With a simple adjustment in your eMail software, you can pretend to be anyone online. The trick, known as spoofing, is a popular method for spammers to hide their tracks–and for internet predators to conceal their identities. To close that loophole, Microsoft Corp. and Yahoo! Inc. are each developing systems aimed at authenticating senders of eMail, while America Online is testing a third.
“Having eMail come in, and not really being able to identify where it comes from, this is a huge security hole,” Microsoft chairman Bill Gates said last week in announcing specifications for his proposal.
Many software engineers are concerned, however, that these systems could end up causing more problems than they solve.
Microsoft’s proposal, known as Caller ID for eMail, calls for internet service providers to submit lists of unique numeric addresses for their mail servers. On the receiving end, software would check a database to verify that a message said to come from an eMail provider actually originated at one of its registered machines.
In January, AOL began testing a similar system called Sender Policy Framework, or SPF, which checks a different part of the message.
Yahoo’s proposed solution takes yet another approach. It would use encryption to sign messages digitally. If the sender or message content is altered, the signature gets rejected. Yahoo announced its proposal, called DomainKeys, in December but has yet to make details public.
The big three eMail providers are not alone in trying to tackle address spoofing. Leading eMail software vendor Sendmail Inc., spam-filtering company Brightmail Inc., and frequent eMailer Amazon.com are also at it, each planning to test one or more systems.
All these competing proposals are enough to get the internet’s standards-setting bodies in a lather.
One of them, the Internet Engineering Task Force, has scheduled a session on authentication March 4 in South Korea. Experts predict some combination of the techniques will be ready for use later this year, though formal standards will take longer.
There’s much work to be done in the meantime, including proving the systems can actually work beyond controlled, laboratory environments.
Caller ID and SPF, at least, are likely to disrupt mail-forwarding services that colleges and companies offer to let alumni and subscribers route eMail through a domain name other than their own service provider’s.
They also could break “send to a friend” features, in which someone clicks on a web link to pass an interesting item to someone else.
Issues to be worked out for all three systems include how to properly send eMail from cyber cafes, hotels, and public Wi-Fi hotspots and how to preserve privacy when using anonymous re-mailers, which are used by whistleblowers and others to intentionally mask the origin of messages.
“A lot of people have said that eMail today is broken, and now we’re going to break it a little more,” Meng Weng Wong, lead developer of SPF, acknowledged. “Some of the things people are used to doing, they won’t be able to do it in quite the same way.”
But the gain in fighting spam outweighs any pain from change, Wong argued.
Authentication also can help limit the spread of eMail viruses and, with Caller ID and DomainKeys, help flag fraudulent “phishing” messages that try to trick people into revealing passwords and credit card information.
The proposals require no changes to existing protocols for eMail or the domain name system, and developers of all three pledge eventually to seek standards status (Wong has already submitted SPF for review).
For now, the three can coexist, although adoption could be limited until a consensus emerges around one or a combination.
But these solutions alone will not stop spammers, experts say.
Systems will have to be established to evaluate the reputation of domains that relay eMail, and that raises questions about who would develop such lists and who would arbitrate disputes.
In the short term, authentication will be useful mostly for verifying newsletters and other bulk mailings that are often misidentified as spam today, said Margaret Olson, co-chair of the eMail Service Provider Coalition’s technology committee.
Once enough service and software providers adopt the technology, “getting unauthenticated mail delivered will be extremely difficult,” she said.
And that could hurt eMailers in other countries where adoption of English-language specifications tend to lag, and smaller service providers may be forced to accept whatever the giants decide, critics warn.
At EarthLink Inc., which is experimenting with authentication, chief architect Robert Sanders said no service provider wants to suddenly stop eMail from non-participants.
But he likened the technology to telephone’s caller ID: “You may still get a phone call with caller ID, but you may not choose to answer it.”
Internet Engineering Task Force
eMail Service Provider Coalition