Sender ID's fading message
By Joris Evers
http://news.com.com/Sender+IDs+fading+message/2100-7355_3-5824234.html
Story last modified Tue Aug 09 04:00:00 PDT 2005
At the start of last year, Bill Gates told the world's elite at an annual
conference in Davos, Switzerland, that the problem of spam would be solved
in two years.
But if the Microsoft chairman was betting on Sender ID to play a major role
in achieving that goal, it looks like a losing bet.
The Microsoft-backed protocol to identify e-mail senders aims to stem spam
and phishing by making it harder for senders to forge their addresses and by
improving filtering. So far, though, there's been a lack of adoption by
legitimate businesses. Instead, it's been proving popular with a group it's
meant to deter--spammers.
That could spell trouble. Confidence in e-mail is falling, as its abuse for
online scams is growing. If legitimate businesses don't sign up for Sender
ID or similar technologies, that trend could continue and undermine e-mail's
usefulness.
"There is an identity crisis for e-mail right now," said Samantha McManus, a
business strategy manager at Microsoft. "The e-mail infrastructure was built
in a different era, when you actually knew who was sending you e-mail and
you did not have to worry."
Phishing uses spam e-mail with a forged sender name and a link to a
fraudulent Web site in an attempt to trick the victim into giving up
sensitive personal information such as passwords. That fraud scheme and
other cyberthreats are taking a toll on consumer confidence that will
inhibit e-commerce growth in the United States by up to 3 percent in the
next three years, Gartner predicted in June. In the same survey, the
research firm found that more than 80 percent of online consumers in the
United States distrust e-mails from individuals or consumers they don't
know.
Basically, Sender ID checks whether an e-mail that claims to come from a
certain Internet domain (such as "[EMAIL PROTECTED]") really
originates from the e-mail servers associated with that domain
("anybank.com"). The system uses the Domain Name System, or DNS, to make
that determination. Sender Policy Framework (SPF), which merged with
Microsoft's Caller ID for E-mail Technology to become Sender ID, also uses
the same approach.
If adopted widely, an e-mail authentication technology like Sender ID could
help people make sure that a message that claims to be from their bank
actually was sent by the bank. Authentication alone does not stop junk and
spoofed messages, but it can make spam filters more effective, by allowing
filters to rate domains based on the e-mail that is sent, for example.
But the use of authentication technology requires a major change in the
e-mail infrastructure. Any organization that maintains an e-mail
server--that includes companies, schools, Internet service providers and
others--has to publish SPF or Sender ID records, or both, to identify their
mail servers.
That wide-ranging shake-up is just what the e-mail infrastructure needs,
said Meng Wong, the chief technology officer for special projects at e-mail
forwarding company POBox.com and a developer of the original SPF
specification.
"E-mail is broken," he said. "We will need some shocks to the system to fix
it. There is a certain tolerance for breaking things a bit more, as long as
you get it fixed. Kind of like when somebody's shoulder is dislocated, you
know it is going to hurt when you put it back, but at least it is
temporary."
So far, Sender ID and related technologies have not delivered on their
promise. There is a lack of adoption by legitimate e-mail senders. Spammers
have adopted Sender ID and its predecessor SPF, but without adoption by a
critical mass of legitimate e-mail senders, the technology will fail,
experts said. With that failure, one shot at fixing e-mail could be lost.
What's involved?
Microsoft argues that publishing SPF or Sender ID records is simple for
those organizations that want to do it. It usually does not require new
hardware or software. The most arduous part is doing an inventory of mail
servers and the subsequent maintenance of that record, said Samantha
McManus, a business strategy manager at Microsoft.
Large organizations often have complex e-mail systems that are managed by
many people in different geographic locations, according to Gartner. Also,
parts of the company's e-mail or DNS infrastructure may be outsourced,
making the task more complex. At the other end of the scale, many smaller
companies don't have the expertise to publish information on their e-mail
servers in their DNS record, Gartner said.
Also complicating matters are the multiple specifications that exist. There
are several versions of SPF, and there is Sender ID, for example.
Those could be reasons why the technology hasn't proved too popular with
businesses. Gartner analyst Lydia Leong doesn't expect companies to start
picking it up anytime soon. "Adoption will be slow, and many enterprises
will not publish records until 2007," she said.
About 1 million domains currently publish SPF records, Microsoft said.
That's much fewer than the 71.4 million domains that had been registered
worldwide by the end of last year.
There is evidence to suggest that quite a few of the technology's adopters
are senders of junk e-mail. Out of a sample of more than 17.7 million e-mail
messages taken in late June, a little more than 9 percent were from domains
that published an SPF or Sender ID record, according to spam-filtering
company MX Logic. About 84 percent of those authenticated messages were
spam, it found.
"The majority of the adoption has been by rogue senders trying to get some
legitimacy for their messages," said Scott Chasin, the chief technology
officer at Denver-based MX Logic.
For spammers, publishing a valid record means they will pass that part of a
spam check. Earlier this year, Microsoft said its Web-based e-mail service
Hotmail would start flagging e-mail without valid authentication as
potential spam.
"The spammers have more of a motivation to go and do it than most other
people," said Forrester analyst Paul Stamp.
Critical mass
For Sender ID to get picked up more widely, the technology needs to become
easier to adopt and provide a clear benefit to users, analysts and experts
said. "If we don't reach critical mass on the authentication of legitimate
senders, there are going to be dire consequences," said Dave Lewis, vice
president of marketing at Redwood Shores, Calif.-based StrongMail.
Many of the legitimate e-mail senders who have attempted to publish
information on their e-mail servers have made errors, said Dean Drako, the
CEO of Barracuda Networks, a Mountain View, Calif.-based maker of antispam
appliances.
"We're big proponents of SPF, and all our boxes support it," Drako said.
"But we have to recommend to our customers that they do not do any filtering
on it, because there are too many false positives. A significant number of
people who have published their SPF record have done so incorrectly."
Working with e-mail authentication should be made easier for companies,
agreed Lewis of StrongMail. For example, makers of e-mail server software
could include simple wizards that collect the needed information, he
suggested. "Also, notice back should be provided if there is improper
authentication," he said.
Sender ID may not be the perfect solution, Lewis said. "But if we hold out
for the silver bullet, we will see a continued erosion in consumer trust in
e-mail."
The problem goes beyond junk mail that advertises herbal stimulants or
get-rich-quick schemes. Phishing is costing victims real money. An estimated
2.42 million U.S. adults lost money in phishing attacks in the 12-month
period that ended in May, according to Gartner. Total losses amounted to
nearly $929 million, the research firm said. That in turn hurts customers'
relationships with online businesses.
"Where sender authentication is really valuable to enterprises, right now,
is in the area of phishing," Gartner's Leong said.
That is why major e-commerce players such as eBay and banks such as Bank of
America have been among the first to adopt it, Leong said. Those businesses
are among the 36 companies, organizations and individuals who, along with
Microsoft and SPF developer Wong, sent a letter to the Federal Trade
Commission to promote industry collaboration on e-mail authentication.
Standard process
The move was only the latest for Microsoft, which has been pushing for
widespread e-mail authentication since Gates unveiled the predecessor to the
current Sender ID specification in February 2004. But the effort has had its
critics. Some have accused the Redmond, Wash., software giant of trying to
strong-arm the industry into accepting Sender ID, especially given its
warning that Hotmail may treat unauthenticated messages as spam.
Critics have pointed out that Sender ID is not an accepted standard, and
some say it has many shortcomings. Last year, the Internet Engineering Task
Force, a standards-setting body, let a Sender ID working group expire. The
Internet Engineering Steering Group, a division of the IETF, said in June
that it would solicit comments on Sender ID and on SPF as two separate
proposals.
There are technologies that offer an alternative to Sender ID and SPF, such
as Yahoo and Cisco Systems' DomainKeys Identified Mail, which is also making
its way through the standards process. DKIM attaches a digital signature to
outgoing e-mail so that recipients can verify that the message comes from
its claimed source.
The Sender ID and DKIM camps, however, say the technologies are
complimentary, and many of the companies that back Sender ID also support
DKIM.
That flexibility could prove a benefit in the fight against spam and
phishing if Sender ID ends up having to co-exist with rival technologies.
It's also a sign that the software industry is serious in its desire to
crush spam and keep e-mail functioning. At the moment, though, a lack of
enthusiasm and know-how is holding up mass adoption. But for Barracuda
Networks' Drako, it's actually the lack of immediate payback that's keeping
a majority of the legitimate e-mail senders from using the e-mail
authentication technology.
"It won't solve a problem until everybody adopts it," Drako said, echoing
other experts. "If we can get to a place where a significant portion of
e-mail has valid SPF records, then we can start to do things to fight spam
more effectively."
Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.
You are a subscribed member of the infowarrior list. Visit
www.infowarrior.org for list information or to unsubscribe. This message
may be redistributed freely in its entirety. Any and all copyrights
appearing in list messages are maintained by their respective owners.
