Security threats Toolkit

Microsoft proposes ID solution for spam

Tags:
Solution,
Microsoft,
SenderID,
Spam

Dawn Kawamoto CNET News.com

Published: 13 Aug 2004 08:40 BST

Microsoft on Thursday is holding a summit with members of the Email Service Provider Coalition to address the use of Sender ID technology as a standard to fight spam and phishing.

The software giant said it would gather more than 80 members of the ESPC coalition at its headquarters to discuss using Sender ID as a way to ensure that email originates from the Internet domain it claims to come from. Fighting the annoyance of spam and the dangers of fraud activity such as "phishing" is among the top concerns of Internet users and the companies that serve them.

Sender ID validates the server Internet Protocol address of the sender to assure an email recipient that a message claiming to be from a credit card company actually is. The technology relies on Microsoft's Caller ID for Email technology and the Sender Policy Framework, authored by Meng Weng Wong, chief technology officer at Pobox.com.

The Internet Engineering Task Force is currently evaluating Sender ID as an industry standard for email authentication. Thursday's meeting will look at what Sender ID can do to control unwanted email and at the challenges the technology will bring to legitimate users of email.

Several companies have already announced plans to roll out products and services that support Sender ID, including Cloudmark, DoubleClick, IronPort Systems, Sendmail, Symantec, Tumbleweed and VeriSign, Microsoft said in a statement.

DoubleClick, which delivers Web advertising, will use Sender ID in the email system it uses to communicate with its customers. Ken Takahashi, DoubleClick's senior director of email operations and ISP relations, said a framework like Sender ID is only part of the solution to controlling unwanted and fraudulent email.

"Since the spam epidemic exploded in the past few years, we have always maintained that a solution could only come from a combination of legislation, technology, industry self-regulation and consumer education."

Companies and individuals are increasingly deluged with spam and phishing scams, in which con artists send email purportedly from a recipient's bank, credit card company or Internet provider requesting sensitive information such as "lost" credit card numbers or passwords "needing confirmation."

Spammers often "spoof" their return addresses -- forging them to make them look legitimate to the recipient's spam filters. This can trick recipients into opening the unwanted mail, because it appears to be from a known contact. The technique also assists in the dissemination of email viruses.

Other efforts
The email problems have sparked efforts by other email giants such as America Online and Yahoo to research their own authentication systems. AOL and Yahoo have technologies in the works, and plan to implement them into their email systems by year's end.

AOL has been testing a system called Sender Permitted From, or SPF, that uses the domain name server (DNS). A company spokesman said SPF tests for outbound mail are currently compatible with SenderID. The company plans to test inbound SPF with SenderID beginning in September. AOL also will test technology supported by Yahoo by the end of the year.

"This isn't an online medal race to see who gets the gold when it comes to spam-fighting," AOL spokesman Nicholas Graham wrote in an email. "We're all on the same team."

As for Yahoo, the Web portal is testing its so-called DomainKeys system for Yahoo Mail. The technology creates an encrypted email address signature and then uses DNS to prove a message verify it came from Yahoo. Recipient email servers must add software to use domain keys.

A Yahoo spokeswoman said the company is also looking into SenderID technology.

"We are evaluating IP-based solutions like SenderID," said company spokeswoman Terrell Karlston. "We are eager to see the results of some rounds of testing by other industry leaders."

CNET News.com's Jim Hu contributed to this report.