Microsoft’s announcement last week of a host of
initiatives to stop spam highlighted some tectonic shifts taking
place in the once staid world of internet messaging.
The company’s latest e-mail authentication architecture, known
as Caller ID, is being met with cautious acceptance. However,
Microsoft is unlikely to have the last word on secure e-mail, and
expects have warned that a shake-out of antispam solutions backed
by Microsoft, Yahoo, America Online and others is likely to take
place in coming months.
Microsoft used a keynote address at the RSA Conference last
week by chairman and chief software Architect Bill Gates to unveil
its new authentication scheme.
With Caller ID, e-mail senders publish the IP address of their
outgoing e-mail servers as part of an XML format e-mail "policy" in
the domain name system (DNS) record for their domain.
E-mail servers and clients that receive messages can then query
that DNS record and match the source IP address of the message to
the address of the approved sending servers. E-mail messages
that do not match the source address can be discarded.
To bolster its proposal, Microsoft has cut a deal with leading
e-mail software provider Sendmail to support Caller ID. Sendmail is
testing the Caller ID technology and intends to create an
open-source plug-in Sendmail filter, or "milter", that works with
the Caller ID architecture, said Sendmail chief executive officer
Dave Anderson.
Sendmail also announced last week that it will soon begin
testing another e-mail authentication technology - called
DomainKeys - backed by leading ISP Yahoo.
Yahoo proposes to use PKI (Public Key Infrastructure) technology
to prevent e-mail address spoofing, Sendmail said.
Sendmail executives say that backing both proposals is not
contradictory and that having more than one authentication scheme
can work.
"It will be like the IDs in a wallet, where you have multiple
kinds of IDs," said Anderson.
While DomainKeys and Caller ID overlap in some areas, they also
have different strengths, he added.
The DomainKeys system uses public/private key cryptography to
generate a unique signature for each e-mail address based on
information in the message header. The system requires senders to
deploy a PKI infrastructure, but makes it possible to authenticate
both the source of the message and the message content, Anderson
said.
In contrast, Caller ID does not allow organisations to verify
message content, but it is easy to deploy and does not require new
technology purchases, he added.
"Caller ID will be quick to deploy for a basic set of [e-mail
senders}. They don’t have to do anything else besides put their
sender ID in DNS."
To complicate matters even further, Caller ID is similar to
another sender authentication proposal circulating among leading
ISPs and e-mail security experts called Sender Policy Framework
(SPF), which was developed by independent antispam researcher Meng
Wong of the e-mail forwarding service Pobox.com.
In January, America Online said it was testing SPF across its
entire user base of 33 million subscribers, making it one of more
than 7,500 internet domains to publish SPF records.
Behind all of the activity is built-up demand caused by years of
inaction by major e-mail stakeholders on security issues, which
allowed online fraud and e-mail scams to flourish, according to
Pete Lindstrom of Spire Security, who chaired a panel discussion on
sender authentication at the RSA Conference.
But some companies that do business on the internet are worried
that the competing proposals for e-mail authentication could cause
more harm than good, said Gail Goodman, CEO of Constant Contact,
which provides e-mail marketing services for small and medium-sized
businesses.
"Our main concern is that whatever technology is implemented is
able to accommodate various configurations that people commonly use
today and that it's affordable to all businesses that use the
internet now," she said.
New architectures, such as SPF and Caller ID, will prompt
changes in the way Constant Contact and its customers do business,
Goodman said. For example, the company's customers will need to
modify their DNS record to include an e-mail policy document that
lists Constant Contact's e-mail servers as an approved e-mail
service provider.
SPF might even make it difficult for Constant Contact to
continue business, because the company sends e-mail from its own
servers on behalf of customers, listing the domain name of its
customers in the "from" address - a legal manoeuvre that is often
abused by spammers and that SPF is designed to thwart.
"SPF doesn't work for a lot of edge cases like e-mail forwarding
companies," said Hans Peter Brondmo, senior vice president at
e-mail marketing company Digital Impact and a co-chair of the
Technology Working Group at the E-mail Service Providers' Coalition
(ESPC). The coalition represents about 40 companies in the
commercial e-mail business, including Digital Impact and Constant
Contact.
On the other hand, DomainKeys, which relies on a signature based
on the exact message formatting, might fall flat with e-mail
servers, such as Microsoft Exchange, that alter the format of the
e-mail message body after it has been received, Brondmo said.
The ESPC has been consulted by Microsoft and others about their
plans and is putting together trials of Caller ID, DomainKeys and
SPF. While the group has not come out in favour of any solution, it
backs the use of sender authentication as a way to weed out
legitimate e-mail marketers from spammers, Goodman said.
However, the group also advocates the creation of a "reputation"
system to build accountability into e-mail.
Such a system would aggregate information collected by large
ISPs such as Hotmail, Yahoo, AOL and others from billions of e-mail
messages and create an accreditation system for e-mail domains.
Smaller ISPs and other domain owners could then use that to vet
e-mail on their domains, Brondmo said.
"Forty or 50% of the e-mail goes to small and medium-sized ISPs
and mail gateways. Those guys need a framework for authentication
and to determine the quality of e-mail," he added. At present, none
of the proposed sender authentication solutions directly addresses
the reputation issue, nor have ISPs published standards for how
such information could be shared.
Sendmail also backs a sender reputation infrastructure to
complement sender authentication, Anderson said.
Anderson, Brondmo and others also envision multiple technologies
working side by side.
"Maybe you start with SPF and, if that fails, you choose to
accept a message and the secondary authentication on the additional
headers," Brondmo said.
Multiple, competing standards are rarely a good thing in
technology circles, and we are likely see "jostling" between
competing authentication schemesin the coming months, although
Brondmo admitted that could be a good thing.
"Right now, the competing standards are causing everyone to run
real fast and be aggressive," he said.
If providers decide on an authentication infrastructure within a
year, organisations can begin working on other pieces of the secure
e-mail puzzle and make the system work for everybody, Brondmo
added.
Paul Roberts writes for IDG News Service