Ciphertrust adds support for SPF anti-spoofing

A new feature in the IronMail e-mail security appliance will support anti-spam technology that prevents the use of forged or “spoofed” sender addresses on unsolicited commercial (“spam”) e-mail, CipherTrust said Thursday.

The Atlanta company announced that IronMail 4.0 now supports Sender Policy Framework (SPF), one of a number of new technologies that authenticate e-mail senders and block spam before they are sent, CipherTrust said.

E-mail using spoofed Internet domains often play a role in so-called “phishing” schemes, in which unwitting Internet users are led to Web pages that look like legitimate online businesses, but are actually scam sites designed to harvest personal information like user names, passwords and credit card numbers.

SPF is not a spam-filtering technology. Instead of analyzing the content of messages to spot spam, SPF allows Internet domain administrators to describe their e-mail servers in an SPF record that is attached to the Domain Name System record. Other Internet domains can then reject any messages that claim to come from that domain but weren’t sent from an approved server, said Meng Wong, independent anti-spam researcher and primary author of the SPF protocol.

Unlike spam filters, the SPF technology allows e-mail gateways to analyze the e-mail envelope, a wrapper for the message that is transferred between mail servers before the full message is sent. Messages that do not come from a valid server at the domain are dropped, before any message content is sent. Because no message content is sent, organizations save Internet bandwidth and computing resources compared with filtering, which requires bogus messages to be sent, received and then analyzed, Wong said.

CipherTrust added an SPF registry to the IronMail 4.0 correlation engine, known as the Enterprise Spam Profiler (ESP). That allows the IronMail appliance to match the e-mail envelope back to published SPF records on the Internet, said Paul Judge, chief technology officer at CipherTrust.

The appliance uses SPF matching as part of the ESP rating assigned to each e-mail record. A failure to match on an SPF record may or may not result in the message being dropped immediately, depending on other factors, Judge said.

CipherTrust’s professional services group is working with customers to publish SPF records for their domain. The company expects that IronMail’s support of SPF will result in a number of high-profile customers, including the Federal Deposit Insurance Corp. publishing SPF records for their domains, Judge said.

“We have 1,400 (IronMail) gateways across the e-mail universe, and we’re working with our customer base to educate them about SPF. We have 20% of the Fortune 500 as customers. Many of them have been victims of phishing attacks and are looking for ways to protect themselves,” he said.

CipherTrust’s adoption of SPF is encouraging to Wong, who said that more than 7,000 Internet domains have already published SPF records, including ISP America Online, companies such as AltaVista and Ticketmaster and universities, including Oxford University in the U.K., Wong said.

The widespread adoption is particularly impressive because an official Internet draft for SPF was only published this month and the technology has just begun the process of obtaining official Request for Comment standard status, he said.

“This is just a formalized version of what a lot of people are already doing. A lot of domains already check mail that’s coming from (Microsoft’s) Hotmail or Yahoo to see if it’s coming from actual Hotmail or Yahoo machines,” Wong said. “SPF is just giving everyone an open, standardized way of doing what they already want to do.”

IronMail 4.0 with SPF support is available now from CipherTrust, Judge said.