ISP heavies call time on spoofers

To stop up the loopholes exploited by spammers, AOL and Yahoo are rolling out technology to verify the source of e-mail messages.

To stop up the loopholes exploited by spammers, internet service providers AOL and Yahoo are rolling out technology to verify the source of e-mail messages.

From September, AOL will verify the source of incoming e-mail using Microsoft's Sender ID technology. Yahoo will use its DomainKeys equivalent to sign all e-mail coming out of its servers by the end of this year.

The decisions are part of an industry-wide push to thwart spam and phishing attacks by improving the ability of e-mail and internet service providers to verify the source of e-mail messages.

AOL spokesman Nicholas Graham said AOL would screen mail using Sender Policy Framework (SPF), a part of Sender ID.

Sender ID combines two previous standards, Caller ID and SPF. If adopted by the Internet Engineering Task Force, it could close loopholes in the current system for sending and receiving e-mail that allow senders to fake or "spoof" a message's origin.

AOL has been publishing SPF records that identify its outgoing e-mail servers in the domain name system that translates numeric IP addresses into readable internet domain names. However, it has not yet used SPF to screen incoming e-mail.

AOL will begin checking whether the purported responsible address of an e-mail server sending mail matches one of the servers listed in the SPF record for that internet domain. Tens of thousands of e-mail domains have published SPF records.

Graham said AOL would use SPF to help determine which messages were legitimate, rather than using it as a criteria to reject e-mail.

This approach is similar to that of Microsoft, which has promised to match the source of inbound e-mail to the IP addresses of e-mail servers listed in the sending domain's SPF record. Microsoft's Craig Spiezle said messages that failed the check would not be rejected out of hand, but further scrutinised and filtered.

Miles Libbey, antispam product manager at Yahoo, said Yahoo was looking at putting its thumbprint on outbound, rather than inbound, messages. The company will roll out its DomainKeys technology by the end of the year, digitally signing all e-mail messages sent from its servers.

DomainKeys use public key infrastructure to create a unique signature for each e-mail message based on the content of the message. When e-mail servers receive DomainKeys-signed messages, they use a public encryption key published by the company in the DNS record for the sending domain and the contents of the message to verify the source of the e-mail.

"The world of e-mail is in a lot of hurt," said Greg Olson, chairman and co-founder of e-mail company Sendmail. "It's in trouble and there's a sense of urgency we haven't seen before."

Libbey said that pushing technologies like Sender ID and DomainKeys into service even before their official adoption as standards by governing bodies was a safe way to work out any problems before widespread deployment.

"All these solutions are reasonably early in the life cycle," he said. "There's a lot of interoperability testing that has to happen. Implementing DomainKeys on Yahoo will give us real-world data on how it works."

Microsoft's Spiezle agreed. "It's an iterative process," he said. "We have to try something. The spammers are outsmarting us and the more we delay, the more time they have to figure out what to do."

Paul Roberts writes for IDG News Service

Read more on PC hardware