Major ISPs Look To Sender Authentication To Block Spam

An alliance including Microsoft, America Online, Yahoo and Earthlink on Tuesday endorsed sender authentication as part of an array of best practices for fighting spam. "Really, what this is about is taking the anonymity out of e-mail," said Ken Hickman, senior director for mail platforms at Yahoo.

The vendors in the Anti-Spam Technical Alliance said sender authentication can go a long way to help stop so-called "zombies," which are major sources of spam. "Zombies" are computers that have been taken over by hackers and used to send spam without the owners' knowledge. Frequently, the takeover happens when the computers are infected by viruses and worms.

AOL found in a recent study of its own mail traffic that zombies were responsible for 89 percent of spam it received, said Carl Hutzler, director of anti-spam operations for AOL. Likewise, Yahoo is finding that 40 percent of spam comes from zombie machines.

Spammers also have other means of taking over other people's computers, such as hijacking mis-configured web proxies and e-mail relay servers.

These attacks succeed in part because e-mail recipients now have no reliable means of authenticating the sender of a message. In other words, the recipient can't verify that the sender of a message is who he claims to be.As a means of solving that problem, the alliance endorsed two leading technologies for sender authentication:

- IP authentication, where the receiver authenticates the sending computer using the sender's IP address. A leading example of IP authentication is Sender ID, which is championed by Microsoft. Sender ID is a merger of two other IP authentication technologies: Microsoft's own Caller ID for E-mail, and Sender Policy Framework (SPF), authored by Meng Wong, co-founder and CTO of Pobox.com.

- Cryptographic authentication of the contents of a message. The leading example of cryptographic authentication is DomainKeys from Yahoo.

The companies said they will conduct tests of the technologies for the remainder of the year, and make hard recommendations by year's end as to how the technology should be adopted by themselves and other e-mail providers.

Microsoft said it plans to start testing IP authentication on incoming mail by the end of the summer. Microsoft will run the test using its own Sender ID technology. The company plans to submit the specifications for Sender ID to the Internet Engineering Task Force (IETF) for approval as a multi-vendor standard, within a couple of weeks. Microsoft hopes to implement content signing by the end of the year.EarthLink is now publishing Microsoft Caller ID and SPF records, and will test content signing by the end of the year.

The alliance members said sender authentication would be only one tool used to fight spam. Third-party lists of reputable e-mail senders would also be necessary.

"Identity is the first step. Once we have identity, we can layer in reputation and accreditation systems. That's where the user will see a reduction in spam," said Stephen Currie, director of product management for Earthlink.

Once the true identity of an e-mail sender can be determined, it would then be checked against lists that measure the reputations of e-mail senders. If the sender of a particular piece of e-mail doesn't have a good reputation, the recipient would have the option of blocking the message.

Sender authentication could also be used to block forged, or "spoofed" headers, where the "From:" address of an e-mail is altered to make it appear to come from an address different from the actual origin. About 50 percent of the mail received at Microsoft is forged, said Ryan Hamlin, general manager of Microsoft's Anti-Spam Technology and Strategy Group.The alliance also released recommendations for best practices for stopping spam.

The recommendations are designed for Internet service providers, e-mail service providers and large senders of e-mail including governments, private companies and online marketing organizations. The recommendations are designed to eliminate domain spoofing by implementing sender authentication technologies, and also to help prevent ISPs and customers from being sources of spam.

"We will consider this a big win if postmasters all over the world show this to their management and say, 'Hey, these guys have figured out what the best practices should be for being a good neighbor, and we need to start implementing them,'" Hickman said.

The recommendations are available from the web sites of the members: Microsoft, AOL, Earth link, and Yahoo.

The report recommends that consumer PCs infected with spam-sending viruses should be cut off from their Internet connections. American Online is already following that practice.AOL has developed technology to find machines on other ISPs' networks and impose rate limits on those PCs even when the other ISPs can't, said Hutzler.

Microsoft looks for abnormal mail sending patterns. "Before, a user might have been sending out limited numbers of mail and it was good mail. Now, they are sending out a high volume of mail, and a lot of it is coming back with spam complaints," Hamlin said.

Among the practices recommended by the group:

- Block or limit the use of Port 25, the port used for sending e-mail. - Implement rate limits on outbound e-mail traffic. - Close open relays and proxies, which can be hijacked to send spam. - Detect compromised zombie computers. - Educate users to increase use of existing tools. - Develop effective complaint reporting systems.

The group also had recommendations for legitimate bulk e-mailers, including:- Don't harvest e-mail addresses without the owners' affirmative consent. - Always provide clear instructions on how to unsubscribe or opt out of receiving e-mail. - Avoid using forged headers.

And consumers are advised to install firewalls and anti-virus software, and use spam filtering technologies.