America Online (AOL) has decided not to fully support
Microsoft's Sender ID spam-fighting plan after the Internet
Engineering Task Force (IETF) and the open- source community
expressed intellectual property concerns.
"AOL will now not be moving forward with full deployment of the
Sender ID protocol," said spokesman Nicholas Graham.
Instead, the ISP (Internet service provider) will support only
the sender policy framework (SPF) to fight spam by verifying the
source of e-mail sent to its users, he said.
AOL's rejection comes a week after an IETF group considering
Sender ID as a standard said the proposal needed rewriting. Earlier
this month, open-source groups the Apache Software Foundation and
the Debian Project dismissed Sender ID because the licence would
prevent them from supporting the technology.
AOL is concerned about the lack of acceptance for Sender ID in
the open-source community, Graham said. Additionally, the ISP is
afraid that recent changes to Sender ID will make it incompatible
with the original SPF specification, he said. AOL had endorsed
Sender ID when it was submitted to the IETF in June.
While AOL's decision could be seen as another setback for Sender
ID, Microsoft said AOL's action is fully in line with the Sender ID
proposal, which is being revised.
Support for SPF essentially equals support for Sender ID, said
Microsoft spokesman Sean Sundwall.
"AOL's decision to conduct just the SPF check reflects exactly
the flexibility provided by the Sender ID proposal. Sender ID is
still alive and there are two ways to do the checking," he
said.
Sender ID combines SPF, developed by Meng Weng Wong of
Pobox.com, and the Microsoft-developed Caller ID specification. In
May, Microsoft and Meng agreed to merge their proposals and
submitted it to the IETF a month later.
The Sender ID proposal to the IETF is being rewritten to allow
flexibility on which checking method is used, either the SPF method
or a check for the Purported Responsible Address, which was first
published as part of Microsoft's original Caller ID plan, Sundwall
said.
Microsoft and Wong propose Sender ID as a standard for e-mail
authentication, designed to prevent faking of e-mail addresses and
the origin of an e-mail message. Criminals have used the ability to
forge the origin of an e-mail, for example, in schemes to send
e-mail that looks like it is from a bank and tricks users into
giving up personal information.
With SPF, organisations publish a list of their approved
outgoing e-mail servers, called an SPF record, in the DNS (Domain
Name System). That SPF record is then used to verify the source of
e-mail messages sent to other internet domains. Microsoft's Caller
ID works in a similar way.
AOL is not completely backing out of Sender ID. While it will
not check Sender ID records on mail coming in, it will publish
Sender ID records for outbound mail, Graham said.
AOL said it is also looking at Domain Keys, a technology
developed by rival Yahoo, for possible use in tandem with SPF. With
Domain Keys each e-mail gets a digital signature to verify its
source.
Joris Evers writes for IDG News Service