Email Authentication Proposals Target Fraud
The battle against spammers, especially those involved in online scams, has been raging for years. Numerous companies have proposed solutions to the problem, but as of yet there has been no consensus.
SenderID was recently approved by the Internet Engineering Steering Group (IESG). The protocol builds on the AOL-supported Sender Policy Framework (SPF) and proves that a sender is who they say they are by matching their claimed domain (@site.com) with the actual one in the DNS record found in every email server.
The effort is an attempt to fix an inherent flaw in the current mail system, Simple Mail Transfer Protocol (SMTP), which has been used since the internet's infancy. Standard SMTP has no way of authenticating the sender. This shortcoming has caused widespread abuse of the system for scams such as phishing -- posing as a legitimate online business in order to steal personal information -- and faking one's email address.
In addition to the original and revised versions of SenderID, Microsoft has proposed other options. One was called No Spam at any (CPU) speed, which makes the computer perform a ten-second computation before sending a letter. This is fine for the casual user, but the number of emails a spammer could send each day would be drastically decreased, from millions to tens of thousands. Another scenario involves the sender paying a tax to the recipient if they don't seem trustworthy.
Microsoft claims in the above article that incorporating SenderID into a current email server is simple, but many people disagree. Among issues raised are the possibility of incorrectly-published records, a lack of feedback on whether the configuration was done correctly, and email systems which are spread out geographically and across partner companies.
Other groups have suggested solutions in lieu of SenderID. Yahoo! and Cisco are backing DomainKeys, which relies on a digital signature to authenticate message senders and will be royalty-free to anyone who wants to use it. Some of the original creators of email's basic technologies have suggested solutions which include the current SMTP over SSL/TLS setting or even rebuilding a new system from the ground up. The latter would prove difficult, though, based on the universal use of SMTP.
Until a solution can be universally accepted and implemented relatively easily, online identity fraud and other abuses of email will continue to plague the world.
SenderID was recently approved by the Internet Engineering Steering Group (IESG). The protocol builds on the AOL-supported Sender Policy Framework (SPF) and proves that a sender is who they say they are by matching their claimed domain (@site.com) with the actual one in the DNS record found in every email server.
The effort is an attempt to fix an inherent flaw in the current mail system, Simple Mail Transfer Protocol (SMTP), which has been used since the internet's infancy. Standard SMTP has no way of authenticating the sender. This shortcoming has caused widespread abuse of the system for scams such as phishing -- posing as a legitimate online business in order to steal personal information -- and faking one's email address.
In addition to the original and revised versions of SenderID, Microsoft has proposed other options. One was called No Spam at any (CPU) speed, which makes the computer perform a ten-second computation before sending a letter. This is fine for the casual user, but the number of emails a spammer could send each day would be drastically decreased, from millions to tens of thousands. Another scenario involves the sender paying a tax to the recipient if they don't seem trustworthy.
Microsoft claims in the above article that incorporating SenderID into a current email server is simple, but many people disagree. Among issues raised are the possibility of incorrectly-published records, a lack of feedback on whether the configuration was done correctly, and email systems which are spread out geographically and across partner companies.
Other groups have suggested solutions in lieu of SenderID. Yahoo! and Cisco are backing DomainKeys, which relies on a digital signature to authenticate message senders and will be royalty-free to anyone who wants to use it. Some of the original creators of email's basic technologies have suggested solutions which include the current SMTP over SSL/TLS setting or even rebuilding a new system from the ground up. The latter would prove difficult, though, based on the universal use of SMTP.
Until a solution can be universally accepted and implemented relatively easily, online identity fraud and other abuses of email will continue to plague the world.
posted by Adam Gentry @ 6:56 PM
0 Comments:
Post a Comment
<< Home