AOL filter prevents anonymous email
Published: 22 Jan 2004 12:20 GMT
America Online is testing an anti-spam filter intended to accurately trace the origin of email messages, in a move that could bring new accountability to the Net if it proves reliable.
The online unit of media giant Time Warner last week implemented SPF, or Sender Permitted From, an emerging authentication protocol for preventing email forgeries, or spoofing. The trial involves the company's 33 million subscribers worldwide and is the first large scale test for the protocol, which is being considered by standards groups alongside various other email verification proposals.
"Spoofing of email has become a tremendous issue for the industry, and this allows us to help recipients of AOL email to separate the wheat from the chaff," AOL spokesman Nicholas Graham said on Wednesday.
The endorsement of SPF by the world's largest Internet service provider (ISP) could be critical to the evolution of a long-sought email verification standard and could encourage other major email providers to implement it.
Email spoofing is one of the toughest problems that ISPs and anti-spam companies face, largely because Simple Mail Transfer Protocol (SMTP) -- the method for sending email -- offers no widespread means to detect and verify a sender's identity. Junk mailers typically cover their tracks by hacking into unprotected email servers or open relays, or by falsifying names and email addresses in the email sender field.
As a result, some in the industry have called for an overhaul of SMTP, while others have made a case for SPF and similar protocols to complement the existing system.
There are currently at least two other competing technical specifications to SPF under review by a subcommittee of the Anti-Spam Research Group of the Internet Research Task Force.
Like SPF, Designated Mailers Protocol and Reverse Mail Exchange are designed to change the Domain Name System (DNS) database so that email servers can publish which Internet Protocol (IP) addresses they use to send mail. ISPs receiving email can instantaneously verify whether an email originates from where it says it does.
For example, an email recipient can look at an SPF record from AOL to ensure that email that appears to originate from one of its servers, such as mail from bob@aol.com, was actually sent from that address. The recipient can do this by using the SPF record to cross check DNS data associated with AOL's IP addresses.
The system, if successful, would protect email servers and individual address owners from having their addresses falsely suspected of sending spam.
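The check described above, sketched as an added example (not from the article or from AOL): a receiving server takes the SPF record published for the envelope sender's domain and tests the connecting IP address against it. The record, domain and address ranges are constructed placeholders, the DNS lookup is replaced by an inline table, and only the `ip4`, `ip6` and `all` mechanisms of the current `v=spf1` syntax are handled.

```python
import ipaddress

# Constructed sample: what a DNS TXT lookup for the sender domain might return.
# Domain and address ranges are documentation placeholders, not AOL's record.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip6:2001:db8::/32 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, txt_records=SAMPLE_TXT):
    """Evaluate client_ip against the SPF record published for domain.

    Handles only the ip4, ip6 and all mechanisms; returns "none" when no
    record is published and "permerror" for anything it cannot evaluate.
    """
    record = txt_records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            # An ip4 term never matches an IPv6 client, and vice versa.
            if network.version == (4 if name == "ip4" else 6) and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # include, a, mx, redirect etc. need live DNS
    return "neutral"  # no mechanism matched and the record has no "all"


def sender_domain(mail_from):
    """Domain part of the SMTP envelope sender (MAIL FROM)."""
    return mail_from.rsplit("@", 1)[-1]
```

A `pass` only means the connecting address is one the domain has listed; it says nothing about who controls that machine.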
Other efforts have already launched to attack the problem, such as the Trusted Email Open Standard. But so far, they have failed to gain widespread adoption.
In addition, AOL last year forged an alliance with Yahoo, Microsoft and EarthLink to develop and eventually implement such anti-spam technologies. While a joint project has yet to materialise, individual members of the group have begun trials with emerging email authentication systems. Yahoo, for example, began backing Domain Keys, which is a system that uses encryption within email to validate that the sender is legitimate.
Yahoo, AOL and other online service providers have been driven to act against spam because of its mounting toll on one of the most popular activities on the Internet -- email. More than 50 percent of email sent today is unwanted junk, according to anti-spam companies, and the spam volume costs mail providers millions of dollars in hijacked bandwidth and storage, as well as defence measures.
Some industry researchers say the SPF protocol is promising but is not ready for prime time. Steven Bellovin, a member of the Internet Engineering Task Force, has said that among other problems, SPF could bind a sender too closely to DNS records, and as a result, their employers or ISPs.
"While big ISPs may like that, it flies in the face of current [American] public policy -- witness local telephone number portability. Ironically, it will also discourage a current anti-spam strategy used by many: throw-away email addresses for particular purposes," Bellovin wrote in an open criticism of the protocol.
In addition, SPF would not affect an increasingly popular method employed by spammers that involves hijacking another computer through a worm in order to launch spam from that machine. In that case, the spam would be coming from a legitimate source, even though the owner may be unaware of it.
AOL's Graham said that the company is testing the protocol and soliciting the anti-spam community for suggestions on how to improve it. AOL tested the system for several days before it re-implemented it last week with technical improvements, he said.
AOL's Graham said that the company is still committed to its anti-spam allegiances with Yahoo and others.
CNET News.com's Paul Festa contributed to this report.




