Sender authentication will have a major place in the
arsenal of anti-spam technology, Mark Sunner
believes.
Spam used to be just a nuisance but, as volumes have
increased, it has become a business issue.
In March 2003, spam accounted for 36% of all e-mails scanned by
MessageLabs' anti-spam service; last month it had risen to 53%. The
lost productivity, wasted IT resources and bandwidth, coupled with
the sheer frustration of dealing with it, are familiar to most
organisations.
Industry players are now looking at new ways to beat spam. One such
development is sender authentication - a way to check that an
e-mail has genuinely been sent from the domain it claims to come
from. It works by examining the IP address of the e-mail: if it
does not match the source of the e-mail as given by the domain, it
is likely to be a forgery.
Sender authentication is not designed to prevent spam per se; it is
a way of finding out whether an e-mail address has been spoofed.
However, given that many spammers re-route their spam and forge its
origin, authentication should help to weed them out. It should be
noted that identifying forged e-mails has potential for tackling
phishing scams and the spread of viruses too.
Three main technologies now offer sender authentication:
Sender Policy Framework, created by pobox.com, is
being trialled by AOL and is the best established of the
authentication systems. SPF identifies e-mails that have been
forged and alerts the user to suspicious e-mails. This is useful
for those who do not want to adopt a black-and-white
approach.
Domainkeys, Yahoo's proposal for sender
authentication, is a more complex offering than SPF. It uses
cryptography to verify the IP address and domain and look at when
the e-mail was sent. Using this technology, e-mails are assigned
inbound and outbound tokens to help assess their
authenticity.
Caller ID, from Microsoft, is similar to SPF in
that it tries to validate the sending domain, but it is based on
the headers of an e-mail rather than the SMTP envelope. This makes
implementation more complex and fragile. Caller ID also requires
all e-mail clients to upgrade.
In the short term, companies may have to support all three
authentication technologies, but past lessons suggest that one
technology will emerge as the standard. Whether Microsoft will win
remains to be seen. Technically, Domainkeys or SPF probably has the
edge.
What is clear is that despite some opposition, sender
authentication is likely to gain mainstream support. Will sender
authentication spell the end of spam? Alone, probably not -
anti-spam technology will still have an important part to play. But
it should turn out to be a very significant piece of the
puzzle.
Mark Sunner is chief technology officer at
e-mail security firm MessageLabs
