Feeds

Sender authentication is coming

A cure for spam? Sadly not

  • alert
  • submit to reddit

Remote control for virtualized desktops

Sender authentication will almost certainly become a de facto standard part of the Internet's email infrastructure over the next few years, but it will not stop the spam problem by itself.

Microsoft, in a refreshing break from its usual standards strategy, has merged its Caller ID For Email specification with that of a competing independent project, Sender Policy Framework. The merged spec, now called Sender ID, is going through the Internet Engineering Task Force and is already gaining significant support.

SPF is already supported by tens of thousands of email servers, and Sender ID will be backwards compatible. Some companies are deploying SPF now with that in mind. Some of the biggest email providers in the world, namely AOL, Microsoft, and Yahoo are promoting Sender ID, along with Comcast and EarthLink in the US, and BT in the UK. Sendmail is adding support to its mail transfer agents.

Sender ID is expected to be relatively simple to deploy, requiring little ongoing maintenance. In essence, all you need to do is publish the IP addresses of approved outgoing email MTAs in your domain name records. When your users send email, the recipient can make sure the mail is coming from authorized IP addresses by checking the DNS for the domain in the "From:" field.

The spec is designed to mitigate the problem that a good 95 per cent of spam, not to mention joe-jobs (spam forged to appear as though it came from an innocent party) and email worms, use spoofed From: information to hide their source. Fortunately, it's a lot harder to spoof source IP addresses, although it is possible. Experts point out that if hackers gain the ability to forge IP addresses on a large scale, we'll have bigger problems to worry about than spam.

Sender ID won't solve the spam problem. At first nobody will make an accept/deny filtering decision based purely on the fact that the sender is authenticated, but they will likely use it as a heavily weighted factor to consider during a spam scoring operation.

There are also many legitimate reasons why a good email may originate from an IP address outside the authorized range, mainly to do with remote and traveling workers and mobile devices. It should also be considered that spammers will very probably start to publish their own Sender ID records, meaning the authentication will be pointless. There's also the problem that a compromised MTA could be used to send spam.

While Sender ID will not be a cure-all for spam or worms, it will probably do a good job of reducing the number of phishing attacks. The rate of adoption and support being seen in the industry means it will soon no longer be a question of if it will become the norm, but when.

Source: ComputerWire/Datamonitor

Related stories

Anti-phishing group backs email authentication
Chairman Bill's magic spam cure - a revenue opportunity?
We'll kill spam in two years - Gates

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.