America Online is testing an antispam filter intended to accurately trace
the origin of e-mail messages, a move that could bring new accountability
to the Net if it proves reliable.
The online unit of media giant Time Warner last week implemented SPF, or
Sender Permitted From, an emerging authentication protocol for preventing
e-mail forgeries, or spoofing. The trial involves the company's 33 million
subscribers worldwide and is the first large-scale test for the protocol,
which standards groups are considering along with various other e-mail
verification proposals.
"Spoofing of e-mail has become a tremendous issue for the industry, and
this allows us to help recipients of AOL e-mail to separate the wheat from
the chaff," AOL spokesman Nicholas Graham said Wednesday.
The endorsement of SPF by the world's largest Internet service provider
(ISP) could be critical to the evolution of a long sought e-mail
verification standard and could encourage other major e-mail providers to
implement it.
E-mail spoofing is one of the toughest problems that ISPs and antispam
companies face, largely because Simple Mail Transfer Protocol (SMTP)--the
method for sending e-mail--offers no widespread means to detect and verify
a sender's identity. Junk mailers typically cover their tracks by hacking
into unprotected e-mail servers or open relays, or by falsifying names and
e-mail addresses in the e-mail sender field.
As a result, some in the industry have called for an overhaul of SMTP,
while others have made a case for SPF and similar protocols to complement
the existing system.
There are currently at least two other competing technical specifications
to SPF under review by a subcommittee of the Anti-Spam Research Group of
the Internet Research Task Force.
Like SPF, Designated Mailers Protocol and Reverse Mail Exchange are
designed to change the Domain Name System (DNS) database so that e-mail
servers can publish which Internet Protocol (IP) addresses they use to send
mail. ISPs receiving e-mail can instantaneously verify whether an e-mail
originates from where it says it does.
For example, an e-mail recipient would be able to look at an SPF record
from AOL to ensure that e-mail appearing to originate from one of its
servers--such as bob@localhost actually sent from that address. The
recipient would do this by using the SPF record to cross check DNS data
associated with AOL's IP addresses.
The system, if successful, would protect e-mail servers and individual
address owners from having their addresses falsely suspected of sending
spam.
Other efforts have already launched to attack the problem, such as the
Trusted E-mail Open Standard. But so far, they have failed to gain
widespread adoption.
In addition, AOL last year forged an alliance with Yahoo, Microsoft and
EarthLink to develop and eventually implement such antispam technologies.
While a joint project has yet to materialize, individual members of the
group have begun trials with emerging e-mail authentication systems. Yahoo,
for example, began backing Domain Keys, a system that uses encryption
within e-mail to validate that the sender is legitimate.
Yahoo, AOL and other online service providers have been driven to act
against spam because of its mounting toll on one of the most popular
activities on the Internet--e-mail. More than 50 percent of e-mail sent
today is unwanted junk, according to antispam companies, and the spam
volume costs mail providers millions of dollars in hijacked bandwidth and
storage, as well as defense measures.
Some industry researchers say the SPF protocol is promising but not ready
for prime time. Steven Bellovin, a member of the Internet Engineering Task
Force, has said that among other problems, SPF could bind a sender too
closely to DNS records, and as a result, their employers or ISPs.
"While big ISPs may like that, it flies in the face of current (American)
public policy--witness local telephone number portability. Ironically, it
will also discourage a current antispam strategy used by many: throw-away
e-mail addresses for particular purposes," Bellovin wrote in an open
criticism of the protocol.
In addition, SPF would not affect an increasingly popular method employed
by spammers that involves hijacking another computer through a worm in
order to launch spam from that machine. In that case, the spam would be
coming from a legitimate source, even though the owner may be unaware of it.
AOL's Graham said the company is testing the protocol and soliciting the
antispam community for suggestions on how to improve it. AOL tested the
system for several days before it re-implemented it last week with
technical improvements, he said.
The company is still committed to its anti-spam allegiances with Yahoo and
others, Graham said.