Feeds

Sender authentication is coming

A cure for spam? Sadly not

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Sender authentication will almost certainly become a de facto standard part of the Internet's email infrastructure over the next few years, but it will not stop the spam problem by itself.

Microsoft, in a refreshing break from its usual standards strategy, has merged its Caller ID For Email specification with that of a competing independent project, Sender Policy Framework. The merged spec, now called Sender ID, is going through the Internet Engineering Task Force and is already gaining significant support.

SPF is already supported by tens of thousands of email servers, and Sender ID will be backwards compatible. Some companies are deploying SPF now with that in mind. Some of the biggest email providers in the world, namely AOL, Microsoft, and Yahoo are promoting Sender ID, along with Comcast and EarthLink in the US, and BT in the UK. Sendmail is adding support to its mail transfer agents.

Sender ID is expected to be relatively simple to deploy, requiring little ongoing maintenance. In essence, all you need to do is publish the IP addresses of approved outgoing email MTAs in your domain name records. When your users send email, the recipient can make sure the mail is coming from authorized IP addresses by checking the DNS for the domain in the "From:" field.

The spec is designed to mitigate the problem that a good 95 per cent of spam, not to mention joe-jobs (spam forged to appear as though it came from an innocent party) and email worms, use spoofed From: information to hide their source. Fortunately, it's a lot harder to spoof source IP addresses, although it is possible. Experts point out that if hackers gain the ability to forge IP addresses on a large scale, we'll have bigger problems to worry about than spam.

Sender ID won't solve the spam problem. At first nobody will make an accept/deny filtering decision based purely on the fact that the sender is authenticated, but they will likely use it as a heavily weighted factor to consider during a spam scoring operation.

There are also many legitimate reasons why a good email may originate from an IP address outside the authorized range, mainly to do with remote and traveling workers and mobile devices. It should also be considered that spammers will very probably start to publish their own Sender ID records, meaning the authentication will be pointless. There's also the problem that a compromised MTA could be used to send spam.

While Sender ID will not be a cure-all for spam or worms, it will probably do a good job of reducing the number of phishing attacks. The rate of adoption and support being seen in the industry means it will soon no longer be a question of if it will become the norm, but when.

Source: ComputerWire/Datamonitor

Related stories

Anti-phishing group backs email authentication
Chairman Bill's magic spam cure - a revenue opportunity?
We'll kill spam in two years - Gates

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.