Sender authentication hits roadblocks


Sender authentication won't completely rid e-mail in-boxes of spam and phishing. Yet the technology has emerged as a useful tool in fighting e-mail abuses by giving recipients some clue as to who is sending them messages.

Many sender authentication proposals are being developed, including DomainKeys, an authentication technology from Yahoo that uses cryptography, and Identified Internet Mail from Cisco, which uses attached signatures. The most popular proposal is Microsoft's Sender ID, a combination of the company's original Caller ID technology and Sender Framework Policy, developed by Meng Weng Wong of Pobox.com. In June, Sender ID was submitted to the IETF for consideration as a standard by the organization's MTA Authorization Records in DNS (MARID) working group.

But with the IETF's response in September that Microsoft rework its proposal to address concerns over the technology's licensing structure, and the subsequent dismantling of the MARID group because of technology disagreements among members regarding Sender ID, implementation might be severely delayed. Last week Microsoft submitted a revised version of Sender ID to the IETF with hopes that the changes it made will satisfy critics.

Sender ID requires organizations to publish a list of their e-mail servers that recipients can use to validate the domain from which a message originates.

Supporters say sender authentication will help fight phishing because senders will no longer be able to make their e-mails look like they've been sent by a valid company. These proposals won't directly curtail spam because plenty of spammers don't hide their identity to begin with, but some say they will enable a new approach to filtering unwanted messages.

"Sender authentication doesn't cure spam, but it gives us some important new clues in controlling our mail. Once you know mail is legitimate . . . it makes sense to shift the strategy away from the current mail filters that [weed] out the bad stuff and switch to where we filter in the good stuff," says Greg Olson, founder and chairman of e-mail software maker Sendmail.

But others question the effectiveness of authenticating a sender's identity.

"Very little of the spam I receive has an identity that is useful in making its way in," says Steven Bellovin, AT&T Fellow and security area director for the IETF. As for phishing, sender authentication might prevent spoofed e-mail, but that alone won't put an end to the scams. "Sure, [sender authentication] might prevent [spoofing] e-mail from citibank.com, but it won't prevent clever phishers from creating ecitibank.com or cit1bank.com, or a thousand other variations," Bellovin adds.
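Bellovin's point can be made concrete with a receiving-side check, shown here as an added example that is not part of the original article: a message can pass sender authentication and still come from a domain that imitates a protected one. The protected list, the character-folding table, the distance threshold and the function names are assumptions chosen for illustration.

```python
# Added example: an authentication pass says who sent the mail, not that the
# sender is the brand the reader expects. Flag authenticated lookalikes.
PROTECTED = {"citibank.com"}  # constructed list of domains to protect

# Fold visually similar characters to one form (assumed, not exhaustive).
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(sender_domain, auth_passed, protected=PROTECTED, max_distance=2):
    """Combine the authentication verdict with a lookalike check."""
    domain = sender_domain.lower().rstrip(".")
    if not auth_passed:
        return "unauthenticated"
    if domain in protected:
        return "authenticated-protected"
    for real in protected:
        brand = real.split(".")[0]
        if (domain.translate(FOLD) == real.translate(FOLD)   # cit1bank.com
                or edit_distance(domain, real) <= max_distance  # ecitibank.com
                or brand in domain):                          # brand embedded
            return "authenticated-lookalike:" + real
    return "authenticated-unknown"


if __name__ == "__main__":
    # Constructed inputs; the lookalike names are the ones quoted above.
    for name in ("citibank.com", "ecitibank.com", "cit1bank.com", "example.org"):
        print(name, "->", classify(name, auth_passed=True))
```

The brand-substring test will over-match for short brand labels, so a deployment would tune it per protected domain.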
