Linux.com

Sendmail plans to test many mainstream sender authentication schemes in order to figure out which ones, or which combinations, are effective at reducing or eliminating unwanted email messages. Once a set of effective schemes is identified, Sendmail plans to release plug-ins for both the open source sendmail Mail Transfer Agent (MTA) and Sendmail's commercial email message products.

The testing is currently taking place and will continue through Q2 2004, with an expected release of the open source plug-ins sometime in Q3.

"Our approach is that these schemes will remain invisible to the end user," Sendmail's Todd Blaschka said. "There is no 'winner take all' from the OS or applications perspective as to what scheme becomes dominant."

To that end, one of the first schemes receiving Sendmail's attention is DomainKeys, which Yahoo! announced late last year as a way to combat spoofed email. The DomainKey scheme uses public/private key cryptography as its authentication method. DomainKeys digitally signs an outgoing email message with a private key. The system receiving the message uses public key data to validate the message and allow it through.

Sendmail plans to test the Yahoo! DomainKeys scheme with a variety of open standards in efforts to help a more rapid adoption across the Internet in through the second quarter. Sendmail is uncertain about how the release schedule will look, but the plan is to release an open source package that will enable other email systems to generate and validate the DomainKeys authentication information -- as well as the other schemes -- when Sendmail has determined they are effective and ready for release.

Another scheme available for testing -- but which Sendmail says they are not currently testing -- is Sender Policy Framework (SPF), an extension to the SMTP standard that requires MX records to add SPF protocol information which checks DNS to see if the originating IP address on the message comes from the originating domain. This sender authentication scheme provides a way for MTAs to verify that an email message came from where it claims to have come from before moving it to users' inboxes.

On Tuesday, Sendmail announced an endorsement of Microsoft's "Caller ID" technology. Working with the "Caller ID" spec that Microsoft provided, an open source plug-in will be developed and tested.

The "Caller Id" spec is based on an IP check of the email header against a published text record in the domain's DNS record. George Webb, Group Business Manager, Anti-spam Technology and Strategy Team, explained, "We took one year of development before we released the spec, working outside of Microsoft and with feedback with other partners. The whole goal is to solve the spam problem- which requires teamwork and partnership. Signature based and IP based solutions are both promising and complementary as part of a long term solution."

The "Caller ID" pilot test includes outbound mail passing through Microsoft.com, amazon.com and hotmail.com in addition to the testing with Sendmail. Inbound "Caller ID" tests are scheduled for early summer. Microsoft declined to reveal whether it will be incorporating other sender authentication schemes in its products.

Unrelated to sender authentication, Microsoft plans to deploy its SmartScreen technology to Exchange Server 2003. Microsoft already uses SmartScreen technology in its Outlook email client and on its Hotmail and MSN services. SmartScreen algorithms identify email messages and filter them before they reach users' inboxes.

"Anything done to fight spam is a good thing," said Mark Levitt, VP for collaborative computing at IDC. "Winning the war on spam will take many players on many different levels cooperating with service providers and users. There is no wrong way to fight spam, and it will take a coordinated effort -- the challenge being to take the money out of spam and make it harder to do business as spammers."

Sender authentication will not solve the spam problem alone, conceded Levitt, "but it?s a welcome sharing of technology that is a good step to dedicate product strategies toward fighting spam instead of commercializing products."

Share    Print    Comments