AOL and Yahoo will add unfinished anti-spam technology to its servers in the next few months, both companies have announced.
From next month, AOL will verify the source of incoming e-mail using SPF. And by the end of the year, Yahoo will have added its own DomainKeys authentication technology to all e-mail coming out of the company's mail servers.
The decisions are part of an industry-wide push to cut down on spam and online scams by improving the ability of ISPs to check the source of e-mail messages. In the past year, spam and phishing scams have become such a menace that some over-enthusiastic observers have even predicted the death of e-mail.
A variety of protocols and technologies have been put forward to tackle the problem and are currently being considered by the IETF as standards. Currently leading the way is Sender ID, which combines Microsoft's Caller ID technology with SPF (Sender Policy Framework) - an authentication technique designed by Meng Weng Wong. If adopted, Sender ID could provide a way to close loopholes in the current system for sending and receiving e-mail that allow senders (spammers) to spoof a message's origin.
In the meantime, however, impatient companies have started adding various anti-spam technologies to help deal with the flood of rubbish electronic communication they have to deal with.
AOL has been testing SPF since January, publishing SPF records that identify AOL's outgoing e-mail servers in the DNS. However, the ISP has not yet used SPF to screen incoming e-mail. It will begin checking whether the purported responsible address, or PRA, of the e-mail server sending mail matches one of the servers listed in the SPF record for that Internet domain. Tens of thousands of e-mail domains have published SPF records. AOL will use SPF to help it determine which messages are legitimate, rather than using it as a criteria to reject e-mail, it said.
Microsoft announced in July that it will follow the same approach from October this year. Messages that fail the SPF check will not be rejected, but will be further scrutinised and filtered, said Craig Spiezle, director of Microsoft's safety technology and strategy group.
Yahoo is looking to put its thumbprint on outbound, rather than inbound, messages. It will roll out its DomainKeys technology by the end of the year, digitally signing all e-mail messages sent from its servers, said Miles Libbey, anti-spam product manager.
DomainKeys use PKI to create a unique signature for each e-mail message based on the content of the e-mail message. When e-mail servers receive DomainKeys signed messages, they use a public encryption key published by the company in the DNS record for the sending domain and the contents of the message to verify the source of the e-mail, he said.
All these efforts are a sign of the increased urgency with which e-mail and Internet service providers are treating the spam problem. "The world of e-mail is in a lot of hurt," said Greg Olson, chairman of e-mail technology company Sendmail. "It's in trouble and there's a sense of urgency we haven't seen."
Pushing technologies like Sender ID and DomainKeys into service before their official adoption is a way to safely work out problems the technologies may cause when widely deployed, Libbey said. "All these solutions are reasonably early in the life cycle. There's a lot of inter-operability testing that has to happen. Implementing DomainKeys on Yahoo will give us real-world data on how it works," he said.
"It's an iterative process," said Microsoft's Spiezle. "We have to try something. The spammers are outsmarting us and the more we delay, the more time they have to figure out what to do."