March 06, 2006
Three Ways To Authenticate E-Mail And Stop Spam
|By Christopher T. Beers, Network Computing
Page 1 of 2
As long as there's an Internet and people who see it as an opportunity to make money--or mischief--there will be spam. The main challenge for businesses is finding the best way to control the unrelenting onslaught of unwanted E-mails.
The most widely used method of blocking insidious E-mail is spam-filtering software, yet none of the filters works with 100% accuracy. But by combining E-mail sender-authentication technologies with filtering software, businesses stand a better chance of stopping spam.
There's a variety of approaches to sender authentication, but the leading ones are Sender Policy Framework, Sender ID, and Domain Keys Identified Mail. Each one requires a willing community to make it work, and the Internet Engineering Task Force, an international standards organization, also is reviewing each of them.
Check Out The Sender
A spam filter is no match for these unwanted messages.
Spammers usually want to disguise their identities and do that by using fake "from" addresses, or routing their messages not from their own machines but through unsuspecting servers or PCs hooked to the public Internet, or they combine the two methods.
Sender Policy Framework records are specially crafted Domain Name System text records that work by letting your E-mail servers share information with other E-mail servers on the Internet. SPF records are being published by E-mail providers including America Online, Hotmail, and RoadRunner, as well as large companies such as Bank of America, eBay, and Ticketmaster.
When an E-mail message comes in, SPF validates that the envelope sender, the "from" address in the Simple Mail Transfer Protocol, is indeed allowed to distribute E-mail from the sending server. AOL's outbound mail servers, for example, should never be sending messages with Hotmail envelope sender addresses. On the receiving end, an SPF-enabled E-mail server looks up the SPF record for Hotmail and determines that the sending AOL server isn't allowed to send E-mail on its behalf. The SPF record also contains a confidence-level assessment that helps the receiving E-mail system determine authenticity. With this information, the receiving E-mail system can take appropriate action.
Many E-mail security, anti-spam, and message transfer agent applications support SPF, but some tweaks are required to get SPF working. Twenty-five percent to 30% of all E-mail domains publish SPF records, according to Forrester Research, making it the most widely adopted sender-authentication technique.
The approach does have its limitations. The biggest is that SPF doesn't stop enough phishing E-mail because it's checking the envelope return address and not the "from" address that users see in their E-mail clients. This is by design; spammers could bypass SPF with phishing attacks using the correct envelope return address and outbound E-mail servers but trick users with fake content and "from" addresses seen in their mail clients.