August 9, 2005 4:00 AM PDT
Sender ID's fading message
- Related Stories
Phishers cash in on ATM cardsAugust 2, 2005
Antispam proposals advanceJune 29, 2005
Data leaks denting Web shoppers' confidenceJune 23, 2005
Microsoft pushes spam-filtering technologyJune 22, 2005
Microsoft-backed antispam spec gets filtered outSeptember 23, 2004
Antispam framework scores Microsoft endorsementMay 25, 2004
Gates: 'Everything' impacted by security concernsFebruary 24, 2004
Gates reveals his 'magic solution' to spamJanuary 26, 2004
(continued from previous page)
exist. There are several versions of SPF, and there is Sender ID, for example.
Those could be reasons why the technology hasn't proved too popular with businesses. Gartner analyst Lydia Leong doesn't expect companies to start picking it up anytime soon. "Adoption will be slow, and many enterprises will not publish records until 2007," she said.
About 1 million domains currently publish SPF records, Microsoft said. That's much fewer than the 71.4 million domains that had been registered worldwide by the end of last year.
There is evidence to suggest that quite a few of the technology's adopters are senders of junk e-mail. Out of a sample of more than 17.7 million e-mail messages taken in late June, a little more than 9 percent were from domains that published an SPF or Sender ID record, according to spam-filtering company MX Logic. About 84 percent of those authenticated messages were spam, it found.
"The majority of the adoption has been by rogue senders trying to get some legitimacy for their messages," said Scott Chasin, the chief technology officer at Denver-based MX Logic.
For spammers, publishing a valid record means they will pass any Sender ID authentication part of a general spam check. Earlier this year, Microsoft said its Web-based e-mail service Hotmail would start flagging messages without valid authentication. Later this year, the company plans to introduce "tougher filtering on nonauthenticated e-mail," Craig Spiezle, director of Microsoft's technology care and safety group, said in June.
"The spammers have more of a motivation to go and do it than most other people," said Forrester analyst Paul Stamp.
For Sender ID to get picked up more widely, the technology needs to become easier to adopt and provide a clear benefit to users, analysts and experts said. "If we don't reach critical mass on the authentication of legitimate senders, there are going to be dire consequences," said Dave Lewis, vice president of marketing at Redwood Shores, Calif.-based StrongMail.
Many of the legitimate e-mail senders who have attempted to publish information on their e-mail servers have made errors, said Dean Drako, the CEO of Barracuda Networks, a Mountain View, Calif.-based maker of antispam appliances.
"We're big proponents of SPF, and all our boxes support it," Drako said. "But we have to recommend to our customers that they do not do any filtering on it, because there are too many false positives. A significant number of people who have published their SPF record have done so incorrectly."
Working with e-mail authentication should be made easier for companies, agreed Lewis of StrongMail. For example, makers of e-mail server software could include simple wizards that collect the needed information, he suggested. "Also, notice back should be provided if there is improper authentication," he said.
Sender ID may not be the perfect solution, Lewis said. "But if we hold out for the silver bullet, we will see a continued erosion in consumer trust in e-mail."
The problem goes beyond junk mail that advertises herbal stimulants or get-rich-quick schemes. Phishing is costing victims real money. An estimated 2.42 million U.S. adults lost money in phishing attacks in the 12-month period that ended in May, according to Gartner. Total losses amounted to nearly $929 million, the research firm said. That in turn hurts customers' relationships with online businesses.
"Where sender authentication is really valuable to enterprises, right now, is in the area of phishing," Gartner's Leong said.
That is why major e-commerce players such as eBay and banks such as Bank of America have been among the first to adopt it, Leong said. Those businesses are among the 36 companies, organizations and individuals who, along with Microsoft and SPF developer Wong, sent a letter to the Federal Trade Commission to promote industry collaboration on e-mail authentication.
The move was only the latest for Microsoft, which has been pushing for widespread e-mail authentication since Gates unveiled the predecessor to the current Sender ID specification in February 2004. But the effort has had its critics. Some have accused the Redmond, Wash., software giant of trying to strong-arm the industry into accepting Sender ID, especially given its warning that Hotmail may treat unauthenticated messages as spam.
Critics have pointed out that Sender ID is not an accepted standard, and some say it has many shortcomings. Last year, the Internet Engineering Task Force, a standards-setting body, let a Sender ID working group expire. The Internet Engineering Steering Group, a division of the IETF, said in June that it would solicit comments on Sender ID and on SPF as two separate proposals.
There are technologies that offer an alternative to Sender ID and SPF, such as Yahoo and Cisco Systems' DomainKeys Identified Mail, which is also making its way through the standards process. DKIM attaches a digital signature to outgoing e-mail so that recipients can verify that the message comes from its claimed source.
The Sender ID and DKIM camps, however, say the technologies are complimentary, and many of the companies that back Sender ID also support DKIM.
That flexibility could prove a benefit in the fight against spam and phishing if Sender ID ends up having to co-exist with other technologies. It's also a sign that the software industry is serious in its desire to crush spam and keep e-mail functioning. At the moment, though, a lack of enthusiasm and know-how is holding up mass adoption. But for Barracuda Networks' Drako, it's actually the lack of immediate payback that's keeping a majority of the legitimate e-mail senders from using the e-mail authentication technology.
"It won't solve a problem until everybody adopts it," Drako said, echoing other experts. "If we can get to a place where a significant portion of e-mail has valid SPF records, then we can start to do things to fight spam more effectively."
32 commentsJoin the conversation! Add your comment