AOL has backed away from introducing anti-spam Sender ID technology after a key component was rejected by the IETF because of patent concerns.
AOL said in August that this month it would add SPF (Sender Policy Framework) to screen incoming e-mail. It already used the technology for outgoing email. However, it has now confirmed that it will not be using Sender ID, which comprises SPF and Microsoft's Caller ID, because of concerns by a standard body that Microsoft was not making known pending patents on the technology.
"AOL will now not be moving forward with full deployment of the Sender ID protocol," spokesman Nicholas Graham said. Instead, the ISP will support only the sender policy framework (SPF) to fight spam by verifying the source of e-mail sent to its users. It will use the technology for outgoing e-mail but, crucially, will not apply it for incoming mail, the company said.
The giant's rejection comes a week after an IETF group considering Sender ID as a standard said the proposal needed rewriting. Earlier this month, open-source groups the Apache Software Foundation and the Debian Project dismissed Sender ID because the licence would prevent them from supporting the technology.
AOL is concerned about the lack of acceptance for Sender ID in the open-source community, Graham said. Additionally, the ISP is afraid that recent changes to Sender ID will make it incompatible with the original SPF specification, he said. AOL had endorsed Sender ID when it was submitted to the IETF in June.
While AOL's decision could be seen as another setback for Sender ID, Microsoft said AOL's action is fully in line with the Sender ID proposal, which is being revised.
Support for SPF essentially equals support for Sender ID, said Microsoft spokesman Sean Sundwall. "AOL's decision to conduct just the SPF check reflects exactly the flexibility provided by the Sender ID proposal. Sender ID is still alive and there are two ways to do the checking," he said.
Sender ID combines SPF, developed by Meng Weng Wong of Pobox.com, and the Microsoft-developed Caller ID specification. In May, Microsoft and Meng agreed to merge their proposals and submitted it to the IETF a month later.
The Sender ID proposal to the IETF is being rewritten to allow flexibility on which checking method is used, either the SPF method or a check for the Purported Responsible Address, which was first published as part of Microsoft's original Caller ID plan, Sundwall said. "AOL's news is much ado about nothing," he said.
Microsoft and Wong propose Sender ID as a standard for e-mail authentication, designed to prevent faking of e-mail addresses and the origin of an e-mail message. Criminals have used the ability to forge the origin of an e-mail, for example, in schemes to send e-mail that looks like it is from a bank and tricks users into giving up personal information.
With SPF, organisations publish a list of their approved outgoing e-mail servers, called an SPF record, in the DNS. That SPF record is then used to verify the source of e-mail messages sent to other Internet domains. Microsoft's Caller ID works in a similar way.
AOL said it is also looking at Domain Keys, a technology developed by rival Yahoo, for possible use in tandem with SPF. With Domain Keys each e-mail gets a digital signature to verify its source.