4 Rivals Almost United on Ways to Fight Spam
By SAUL HANSELL
Published: June 23, 2004
Four large Internet service providers agreed yesterday to a partial truce in their battle with one another over potential technology to stop junk e-mail in hopes that they can devote their united energy to fighting spam.
More than a year ago the four providers - America Online, Yahoo, EarthLink and Microsoft - said that they would work together to create technical standards that could verify the identity of the sender of an e-mail message.
Most spam, and nearly all of the messages in the rapidly growing identity-theft fraud known as phishing, is done with a fake return address. Many experts suggest that a system that could identify and discard such falsely addressed messages is one of the most potent possible weapons against spam.
"The biggest thing we can do to reduce spam is sender authentication," said Brian Sullivan, the senior director for mail operations at America Online.
But the Internet providers have supported different technical approaches. Last month, Microsoft agreed to merge its proposal, called Caller ID, with another, called Sender Policy Framework, or S.P.F., backed by America Online and EarthLink. The new name of the combined standard is Sender ID.
Yahoo had continued to support a very different approach, called Domain Keys, that is more technically powerful but would take longer to carry out.
In an announcement yesterday, the two remaining camps agreed to give limited support to test each other's technology.
"Over the last year, we had four gorillas learning how to dance," Mr. Sullivan said. "Finally we can work from the same choreography."
Meng Wong, the author of the S.P.F. protocol, praised the agreement.
"It's good news because we now have a road map," he said. "We can proceed with S.P.F. and Sender ID now and with Domain Keys as a second wave."
Indeed, proponents said the two approaches had the potential to be complementary. The Internet provider that sends an e-mail message can use both methods at the same time to vouch for the veracity of the sender's address. And the provider that receives a message can also look to either approach to help determine whether a message should be discarded as spam.
America Online and EarthLink said yesterday that they would use Domain Keys by the end of the year. And Yahoo said it would probably start using both Domain Keys and Sender ID by the end of the year. Microsoft did not commit itself to using Domain Keys, saying it was still evaluating it and some other related approaches, like one recently proposed by Cisco.
Despite the talk of tests, S.P.F. and the new Sender ID proposal appear to have momentum in being adopted by major players. America Online and EarthLink already use S.P.F. to verify their outgoing e-mail. And Microsoft has said it will soon use the Sender ID system.
Perhaps more important, America Online has said that by the end of the summer it will look to see whether messages it receives are verified by S.P.F. and that high-volume mailers will have to use it if they want their messages to be delivered to AOL subscribers. Several large e-mail senders, including Amazon.com and Google, have already taken the steps necessary to verify their mail using S.P.F.
S.P.F. and Sender ID have gained a following because they are the easiest to put in effect. They are based on the fact that every computer on the Internet has a unique identifier, called an Internet Protocol number. That number is much harder to fake than a return e-mail address.
Sender ID allows an organization, like an Internet provider or a company, to designate certain I.P. addresses as the computers that are authorized to send e-mail on its behalf. Any e-mail that pretended to be from that organization but was not from those designated I.P. numbers would be suspect.
The problem with this approach is that there are legitimate cases of one server's sending e-mail on behalf of another. For example, online greeting card services often send messages with the return address of the person who sent the message. That way, if the recipient of that message replies to it, the response is routed back to the original sender.
The backers of S.P.F. and Sender ID say there are ways to work around these problems, but they may require adjustments to the procedures of some mail senders.
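The receiver-side check described above, together with the greeting-card failure case, as an added example that is not part of the original article. The domains, addresses and published records are constructed, only the `ip4`, `ip6` and `all` terms of an S.P.F. record are evaluated, and the third case shows one possible sender-side adjustment (an assumption, not something the article specifies).

```python
import ipaddress

# Constructed sample policies using documentation address ranges. A real
# receiver would fetch the record from the return-address domain's DNS.
POLICIES = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "cards.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(connecting_ip, return_address, policies=POLICIES):
    """Return pass/fail/softfail/neutral, or 'none' if no policy is published."""
    domain = return_address.rsplit("@", 1)[-1].lower()
    record = policies.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term with no prefix means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":  # catch-all: decides every address not matched earlier
            return QUALIFIERS[qualifier]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, include, ...) need DNS lookups; skipped here.
    return "neutral"


def greeting_card_demo():
    """Three deliveries as seen by the receiving provider."""
    return [
        # Alice's own provider sends her mail from a designated address.
        check_sender("192.0.2.17", "alice@example.org"),
        # A card service sends on Alice's behalf from its own server but keeps
        # her return address: legitimate mail, yet it fails the check.
        check_sender("203.0.113.9", "alice@example.org"),
        # Assumed adjustment: the service uses its own domain as return address.
        check_sender("203.0.113.9", "greetings@cards.example"),
    ]
```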
The Domain Keys approach tries to verify the actual sender of a message, not the computer used to send it. The author of an e-mail inserts a short code, known as a digital signature, into the header of each message. The computer that receives the message can use the signature to verify if the message was actually created by the sender in the "from" line. This method could let one computer send mail on behalf of another, as in the greeting card example. But it requires greater changes to the programs that send and receive e-mail.
The Internet providers, however, cautioned that both of these technical approaches are just part of the solution to the problem. Once Internet recipients can verify who is sending them mail, they can start to keep track of who sends legitimate mail and who sends spam.
"I don't think that users will see a reduction in spam right away," said Robert Sanders, chief architect at EarthLink. "Identity is just the first step."