April 18, 2006 4:00 AM PDT

On sentry duty in your in-box

(continued from previous page)

With the Authentication Summit in Chicago, sponsored in part by Microsoft and chaired by Spiezle, the technology industry is reaching out to Fortune 500 businesses to tell them about e-mail authentication. Major airlines, financial institutions and insurance companies are looking for direction and advice, Spiezle said.

Companies with online businesses have been grappling to fight phishing, a prevalent type of online scam through which phishers attempt to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine fraudulent spam e-mail and Web pages that look like legitimate sites.

E-mail ID cheat sheet
Here's the lowdown on the main technologies that are out to clean up e-mail by identifying the source.

Sender ID
Brings together two previous security technologies: Caller ID for E-mail, introduced by Microsoft in February 2004, and SPF, developed by Meng Wong. Sender ID compliant e-mail requires an SPF tag in a Domain Name System record to identify valid machines sending mail from that domain.

SPF
Short for Sender Policy Framework. Both main versions of SPF records comply with Sender ID, but they verify a different "from" address. SPF 1 validates the sender data contained in the e-mail envelope data, which is typically only read by e-mail systems. SPF 2 verifies the "from" name displayed to the user. Industry experts advise companies to publish and use both.

DKIM
Merges Yahoo's DomainKeys with Cisco Systems' Internet Identified Mail. DKIM, or DomainKeys Identified Mail, relies on public key cryptography. It attaches a digital signature to outgoing e-mail so recipients can verify that the message comes from its claimed source.

Consumer faith in e-mail is falling, as its abuse for online scams is growing. If businesses don't sign up for Sender ID or similar technologies, that trend could continue and undermine e-mail's usefulness, authentication advocates say.

"E-mail is just getting more and more broken," said Dave Jevans, chairman of the Anti-Phishing Working Group, which includes banks, Internet service providers, law enforcement agencies and technology vendors among its members. "If there is no e-mail authentication, then you have to find some other way to communicate with your customer that is not e-mail."

eBay and its PayPal online payment unit, which are the source of more than a billion transaction-related e-mails a month, are among the biggest phishing targets. If e-mail authentication delivers on its promise, it could be a boon for eBay--but it is not there yet, Durzy said. It identifies the sender of the e-mail, but it does not do much to reassure the recipient about the reputation of the sender, he noted.

The ultimate benefits really are in the future applications of e-mail authentication, agreed Nicholas Graham, an AOL representative . "E-mail authentication has to be combined with accreditation and reputation services for a comprehensive look into the quality of mail coming from any source," he said.

Microsoft is already using such reputation-based filtering, Spiezle said. These systems look at the e-mail sending habits of a particular domain, for example CNET.com, and include that in the decision as to whether messages should be junked.

"In e-mail authentication, Sender ID is your driver's license. We know who you are, but we don't know if you're a good driver," Spiezle said. The reputation score is analogous to a driving record, he added. "If you have a lot of people complain about your mail being spam, you get a negative score."

Authentication technology helps bolster reputation systems by identifying the true source of the e-mail. Previously, assigning a reputation to a domain could be shaky, because the domain could be faked.

'More product, less hype'
Many in the industry are working on reputation technology. That includes Microsoft and e-mail security vendors such as CipherTrust, but also Meng Wong, the developer of the original Sender Policy Framework (SPF) specification, now part of Sender ID. Wong is now chief technology officer for special projects at e-mail forwarding company POBox.com.

Wong divorced himself from the SPF effort after SPF was folded together with Microsoft's Caller ID for E-mail into Sender ID. This time, he's careful to avoid the mistakes made during the authentication effort, he said. "We're going to try to get our act together as an industry before telling the world we're ready: More product, less hype."

With Hotmail, Microsoft has seen a marked increase in the number of e-mails that include an SPF record. Sender ID requires Internet service providers, companies and other Internet domain holders to publish such records to identify their mail servers. This can be challenging, especially for a large organization that may have systems sending mail in multiple countries, or may hire others to send mail for them, experts said.

Previous page | CONTINUED: Getting the message out…
Page 1 | 2 | 3

See more CNET content tagged:
e-mail authentication, Sender ID, e-mail security, authentication, sender

18 comments

Join the conversation!
Add your comment
Bull
This is just a way to "validate" spam. It is VERY EASY to block the email sender-id would not let through, and - if you dont use a MS Mail Server that ACCEPTS and PROCESSES EVERYTHING - it uses little processing power and bandwidth. Currently, sender-id would not block the email that get through my mail server. I would just mean more spamer would spend money with MS and Security vendors to get IDs. The end user would still get the spam.

Another MS joke at attempting to benefit from a problem that will always exist.
Posted by umbrae (1073 comments )
Reply Link Flag
Bull
This is just a way to "validate" spam. It is VERY EASY to block the email sender-id would not let through, and - if you dont use a MS Mail Server that ACCEPTS and PROCESSES EVERYTHING - it uses little processing power and bandwidth. Currently, sender-id would not block the email that get through my mail server. I would just mean more spamer would spend money with MS and Security vendors to get IDs. The end user would still get the spam.

Another MS joke at attempting to benefit from a problem that will always exist.
Posted by umbrae (1073 comments )
Reply Link Flag
Bull II
The real Spam problem is the bandwidth that it consumes. And as far as I can tell, neither MS SenderID, Yahoo DomainKeys, or AOL "Moneygrab" (aka Goodmail) will do anything about that, because the crap will be sent to my server.

All these systems can do is "verify" supposedly good messages. We already block 99% of all spam with a combination of Spamassassin and the Spamhaus.org blacklist (with no false positives).

I seriously doubt SenderID or the others could improve on that.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Wow
Spam about an anti-spam product - excellent !
Posted by (409 comments )
Link Flag
Bull II
The real Spam problem is the bandwidth that it consumes. And as far as I can tell, neither MS SenderID, Yahoo DomainKeys, or AOL "Moneygrab" (aka Goodmail) will do anything about that, because the crap will be sent to my server.

All these systems can do is "verify" supposedly good messages. We already block 99% of all spam with a combination of Spamassassin and the Spamhaus.org blacklist (with no false positives).

I seriously doubt SenderID or the others could improve on that.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Wow
Spam about an anti-spam product - excellent !
Posted by (409 comments )
Link Flag
More Beta Testing!
More beta testing a unworkable idea!

Microsoft should know by now that having people register to prove who they are doesn't work. 'No one' registerd drivers, 'no one' registers activex components, and if anyone did, would it help? Nope.

Why does Microsoft keep having us beta test their ideas and software, and try to charge us for it?
Posted by hawkeyeaz1 (569 comments )
Reply Link Flag
Charge?
Einstein, MS is giving away money to suport an idea that is not tied to their technology at all.

You people are pathetic. I'm glad folks like you will have no meaningful impact on the world I'll be living in for the next decades. You post here over and over for no other reason than our amusement. However, you still don't have the style of ol' "Cut 'n Paste" Mettler!
Posted by KTLA_knew (385 comments )
Link Flag
Microsoft keep having us beta test their ideas
<a class="jive-link-external" href="http://www.analogstereo.com/volvo_xc90_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/volvo_xc90_owners_manual.htm</a>
Posted by Ipod Apple (152 comments )
Link Flag
More Beta Testing!
More beta testing a unworkable idea!

Microsoft should know by now that having people register to prove who they are doesn't work. 'No one' registerd drivers, 'no one' registers activex components, and if anyone did, would it help? Nope.

Why does Microsoft keep having us beta test their ideas and software, and try to charge us for it?
Posted by hawkeyeaz1 (569 comments )
Reply Link Flag
Charge?
Einstein, MS is giving away money to suport an idea that is not tied to their technology at all.

You people are pathetic. I'm glad folks like you will have no meaningful impact on the world I'll be living in for the next decades. You post here over and over for no other reason than our amusement. However, you still don't have the style of ol' "Cut 'n Paste" Mettler!
Posted by KTLA_knew (385 comments )
Link Flag
Microsoft keep having us beta test their ideas
<a class="jive-link-external" href="http://www.analogstereo.com/volvo_xc90_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/volvo_xc90_owners_manual.htm</a>
Posted by Ipod Apple (152 comments )
Link Flag
spammers can use SenderID too
So this isn't really an anti-spam technology
Posted by Jackson Cracker (272 comments )
Reply Link Flag
spammers can use SenderID too
So this isn't really an anti-spam technology
Posted by Jackson Cracker (272 comments )
Reply Link Flag
Why MS should not be trusted with this;
Last I knew MS would not allow open source products free access to use the technology. In other words, pay to play.

All other MS products that have anything to do with Internet technologies, without fail open up users of said technology to an untold number security and privacy concerns. No other product in any category is perfect, but the issues concerning MS products outnumber all other products combined across the board in terms of numbers, impact and severity.

Last but certainly not least, since when does Microsoft care about you and me? I'm not a Microsoft hater, only looking at the facts and track record. Microsoft only does what is good for Microsoft, to obtain and/or maintain a monopoly at the expense of users/consumers. This issue is no exception.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Why MS should not be trusted with this;
Last I knew MS would not allow open source products free access to use the technology. In other words, pay to play.

All other MS products that have anything to do with Internet technologies, without fail open up users of said technology to an untold number security and privacy concerns. No other product in any category is perfect, but the issues concerning MS products outnumber all other products combined across the board in terms of numbers, impact and severity.

Last but certainly not least, since when does Microsoft care about you and me? I'm not a Microsoft hater, only looking at the facts and track record. Microsoft only does what is good for Microsoft, to obtain and/or maintain a monopoly at the expense of users/consumers. This issue is no exception.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Line of Responsibility
This problem has a real solution.

Every single IP address in the world is managed by members if ICANN.

ISP's in all the countries get their IP address blocks from ICANN authorised sources.

Thus - you cannot have a "Spam Source" that works outside the known chain of responsibility from ICANN to the local ISP.

The responsibility for controlling SPAM has to be that of ISP's. They are the ones who hand out the IP addresses that are used to send SPAM.

This is not a problem that can be solved by any company, even the mighty Microsoft. In fact, many suspect that Hotmail is the biggest harvester of email addresses that are used for spamming.

SPAM as another poster pointed out, accounts for a humongous waste of bandwidth. It can be controlled only through the concerted efforts of countries (who own the blocks of IP addresses) and ISP's who are allotted IP Address blocks within countries.

sughyosha
Posted by sughyosha (21 comments )
Reply Link Flag
Line of Responsibility
This problem has a real solution.

Every single IP address in the world is managed by members if ICANN.

ISP's in all the countries get their IP address blocks from ICANN authorised sources.

Thus - you cannot have a "Spam Source" that works outside the known chain of responsibility from ICANN to the local ISP.

The responsibility for controlling SPAM has to be that of ISP's. They are the ones who hand out the IP addresses that are used to send SPAM.

This is not a problem that can be solved by any company, even the mighty Microsoft. In fact, many suspect that Hotmail is the biggest harvester of email addresses that are used for spamming.

SPAM as another poster pointed out, accounts for a humongous waste of bandwidth. It can be controlled only through the concerted efforts of countries (who own the blocks of IP addresses) and ISP's who are allotted IP Address blocks within countries.

sughyosha
Posted by sughyosha (21 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.