Interesting People mailing list archives

CNN covers Meng's SPF


From: Dave Farber <dave () farber net>
Date: Mon, 01 Mar 2004 11:18:33 -0700


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Mon, 01 Mar 2004 15:48:32 +0000 (UTC)
From: Chris Metcalfe <metcalfe () pobox com>
Subject: CNN covers Meng's SPF
X-X-Sender: chris () hypatia fricative org
To: farber () cis upenn edu
E-mail identity system proposed to combat spam

Friday, February 27, 2004 Posted: 3:19 PM EST (2019 GMT)

Bill Gates, chairman of Microsoft Corp., speaks about software
breakthroughs and solving problems in computer science at Cornell
University on Wednesday.

NEW YORK (AP) -- With a simple adjustment in your e-mail software, you can
pretend to be anyone. You can send messages marked as coming from
BillGates () microsoft com.

The trick, known as spoofing, is a popular method for spammers to hide
their tracks -- you'd blame Microsoft Corp. chairman Bill Gates and not
the actual perpetrator of junk mail.

To close that loophole, Microsoft and Yahoo! Inc. are each developing
systems aimed at authenticating senders of e-mail. America Online Inc. is
testing a third.

"Having e-mail come in, and not really being able to identify where it
comes from, this is a huge security hole," Gates said this week in
announcing specifications for his proposal.

Many software engineers are concerned, however, that these systems could
end up causing more problems than they solve.

Microsoft's proposal, known as Caller ID for E-mail, calls for Internet
service providers to submit lists of unique numeric addresses for their
mail servers. On the receiving end, software would check a database to
verify that a message said to come from an e-mail provider actually
originated at one of its registered machines.

In January, AOL began testing a similar system called Sender Policy
Framework, or SPF, which checks a different part of the message.

Yahoo's proposed solution is a different animal. It would use encryption
to digitally sign messages. If the sender or message content is altered,
the signature gets rejected. Yahoo announced its proposal, DomainKeys, in
December but has yet to make details public.

The big three e-mail providers are not alone in trying to tackle address
spoofing. Leading e-mail software vendor Sendmail Inc., spam-filtering
company Brightmail Inc. and frequent e-mailer Amazon.com are also at it,
each planning to test one or more systems.

All these competing proposals are enough to get the Internet's
standards-setting bodies in a lather.

One of them, the Internet Engineering Task Force, has scheduled a session
on authentication next Thursday in South Korea. Experts predict some
combination of the techniques will be ready for use later this year,
though formal standards will take longer.

There's much work to be done in the meantime, including proving the
systems can actually work beyond controlled, laboratory environments.

Caller ID and SPF, at least, are likely to disrupt mail-forwarding
services that colleges and companies offer to let alumni and subscribers
route e-mail through a domain name other than their own service
provider's.

They also could break "send to a friend" features in which someone clicks
on a Web link to pass an interesting item to someone else.

Issues to be worked out for all three systems include how to properly send
e-mail from cybercafes, hotels and public Wi-Fi hotspots and how to
preserve privacy when using anonymous re-mailers, which are used by
whistleblowers and others to intentionally mask the origin of messages.

"A lot of people have said that e-mail today is broken, and now we're
going to break it a little more," Meng Weng Wong, lead developer of SPF,
acknowledged. "Some of the things people are used to doing, they won't be
able to do it in quite the same way."

But the gain in fighting spam outweighs any pain from change, Wong argues.

Authentication also can help limit the spread of e-mail viruses and, with
Caller ID and DomainKeys, help flag fraudulent "phishing" messages that
try to trick people into revealing passwords and credit card information.

The proposals require no changes to existing protocols for e-mail or the
domain name system, and developers of all three pledge to eventually seek
standards status (Wong has already submitted SPF for review).

For now, the three can coexist, although adoption could be limited until a
consensus emerges around one or a combination.

But these solutions alone will not stop spammers.

Systems will have to be established to evaluate the reputation of domains
that relay e-mail, and that raises questions about who would develop such
lists and who would arbitrate disputes.

In the short term, authentication will be useful mostly for verifying
newsletters and other bulk mailings that are often misidentified as spam
today, said Margaret Olson, co-chairman of the Email Service Provider
Coalition's technology committee.

Once enough service and software providers adopt the technology, "getting
unauthenticated mail delivered will be extremely difficult," she said.

And that could hurt e-mailers in other countries where adoption of
English-language specifications tends to lag, and smaller service providers
may be forced to accept whatever the giants decide, critics warn.

At EarthLink Inc., which is experimenting with authentication, chief
architect Robert Sanders said no service provider wants to suddenly stop
e-mail from non-participants.

But he likened the technology to telephone's caller ID: "You may still get
a phone call with caller ID, but you may not choose to answer it."

-------------------------------------

Archives at: http://www.interesting-people.org/archives/interesting-people/
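
The registered-sender check the article describes for Caller ID and SPF, and the mail-forwarding breakage it mentions, as an added example that is not part of the original message or article. It is a simplified model: the registry, domains and addresses are constructed, the function names are hypothetical, and it does not implement the real record syntax of either proposal.

```python
import ipaddress

# Constructed registry: domain -> networks of its registered outbound mail servers.
# Example domains and documentation address ranges only; not real data.
REGISTERED_SENDERS = {
    "bigisp.example": ["192.0.2.0/28"],
    "alumni.example": ["198.51.100.25/32"],
}


def check_sender(claimed_address, connecting_ip, registry=REGISTERED_SENDERS):
    """Classify a message that claims claimed_address as its sender and
    arrived on a connection from connecting_ip: 'pass', 'fail' or 'unknown'."""
    domain = claimed_address.rpartition("@")[2].lower().rstrip(".")
    networks = registry.get(domain)
    if not networks:
        # The domain has registered nothing, so the receiver learns nothing.
        return "unknown"
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in ipaddress.ip_network(net) for net in networks):
        return "pass"
    return "fail"


def scenarios():
    """Run the cases the article raises and return their results by name."""
    return {
        # Sent directly from one of the provider's registered machines.
        "direct": check_sender("user@bigisp.example", "192.0.2.5"),
        # Same claimed sender, but the connection comes from an unregistered host.
        "spoofed": check_sender("user@bigisp.example", "203.0.113.77"),
        # An alumni forwarding service relays the message with the sender
        # unchanged, so the final receiver sees the forwarder's address.
        "forwarded": check_sender("user@bigisp.example", "198.51.100.25"),
        # A domain that does not participate in the scheme at all.
        "non_participant": check_sender("someone@smallhost.example", "203.0.113.9"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:16} {result}")
```

The forwarded case fails for the same reason the spoofed one does: the check sees only the connecting machine, which is why a receiver's handling of "fail" and "unknown" is a policy decision separate from the check itself.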
