ISPs Go It Alone on E-Mail Identity Issue
America Online confirmed yesterday that it is testing the SPF (Sender Permitted From) protocol to fight forged e-mail addresses, or spoofing, which is used commonly by spammers.
"We felt that it was a critical and important part of meeting the challenge of spammers' tactics, specifically the practice of spoofing AOL addresses," AOL spokesman Nicholas Graham said.
AOL's move comes six weeks after Yahoo announced it would implement another e-mail identity protocol, DomainKeys. The different proposals dampen hopes that the industry would work in concert toward developing a solution to the e-mail identity problem. Under the current system, Simple Mail Transfer Protocol, a spammer easily can forge the return address on e-mail, making tracing the source of spam extremely difficult.
Fixing SMTP's shortcomings tops the list for ISPs, though each has a different view about the best way to do so. AOL, Yahoo, Microsoft and EarthLink formed the Anti-Spam Technical Alliance last April to cooperate on various spam-fighting fronts, including the development of a standard for e-mail identity protocols.
However, as the anti-spam alliance bogged down in discussions, Yahoo went its own way with the DomainKeys protocol, which uses public-private keys to determine sender identity. Yahoo said it would make DomainKeys freely available to other ISPs and propose it for adoption to the anti-spam alliance, though it has yet to publish the technical details of the system. Yahoo plans to implement DomainKeys sometime this year.
SPF is a free open-source protocol that uses publicly available domain registration records and a list of servers the domain owners use to send mail. If e-mail is received from a sender whose records do not match up, the receiving ISP or domain could block the mail because of the suspect identity. The system is voluntary, Graham stressed, and each receiver would decide its own policies for using the tool.
Pat Peterson, general manager of information services at IronPort, a San Bruno, CA, e-mail infrastructure provider, said both protocols had good points and shortcomings.
The advantage of SPF, he said, is that it is light and easy to implement. The biggest downside is that forwarded e-mail, or e-mail sent from a different location, would foul up the system. Peterson said DomainKeys would not have such problems, but would face a longer adoption cycle because of the technical requirements.
"The big problem today is none of those options are on the table because there's no critical mass," he said.
The proposals from Yahoo and AOL have gained little initial support, though both companies said they would propose their identity protocols to the anti-spam alliance. No other e-mail receivers have endorsed the Yahoo proposal. In addition to AOL, only a few small domains are publishing SPF, and AOL itself is not checking mail it receives for SPF. Graham said AOL would wait for the results of its test, along with feedback from others in the industry, before proceeding.
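The receiver-side SPF check described earlier, and the forwarding problem Peterson raises, can be seen in a short added example; this is not code from AOL or the SPF project. It assumes the sender's server list is published in the `v=spf1` record syntax later standardized in RFC 7208, and the domains, addresses and the `check_spf` and `scenarios` helpers are constructed for the illustration.

```python
import ipaddress

# Constructed sample data: example.com lists the networks it sends mail
# from (documentation address ranges); example.net publishes nothing.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, connecting_ip, records=SPF_RECORDS):
    """Evaluate the envelope sender's record against the connecting IP.

    Handles only ip4:/ip6: mechanisms and 'all'; a full checker also
    resolves a, mx, include and redirect through DNS.
    """
    terms = records.get(sender_domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # nothing published: the receiver learns nothing
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        result = "pass"  # default qualifier is '+'
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        if term == "all":
            return result  # catch-all policy chosen by the domain owner
        kind, _, value = term.partition(":")
        if kind in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"  # no mechanism matched and no 'all' term


def scenarios():
    """Same claimed sender domain, different connecting servers."""
    return {
        # Mail arriving straight from a listed server.
        "direct": check_spf("example.com", "192.0.2.10"),
        # Forged return address sent from an unlisted host.
        "spoofed": check_spf("example.com", "203.0.113.7"),
        # Legitimate mail relayed by a forwarder that keeps the original
        # return address: the receiver sees the forwarder's IP instead.
        "forwarded": check_spf("example.com", "203.0.113.50"),
        # Domain that has not published a record.
        "unpublished": check_spf("example.net", "203.0.113.7"),
    }
```

The forwarded and spoofed cases return the same result, which is why each receiver's policy for acting on a failure matters.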
Graham said AOL remained committed to fighting spam in a coordinated industry effort but that it was only natural that each ISP would have its own opinion about the best approach to establishing identity.
"This is part of the effort to bring the best and brightest ideas to the table," he said. "We're very much interested in the DomainKeys proposal from Yahoo. The bottom line is the more the merrier."
E-mail service providers would prefer to have a linked system of identity, along the lines of the confederated model proposed by the E-mail Service Provider Coalition's Project Lumos plan. Such a system would make establishing identity once sufficient, instead of meeting different criteria for each ISP and e-mail receiver.
"It has to come to one solution," said John Matthew, vice president of operations at New York e-mail service provider Bigfoot Interactive. "That's the only way it will work."
Peterson holds little hope for such a neat solution in the near term.
"I think, unfortunately, it's going to be very fragmented," Peterson said. "There will be a multitude of solutions, which will make it complicated for senders for a while. It will still make it better than it is today."
Other ISPs have joined the e-mail identity debate. Last week, a group of 22 ISPs and telecoms comprising 80 million subscribers formed the Messaging Anti-Abuse Working Group. A priority for the coalition is to work on solving the identity problem.
MAAWG has not endorsed an authentication standard. Omar Tellez, a senior director of product development at Openwave, a Redwood City, CA, messaging-software company and a MAAWG organizer, said it would examine each proposal and look to the Internet Engineering Task Force's anti-spam research group for guidance.
"We definitely believe having a whole variety of sender protocols is not the way to go," he said.