February 24, 2004

Sendmail working on sender authentication in war on spam

Author: Jackie Lightfield

UPDATED Sendmail, Inc., which claims that more than 60 percent of the world's email
traffic runs on its messaging servers, announced Monday
that it is developing and promoting sender authentication technologies
that are designed to prevent email address spoofing, forging, and email
fraud. The open source technology will follow Sendmail's milter (mail filter) plug-in
framework.

Sendmail plans to test many mainstream sender authentication schemes in
order to figure out which ones, or which combinations, are effective at
reducing or eliminating unwanted email messages. Once a set of
effective schemes is identified, Sendmail plans to release plug-ins for
both the open source sendmail Mail Transfer Agent (MTA) and Sendmail's
commercial email message products.

The testing is currently taking
place and will continue through Q2 2004, with an expected
release of the open source plug-ins sometime in Q3.

"Our approach is that these schemes
will remain invisible to the end user," Sendmail's Todd
Blaschka said. "There is no 'winner take all' from
the OS or applications perspective as to what scheme becomes dominant."

To that end, one of the first schemes receiving Sendmail's attention is
DomainKeys,
which Yahoo! announced late last year as a way to combat spoofed email.
The DomainKey scheme uses public/private key cryptography as its
authentication method. DomainKeys digitally signs an outgoing email
message with a private key. The system receiving the message uses
public key data to validate the message and allow it through.

Sendmail plans to test the Yahoo! DomainKeys scheme with a variety of
open standards in efforts to help a more rapid adoption across the
Internet in through the second quarter. Sendmail is
uncertain about how the release schedule will look, but the plan is to
release an open source package that will enable other email systems to
generate and validate the DomainKeys authentication information -- as
well as the other schemes -- when Sendmail has determined they are
effective and ready for release.

Another scheme available for testing -- but which Sendmail says they are not currently testing -- is Sender Policy
Framework
(SPF), an extension to the SMTP standard that requires MX
records to add SPF protocol information which checks DNS to see if the
originating IP address on the message comes from the originating
domain. This sender authentication scheme provides a way for MTAs to
verify that an email message came from where it claims to have come
from before moving it to users' inboxes.

On Tuesday, Sendmail announced an endorsement of Microsoft's "Caller ID"
technology. Working with the "Caller ID" spec that Microsoft provided,
an open source plug-in will be developed and tested.

The "Caller Id" spec is based on an IP check of the email header
against a published text record in the domain's DNS record. George
Webb, Group Business Manager, Anti-spam Technology and Strategy Team,
explained, "We took one year of development before we released the
spec, working outside of Microsoft and with feedback with other
partners. The whole goal is to solve the spam problem- which requires
teamwork and partnership. Signature based and IP based solutions are
both promising and complementary as part of a long term solution."

The "Caller ID" pilot test includes outbound mail passing through
Microsoft.com, amazon.com and hotmail.com in addition to the testing
with Sendmail. Inbound "Caller ID" tests are scheduled for early
summer. Microsoft declined to reveal whether it will be incorporating
other sender authentication schemes in its products.

Unrelated to sender authentication, Microsoft plans to deploy its SmartScreen technology to Exchange Server 2003.
Microsoft already uses SmartScreen technology in its Outlook email
client and on its Hotmail and MSN services. SmartScreen algorithms
identify email messages and filter them before they reach users'
inboxes.

"Anything done to fight spam is a good thing," said Mark Levitt, VP
for collaborative computing at IDC. "Winning the war on spam will take
many players on many different levels cooperating with service
providers and users. There is no wrong way to fight spam, and it will
take a coordinated effort -- the challenge being to take the money out of
spam and make it harder to do business as spammers."

Sender authentication will not solve the spam problem alone, conceded
Levitt, "but it?s a welcome sharing of technology that is a good step
to dedicate product strategies toward fighting spam instead of
commercializing products."

Click Here!