenderID, as
well as the old SPF.”

Wong expects SenderID to be ratified by the IETF as an RFC
this August, when the organization meets in San Francisco.

AOL, as one of the publishers of the original SPF standard, is pleased
with Sender ID. “We are glad the new standard is fully backwards compatible
with the existing SPF, which is in use by tens of thousands of domains on
the Internet already,” said Carl Hutzler, director of Antispam Operations at
AOL, in a statement.

A number of e-mail service providers have already adopted SPF and other
authentication technologies. AOL has said it will require those on its
whitelist to publish SPF records by the end of the summer.

The proposals issued by ASTA earlier this week are the result of more than a
year of collaboration between the four founders and member ISPs to find
common ground on the root causes of spam. The group has expertly hyped its
efforts: Before April 2003, the four were relatively enclosed islands of
anti-spam knowledge. Since then, they’ve dribbled out tidbits of information and
held press
conferences
in the months following the U.S. Senate’s passage of the
CAN-SPAM Act in November 2003.

The results of the year-plus effort provide a good baseline for common
knowledge but don’t present any new facts or information, said Ray Everett
Church, co-founder of the Coalition Against Unsolicited Commercial E-mail
(CAUCE), a grass-roots organization created to find a way to stop spam.

“(ASTA) came together last year and announced they were working together to much
fanfare. A year and a half later, we’re still waiting for something really
concrete to come out of that group, in terms of something that will make a
real difference in the amount of spam the average consumer receives,” he
said.

What the group hasn’t done, according to Church, is come up with a viable proposal to
fight spam in the form of standards. Outside of Microsoft’s merged
proposal with SPF, each ASTA founder seems to favor its own brand of
technology.

However, Nicholas Graham, an AOL spokesperson, said the alliance has met
most of the guidelines that it set out in its April 2003 charter, and that
getting information from disparate sources takes time.

“We have opened our doors to conversation with as many groups as possible,
like [Church’s], in order to facilitate as much feedback as possible on the
process,” he said. “We felt that it was very important to deliberate as
long as possible in order to — I know this sounds trite — get it right and
to be as inclusive as possible.”

Church, who is also chief privacy officer at the ePrivacy
Group, is co-author of his own proposal before the IETF: the Trusted E-mail
Open Standard (TEOS), which uses a cryptographic header in e-mail addresses
to help end users sort out e-mail as it hits the inbox.

Naturally, he favors his technology over the others. TEOS is the result of
consultation with the Federal Trade Commission, the Direct Marketing
Association and the Network Advertising Initiative, as well as
AOL, Earthlink and Microsoft.

“The SPF and Caller ID focus on, ‘Does this server trust that server?’” Church said. “But
that doesn’t really help you when you get to an end user’s inbox. We think that it’s important that you have a technology that has
greater security and cryptography, but also contains the sort of data that
allows the end user to make the choices.”
Representatives from Microsoft, Yahoo! and Earthlink did not return
calls by press time.

Competing standards proposals and lots of meetings are signs of progress, according to Wong.
“We’ve never seen change on this scale, so quickly before,” Wong said.
“Over the next few months, it will be a period of experimentation, and we may
still need to tweak to get it right. You never really get it right on the
first release. But this is something we need to do, and there’s no way to do
it except by going out there and doing it.”

Pamela Parker contributed to this story.