Microsoft eyeing merger of two secure e-mail specs

However, implementing that idea would require changes to the SMTP (Simple Mail Transfer Protocol) standard that is the foundation for the e-mail system, and updates to existing mail software packages for every e-mail sender and recipient who want to participate, Levine said.

"SMTP has worked the same way for 20 years. ... If the solution is that we get to change the way SMTP works, there's a long list of other things we'd like to change about it, too," he said.

Wong acknowledges that the change to SMTP will require software changes from organizations that make e-mail software. Those updates would then have to be deployed by mail administrators. However, the transition could happen quickly if the new standard has the backing of large companies like Microsoft and leading ISPs.

Wong said that the two companies recently discussed the merged standard with representatives from leading ISPs at an IETF meeting in San Francisco and met with approval.

"There were a lot of important players in the room and a lot of heads nodding," he said.

Less clear is the fate of a related standard from Yahoo Inc. called DomainKeys.

Yahoo submitted a draft for DomainKeys to the IETF standards body on Monday to begin the standardization process. The Sunnyvale, California, company is one of a number of industry players, including Microsoft, that are proposing technologies that will make it harder for e-mail senders to fake the origin, or "from" address of messages.

DomainKeys works differently than Caller ID and SPF, using encryption to generate a signature based on the e-mail message text that is placed in the message header, said Miles Libbey, antispam program manager at Yahoo.

Levine believes that Yahoo's technology is more secure than Caller ID and SPF, because even if an e-mail message gets forwarded across various e-mail servers, it's signature stays intact, allowing the receiving system to verify its origin.

"By the time we get to future, hopefully all e-mail messages will be (cryptographically) signed, but today nobody is signing e-mails at all," Wong said.

While DomainKeys is a better long-term fix for the spam problem, Caller ID and SPF -- or a merged standard -- have the advantage of being light-weight and easy to implement, while closing many of the technical loopholes exploited by spammers, Levine and Wong said.

"Something is going to change because the pain of spam is excruciating," Levine said. "Doing nothing isn't an option."

REFERENCES:
Competing technologies could shake up e-mail, Mar. 1, 2004
AOL testing new antispam technology, Jan. 22, 2004