Microsoft eyeing merger of two secure e-mail specs

Uncertainty about sender authentication is prompting the move

After submitting its Caller ID e-mail authentication specification to the Internet Engineering Task Force (IETF) earlier this week, Microsoft Corp. is now in detailed discussions to merge the specification with another, called Sender Policy Framework, or SPF.

E-mail experts from the Redmond, Washington, software company will spend the weekend meeting with SPF author Meng Weng Wong of Pobox.com and looking for ways to merge the closely related Caller ID and SPF standards, according to Wong.

"Basically, we're going to take SPF and Caller-ID and do a 'cut and paste,'" Wong said Friday by telephone before boarding a plane to Redmond.

Unveiled by Chairman and Chief Software Architect Bill Gates in March, Caller ID makes it harder to doctor unsolicited commercial, or spam, e-mail so that it appears to come from legitimate Web domains.

With Caller ID, e-mail senders publish the IP (Internet Protocol) address of their outgoing e-mail servers as part of an XML (Extensible Markup Language) format e-mail "policy" in the DNS (Domain Name System) record for their domain. E-mail servers and clients that receive messages can then check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that don't match the source address can be discarded, Microsoft said. DNS is the system that translates numeric IP addresses into readable Internet domain names.

SPF is very similar to Caller ID, and also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF only allows receiving domains to verify the "bounce back" address in an e-mail's envelope, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

The "from" address checked by Caller ID is often a more accurate indicator of the message's origin than the bounce address, said John Levine, a member of the Internet Research Task Force's Anti-Spam Research Group.

Microsoft and Wong have been discussing a merger of the two standards since January 2004 and have been under pressure from leading ISPs (Internet service providers) and other stake holders to reconcile the two, Wong said.

"In the last six months or so, there's been a fair amount of uncertainty (about sender authentication). These are two very similar proposals and do many of the same things. The big players have been telling us 'When you get your story straight, we can go ahead,' but until that happens, people have been waiting to see what happens," he said.

One possibility for the merged standard is that the two parties will agree to add Caller ID's ability to check the message's "from" address, or what is referred to as the Purported Responsible Domain, to SPF. That would allow e-mail domains using the new standard to spot threats such as online cons known as "phishing scams," but also save them from having to download the full message's text to verify its authenticity, which Caller ID requires, Wong said.

"It's an idea that enables a lot of things most people want," Wong said.

However, implementing that idea would require changes to the SMTP (Simple Mail Transfer Protocol) standard that is the foundation for the e-mail system, and updates to existing mail software packages for every e-mail sender and recipient who want to participate, Levine said.

"SMTP has worked the same way for 20 years. ... If the solution is that we get to change the way SMTP works, there's a long list of other things we'd like to change about it, too," he said.

Wong acknowledges that the change to SMTP will require software changes from organizations that make e-mail software. Those updates would then have to be deployed by mail administrators. However, the transition could happen quickly if the new standard has the backing of large companies like Microsoft and leading ISPs.

Wong said that the two companies recently discussed the merged standard with representatives from leading ISPs at an IETF meeting in San Francisco and met with approval.

"There were a lot of important players in the room and a lot of heads nodding," he said.

Less clear is the fate of a related standard from Yahoo Inc. called DomainKeys.

Yahoo submitted a draft for DomainKeys to the IETF standards body on Monday to begin the standardization process. The Sunnyvale, California, company is one of a number of industry players, including Microsoft, that are proposing technologies that will make it harder for e-mail senders to fake the origin, or "from" address of messages.

DomainKeys works differently than Caller ID and SPF, using encryption to generate a signature based on the e-mail message text that is placed in the message header, said Miles Libbey, antispam program manager at Yahoo.

Levine believes that Yahoo's technology is more secure than Caller ID and SPF, because even if an e-mail message gets forwarded across various e-mail servers, it's signature stays intact, allowing the receiving system to verify its origin.

"By the time we get to future, hopefully all e-mail messages will be (cryptographically) signed, but today nobody is signing e-mails at all," Wong said.

While DomainKeys is a better long-term fix for the spam problem, Caller ID and SPF -- or a merged standard -- have the advantage of being light-weight and easy to implement, while closing many of the technical loopholes exploited by spammers, Levine and Wong said.

"Something is going to change because the pain of spam is excruciating," Levine said. "Doing nothing isn't an option."

REFERENCES:
Competing technologies could shake up e-mail, Mar. 1, 2004
AOL testing new antispam technology, Jan. 22, 2004

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies