ISP (Internet service provider) Earthlink Inc. will soon begin testing new e-mail security technology, including Microsoft Corp.'s recently released Caller ID technology, a company executive said.
Earthlink will be experimenting "very soon" with "sender authentication" technology, including Caller ID and a similar plan called Sender Policy Framework (SPF). The Atlanta-based ISP will be evaluating other e-mail security proposals as well, but is not backing any specific technology, said Robert Sanders, chief architect at Earthlink.
Plans to secure e-mail by verifying the source of e-mail messages have garnered much attention in recent months, as the volume of unsolicited commercial e-mail, or spam, has swelled and the number of Internet scams has increased.
Spammers and Internet-based criminals often fake, or "spoof," the origin of e-mail messages to trick recipients into opening them and trusting their content. Sender authentication technologies attempt to stop spoofing by matching the source of e-mail messages with a specific user or an approved e-mail server for the Internet domain that the message purports to come from.
So far, Earthlink has stayed out of the sender authentication fray while Web-based e-mail services, including Yahoo Inc. and Hotmail, and major ISP America Online Inc. (AOL), have all backed slightly different sender authentication proposals.
Yahoo is promoting an internally developed technology called DomainKeys, which uses public key cryptography to "sign" e-mail messages. AOL said in January that it is testing SPF for outgoing mail, publishing the IP (Internet protocol) addresses of its e-mail servers in an SPF record in the DNS (Domain Name System). Finally, Microsoft-owned Hotmail is publishing the addresses of its e-mail servers using that company's recently announced Caller ID standard.
Earthlink believes that sender authentication is necessary, and is prepared to support multiple sender authentication standards if necessary. However, the company hopes that one clear winner emerges from the field of competing proposals, Sanders said.
"I don't think it's unlikely that we'll see two or three coexisting proposals go into production. We had hopes that they would be able to merge, but I think at this point each standard adds a different function, and we're unlikely to see a merger," he said.
For now, Caller ID and SPF will probably make it into production first, because neither requires companies to deploy new software to participate in the sender authentication system, he said.
Earthlink is also interested in proposals like Yahoo's DomainKeys, which allows e-mail authors to cryptographically sign messages, enabling recipients to verify both the content of a message and its author. However, DomainKeys is more complicated to deploy than either Caller ID or SPF and requires software changes that will slow implementation, he said.
Earthlink is not backing any proposal but is interested in looking at the results of its trial deployments, and those of other organizations.
"We have to get real world data from people who have deployed SPF or Caller ID," he said.
The company is also a member of the Anti-Spam Technical Alliance, an industry group that includes Microsoft, AOL, Yahoo, Comcast Corp. and British Telecommunications PLC, and continues to participate in meetings and initiatives through that organization, he said.
Microsoft's backing of Caller ID and its plans to use that technology for Hotmail tip the scales in favor of that technology, he said.
"One factor that determines what you, as an e-mail sender, deploy is the important question of 'Who am I sending mail to?' What the larger (e-mail) receivers deploy is what you're going to support," he said.