America Online is conducting a trial of an e-mail protocol called Sender Permitted From, or SPF, across its entire user base of 33 million subscribers, to crack down on forged sender adresses.
The company hoped that SPF would eliminate e-mail forgeries by enabling organisations to specify which servers are allowed to send mail on behalf of their internet domain, according to AOL spokesman Nicholas Graham.
SPF stops e-mail address spoofing by modifying the Domain Name System (DNS) to declare which servers can send mail from a particular internet domain. AOL is using SPF to publish the IP (Internet Protocol) addresses of the servers it uses to send outgoing e-mail. DNS is the system that translates numeric IP addresses into readable internet domain names.
Once widely deployed, SPF records can be referenced by mail transfer agents (MTAs) stationed throughout the internet when routing e-mail messages from a particular domain to determine whether an e-mail message's source is legitimate or "spoofed", said Graham.
The program is still experimental and for the time being AOL will not use SPF to filter mail from other internet domains, Graham said.
"[SPF] is just getting off the ground. AOL is interested in putting the proposal out there and getting feedback from stakeholders," he said.
Those stakeholders include other major ISPs such as Microsoft's MSN, Yahoo and Earthlink.
The trial is a major test of SPF, which is one of a number of new technologies designed to thwart spammers, according to John Levine, co-chairman of the Anti-Spam Research Group.
SPF patches a hole in SMTP (Simple Mail Transfer Protocol), which is used to route e-mail messages from one e-mail inbox to another. Developed in the early 1980s, SMTP was designed to provide a reliable and efficient way to relay messages between host systems using different computer hardware and operating systems.
In recent years, spammers and viruses such as Sobig-F and the recent Beagle/Bagel worm have exploited SMTP's flexibility, easily transposing the actual source of messages with legitimate e-mail addresses from lists that are traded online or harvested from infected computers' hard drives.
The long-term benefit of SPF is that, when the technology is widely deployed, e-mail providers will be able to associate reputations with internet domains rather than with IP addresses, which are harder to track, according to Eric Raymond, president of the Open Source Initiative.
SPF itself will not stop spam, but it will help other antispam technologies like spam traps, by enabling spam to be tracked back to specific domains and forcing spammers to move to new domains more frequently, Raymond said. The combination of technologies can be likened to a "drug cocktail" that, taken together, may stop spam.
Paul Roberts writes for IDG News Service