April 18, 2006 4:00 AM PDT
On sentry duty in your in-box
With the Authentication Summit in Chicago, sponsored in part by Microsoft and chaired by Spiezle, the technology industry is reaching out to Fortune 500 businesses to tell them about e-mail authentication. Major airlines, financial institutions and insurance companies are looking for direction and advice, Spiezle said.
Companies with online businesses have been struggling to fight phishing, a prevalent type of online scam through which phishers attempt to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine fraudulent spam e-mail and Web pages that look like legitimate sites.
Consumer faith in e-mail is falling, as its abuse for online scams is growing. If businesses don't sign up for Sender ID or similar technologies, that trend could continue and undermine e-mail's usefulness, authentication advocates say.
"E-mail is just getting more and more broken," said Dave Jevans, chairman of the Anti-Phishing Working Group, which includes banks, Internet service providers, law enforcement agencies and technology vendors among its members. "If there is no e-mail authentication, then you have to find some other way to communicate with your customer that is not e-mail."
eBay and its PayPal online payment unit, which are the source of more than a billion transaction-related e-mails a month, are among the biggest phishing targets. If e-mail authentication delivers on its promise, it could be a boon for eBay--but it is not there yet, Durzy said. It identifies the sender of the e-mail, but it does not do much to reassure the recipient about the reputation of the sender, he noted.
The ultimate benefits really are in the future applications of e-mail authentication, agreed Nicholas Graham, an AOL representative. "E-mail authentication has to be combined with accreditation and reputation services for a comprehensive look into the quality of mail coming from any source," he said.
Microsoft is already using such reputation-based filtering, Spiezle said. These systems look at the e-mail sending habits of a particular domain, for example CNET.com, and include that in the decision as to whether messages should be junked.
"In e-mail authentication, Sender ID is your driver's license. We know who you are, but we don't know if you're a good driver," Spiezle said. The reputation score is analogous to a driving record, he added. "If you have a lot of people complain about your mail being spam, you get a negative score."
Authentication technology helps bolster reputation systems by identifying the true source of the e-mail. Previously, assigning a reputation to a domain could be shaky, because the domain could be faked.
'More product, less hype'
Many in the industry are working on reputation technology. That includes Microsoft and e-mail security vendors such as CipherTrust, but also Meng Wong, the developer of the original Sender Policy Framework (SPF) specification, now part of Sender ID. Wong is now chief technology officer for special projects at e-mail forwarding company POBox.com.
Wong divorced himself from the SPF effort after SPF was folded together with Microsoft's Caller ID for E-mail into Sender ID. This time, he's careful to avoid the mistakes made during the authentication effort, he said. "We're going to try to get our act together as an industry before telling the world we're ready: More product, less hype."
With Hotmail, Microsoft has seen a marked increase in the number of e-mails that include an SPF record. Sender ID requires Internet service providers, companies and other Internet domain holders to publish such records to identify their mail servers. This can be challenging, especially for a large organization that may have systems sending mail in multiple countries, or may hire others to send mail for them, experts said.