UGN Security
Posted By: Ice
AOL tests caller ID for e-mail - 01/26/04 11:30 AM
America Online is testing an antispam filter intended to accurately trace the origin of e-mail messages, a move that could bring new accountability to the Net if it proves reliable.

The online unit of media giant Time Warner last week implemented SPF, or Sender Permitted From, an emerging authentication protocol for preventing e-mail forgeries, or spoofing. The trial involves the company's 33 million subscribers worldwide and is the first large-scale test for the protocol, which standards groups are considering along with various other e-mail verification proposals.

"Spoofing of e-mail has become a tremendous issue for the industry, and this allows us to help recipients of AOL e-mail to separate the wheat from the chaff," AOL spokesman Nicholas Graham said Wednesday.

The endorsement of SPF by the world's largest Internet service provider (ISP) could be critical to the evolution of a long-sought e-mail verification standard and could encourage other major e-mail providers to implement it.

E-mail spoofing is one of the toughest problems that ISPs and antispam companies face, largely because Simple Mail Transfer Protocol (SMTP)--the method for sending e-mail--offers no widespread means to detect and verify a sender's identity. Junk mailers typically cover their tracks by hacking into unprotected e-mail servers or open relays, or by falsifying names and e-mail addresses in the e-mail sender field.

As a result, some in the industry have called for an overhaul of SMTP, while others have made a case for SPF and similar protocols to complement the existing system.

There are currently at least two other competing technical specifications to SPF under review by a subcommittee of the Anti-Spam Research Group of the Internet Research Task Force.

Like SPF, Designated Mailers Protocol and Reverse Mail Exchange are designed to change the Domain Name System (DNS) database so that e-mail servers can publish which Internet Protocol (IP) addresses they use to send mail. ISPs receiving e-mail can instantaneously verify whether an e-mail originates from where it says it does.

For example, an e-mail recipient would be able to look at an SPF record from AOL to ensure that e-mail appearing to originate from one of its servers--such as [email protected]--is actually sent from that address. The recipient would do this by using the SPF record to cross-check DNS data associated with AOL's IP addresses.

The system, if successful, would protect e-mail servers and individual address owners from having their addresses falsely suspected of sending spam.

Other efforts have already launched to attack the problem, such as the Trusted E-mail Open Standard. But so far, they have failed to gain widespread adoption.

In addition, AOL last year forged an alliance with Yahoo, Microsoft and EarthLink to develop and eventually implement such antispam technologies. While a joint project has yet to materialize, individual members of the group have begun trials with emerging e-mail authentication systems. Yahoo, for example, began backing Domain Keys, a system that uses encryption within e-mail to validate that the sender is legitimate.

Yahoo, AOL and other online service providers have been driven to act against spam because of its mounting toll on one of the most popular activities on the Internet--e-mail. More than 50 percent of e-mail sent today is unwanted junk, according to antispam companies, and the spam volume costs mail providers millions of dollars in hijacked bandwidth and storage, as well as defense measures.

Some industry researchers say the SPF protocol is promising but not ready for prime time. Steven Bellovin, a member of the Internet Engineering Task Force, has said that among other problems, SPF could bind a sender too closely to DNS records, and as a result, their employers or ISPs.

"While big ISPs may like that, it flies in the face of current (American) public policy--witness local telephone number portability. Ironically, it will also discourage a current antispam strategy used by many: throw-away e-mail addresses for particular purposes," Bellovin wrote in an open criticism of the protocol.

In addition, SPF would not affect an increasingly popular method employed by spammers that involves hijacking another computer through a worm in order to launch spam from that machine. In that case, the spam would be coming from a legitimate source, even though the owner may be unaware of it.

AOL's Graham said the company is testing the protocol and soliciting the antispam community for suggestions on how to improve it. AOL tested the system for several days before it re-implemented it last week with technical improvements, he said.

The company is still committed to its anti-spam allegiances with Yahoo and others, Graham said.

CNet News
© UGN Security Forum