4 Rivals Almost United on Ways to Fight Spam
By SAUL HANSELL
large Internet service providers agreed yesterday to a partial truce in
their battle with one another over potential technology to stop junk
e-mail in hopes that they can devote their united energy to fighting
More than a year ago the four providers - America Online, Yahoo, EarthLink and Microsoft
- said that they would work together to create technical standards that
could verify the identity of the sender of an e-mail message.
spam, and nearly all of the messages in the rapidly growing
identity-theft fraud known as phishing, is done with a fake return
address. Many experts suggest that a system that could identify and
discard such falsely addressed messages is one of the most potent
possible weapons against spam.
"The biggest thing we can do to
reduce spam is sender authentication," said Brian Sullivan, the senior
director for mail operations at America Online.
Internet providers have supported different technical approaches. Last
month, Microsoft agreed to merge its proposal, called Caller ID, with
another, called Sender Policy Framework, or S.P.F., backed by America
Online and EarthLink. The new name of the combined standard is Sender
Yahoo had continued to support a very different approach,
called Domain Keys, that is more technically powerful but would take
longer to carry out.
In an announcement yesterday, the two remaining camps agreed to give limited support to test each other's technology.
the last year, we had four gorillas learning how to dance," Mr.
Sullivan said. "Finally we can work from the same choreography."
Meng Wong, the author of the S.P.F. protocol, praised the agreement.
good news because we now have a road map," he said. "We can proceed
with S.P.F. and Sender ID now and with Domain Keys as a second wave."
proponents said the two approaches had the potential to be
complementary. The Internet provider that sends an e-mail message can
use both methods at the same time to vouch for the veracity of the
sender's address. And the provider that receives a message can also
look to either approach to help determine whether a message should be
discarded as spam.
America Online and EarthLink said yesterday
that they would use Domain Keys by the end of the year. And Yahoo said
it would probably start using both Domain Keys and Sender ID by the end
of the year. Microsoft did not commit itself to using Domain Keys,
saying it was still evaluating it and some other related approaches,
like one recently proposed by Cisco.
the talk of tests, S.P.F. and the new Sender ID proposal appear to have
momentum in being adopted by major players. America Online and
EarthLink already use S.P.F. to verify their outgoing e-mail. And
Microsoft has said it will soon use the Sender ID system.
more important, America Online has said that by the end of the summer
it will look to see whether messages it receives are verified by S.P.F.
and that high-volume mailers will have to use it if they want their
messages to be delivered to AOL subscribers. Several large e-mail
senders, including Amazon.com and Google, have already taken the steps necessary to verify their mail using S.P.F.
and Sender ID have gained a following because they are the easiest to
put in effect. They are based on the fact that every computer on the
Internet has a unique identifier, called an Internet Protocol number.
That number is much harder to fake than a return e-mail address.
ID allows an organization, like an Internet provider or a company, to
designate certain I.P. addresses as the computers that are authorized
to send e-mail on its behalf. Any e-mail that pretended to be from that
organization but was not from those designated I.P. numbers would be
The problem with this approach is that there are
legitimate cases of one server's sending e-mail on behalf of another.
For example, online greeting card services often send messages with the
return address of the person who sent the message. That way, if the
recipient of that message replies to it, the response is routed back to
the original sender.
The backers of S.P.F. and Sender ID say
there are ways to work around these problems, but they may require
adjustments to the procedures of some mail senders.
Keys approach tries to verify the actual sender of a message, not the
computer used to send it. The author of an e-mail inserts a short code,
known as a digital signature, into the header of each message. The
computer that receives the message can use the signature to verify if
the message was actually created by the sender in the "from" line. This
method could let one computer send mail on behalf of another, as in the
greeting card example. But it requires greater changes to the programs
that send and receive e-mail.
The Internet providers, however,
cautioned that both of these technical approaches are just part of the
solution to the problem. Once Internet recipients can verify who is
sending them mail, they can start to keep track of who sends legitimate
mail and who sends spam.
"I don't think that users will see a
reduction in spam right away," said Robert Sanders, chief architect at
EarthLink. "Identity is just the first step."