Whoope bloody doo.

4 Rivals Almost United on Ways to Fight Spam
By SAUL HANSELL

Published: June 23, 2004

Four large Internet service providers agreed yesterday to a partial truce in their battle with one another over potential technology to stop junk e-mail in hopes that they can devote their united energy to fighting spam.

More than a year ago the four providers - America Online, Yahoo, EarthLink and Microsoft - said that they would work together to create technical standards that could verify the identity of the sender of an e-mail message.

Most spam, and nearly all of the messages in the rapidly growing identity-theft fraud known as phishing, is done with a fake return address. Many experts suggest that a system that could identify and discard such falsely addressed messages is one of the most potent possible weapons against spam.

"The biggest thing we can do to reduce spam is sender authentication," said Brian Sullivan, the senior director for mail operations at America Online.

But the Internet providers have supported different technical approaches. Last month, Microsoft agreed to merge its proposal, called Caller ID, with another, called Sender Policy Framework, or S.P.F., backed by America Online and EarthLink. The new name of the combined standard is Sender ID.

Yahoo had continued to support a very different approach, called Domain Keys, that is more technically powerful but would take longer to carry out.

In an announcement yesterday, the two remaining camps agreed to give limited support to test each other's technology.

"Over the last year, we had four gorillas learning how to dance," Mr. Sullivan said. "Finally we can work from the same choreography."

Meng Wong, the author of the S.P.F. protocol, praised the agreement.

"It's good news because we now have a road map," he said. "We can proceed with S.P.F. and Sender ID now and with Domain Keys as a second wave."

Indeed, proponents said the two approaches had the potential to be complementary. The Internet provider that sends an e-mail message can use both methods at the same time to vouch for the veracity of the sender's address. And the provider that receives a message can also look to either approach to help determine whether a message should be discarded as spam.

America Online and EarthLink said yesterday that they would use Domain Keys by the end of the year. And Yahoo said it would probably start using both Domain Keys and Sender ID by the end of the year. Microsoft did not commit itself to using Domain Keys, saying it was still evaluating it and some other related approaches, like one recently proposed by Cisco.

Despite the talk of tests, S.P.F. and the new Sender ID proposal appear to have momentum in being adopted by major players. America Online and EarthLink already use S.P.F. to verify their outgoing e-mail. And Microsoft has said it will soon use the Sender ID system.

Perhaps more important, America Online has said that by the end of the summer it will look to see whether messages it receives are verified by S.P.F. and that high-volume mailers will have to use it if they want their messages to be delivered to AOL subscribers. Several large e-mail senders, including Amazon.com and Google, have already taken the steps necessary to verify their mail using S.P.F.

S.P.F. and Sender ID have gained a following because they are the easiest to put in effect. They are based on the fact that every computer on the Internet has a unique identifier, called an Internet Protocol number. That number is much harder to fake than a return e-mail address.

Sender ID allows an organization, like an Internet provider or a company, to designate certain I.P. addresses as the computers that are authorized to send e-mail on its behalf. Any e-mail that pretended to be from that organization but was not from those designated I.P. numbers would be suspect.

The problem with this approach is that there are legitimate cases of one server's sending e-mail on behalf of another. For example, online greeting card services often send messages with the return address of the person who sent the message. That way, if the recipient of that message replies to it, the response is routed back to the original sender.

The backers of S.P.F. and Sender ID say there are ways to work around these problems, but they may require adjustments to the procedures of some mail senders.

The Domain Keys approach tries to verify the actual sender of a message, not the computer used to send it. The author of an e-mail inserts a short code, known as a digital signature, into the header of each message. The computer that receives the message can use the signature to verify if the message was actually created by the sender in the "from" line. This method could let one computer send mail on behalf of another, as in the greeting card example. But it requires greater changes to the programs that send and receive e-mail.

The Internet providers, however, cautioned that both of these technical approaches are just part of the solution to the problem. Once Internet recipients can verify who is sending them mail, they can start to keep track of who sends legitimate mail and who sends spam.

"I don't think that users will see a reduction in spam right away," said Robert Sanders, chief architect at EarthLink. "Identity is just the first step."

Bit thin skinned are we ff? Chill out. Life's too short.

sorry, weathers lousy, i feel the same way.

Freighter fighter, when you consider the vast financial drain upon buisness and other areas due to the incredible amounts of spam mail around, this sounds like a great thing, and not something to belittle....

Tell ya what, you continue to get spam mail by the bucket load - whilst we all live free of it (or in a state of VAST reduction), and then lets hear a "whooppe bloody do" from you as you try to wade through the 100 spam mails you get filling inboxes to overflowing each day.

You may see it as pointless to you, but that is because you cannot see past yourself to the bigger picture that is the rest of the world. One day you may, and then announcements like this may actually mean something to you. Until then i suppose you can get by with only considering yourself

it's about flamin time the big guys did something about spam at source, more or less. it's a plague, ok I don't suffer to badly from it but then i know how to deal with it, but millions don't and the current spam and virus attachment spates we've had have reduced the internet to a fr*ggin nightmare at times. My own ISP has had email servers, ftp etc down for over a week, and they're a big firm. the D.o.S. attacks and the overall incovenience of mailboxes riddled with hundreds of spams every day wastes so much otherwise productive time and effort.

imo people should learn how to block. i've some 500 fake addresses blocked. amazingly it's made a noticeable dent (considering just how many fake ones are out there and still growing). now i can go for 4 days without my message size limit hitting critical.

i havent received one peice of spam for 8-9 days

does this mean that they will finally crush the little insect that is sending me viruses

Since I'm using Yahoo! I've got my e-mail set up where my bulk e-mail doesn't even show up anymore. It gets deleted automatically. And any spam I DO get I mark it as such and I don't get anything from that address anymore. I only one or two spam messages a day now.

"Violence is the supreme authority from which all other authority is derived."

Well it's probably a good thing, but the "Civil Libertarians" will have a field day *shakes head*.

AOL spam update for those who use it. Link This was also on local TV too.