Even with Microsoft lending its clout to an expanding anti-spam movement centred on authenticating e-mail senders, experts caution the approach comes laden with technical challenges and unanswered questions.
The software giant last week published its Caller ID for E-mail specification, which lays out how to thwart the spoofing of e-mail addresses, a popular spammer trick. The specification, which Microsoft hopes will become a standard, is the first piece of the company's long-term spam-fighting strategy called the Coordinated Spam Reduction Initiative (CSRI), which also was introduced last week at the annual RSA Conference in San Francisco.
Caller ID is one of several IP-based proposals addressing sender authentication, including efforts such as the Sender Policy Framework (SPF) launched by anti-spam researcher Meng Weng Wong, and the Lightweight MTI Authentication Protocol (LMAP) under development at the IETF.
The unifying premise of these efforts is simple: Authenticate the sender of an e-mail using DNS as a way to thwart spammers. Spam-filtering providers such as Brightmail and Postini use proprietary technology to authenticate senders. Yahoo has developed an authentication scheme using digital signatures called DomainKeys.
But deploying a standard mechanism for the Internet is not without potential problems. These challenges include the potential for hits on network performance associated with checking every e-mail and the need for almost universal adoption. There are also technical challenges related to modifications to mail headers and DNS, the Internet's database that routes e-mail and locates Web pages.
"It makes sense; it's the right way to think about using DNS," says Paul Mockapetris, who created DNS 20 years ago and is now the chief scientist and chairman of IP address-management software vendor Nominum. Technologies such as radio frequency identification (RFID) and Enum, the international electronic numbering domain system, also use DNS for similar look-ups.
"One thing is ominous, however," says Mockapetris, who has been touting DNS as a building block for these new technologies. "More people are putting more things in DNS and it increases the chances people will try to screw with you by corrupting your DNS server." He says that makes DNS Security, which has been a work in progress at the IETF for 10 years, that much more critical.
To underscore the challenges presented in creating a standard for authentication of e-mail senders, the IETF had no luck with six other specifications that addressed the issue. But interest is high, with more than 8,000 companies testing or having implemented SPF alone, including AltaVista, Amazon.com, AOL, Google, SAP and Sendmail. "We've just started testing SPF, we're in an experimental phase and we're only using it on outbound e-mail," says AOL spokesman Nicholas Graham. "We're aware of Microsoft's Caller ID proposal and welcome it."
Sendmail and Amazon.com are also backing Caller ID. Sendmail plans to add support to its open source and commercial message transfer agents and Amazon.com plans to add it to its messaging servers. Microsoft added support for Caller ID in its Hotmail e-mail service last week and plans to support an enterprise implementation as part of a new Simple Mail Transfer Protocol gateway set for beta testing in May.
Microsoft's Caller ID specification, like SPF, works by having companies register the IP addresses of their outgoing e-mail servers in DNS. Currently, only the e-mail servers that accept incoming mail are registered in DNS. With Caller ID, a recipient's e-mail system would verify through DNS if the IP address used in the e-mail header of a message corresponds with an authorised server in the domain used in the sender's message.
However, using DNS requires companies to rewrite TXT files within their DNS servers to carry the XML-based Caller ID lists of outgoing e-mail servers. Some observers debate whether the verbose nature of XML will cause problems for DNS. There are also performance and scalability issues with Caller ID because each e-mail has to be opened by the receiving e-mail system so the header can be read. The issue is unique to Caller ID because SPF reads only the e-mail address in the message and doesn't require opening the message or even downloading it.
Ron Moritz, chief security strategist at Computer Associates, says widespread use of DNS look-up would likely create additional CPU processing demands on mail servers. "Mail is store and forward and any process that changes this, changes the SMTP standard," he says. "Anything that disrupts the flow of mail could be a challenge."
In addition to other DNS concerns, users would have to be aware of the "time-to-live" settings on locally-cached DNS records, which could complicate the addition, or removal of, mail servers from the network.
Other technical issues revolve around how mail is delivered, especially services that forward e-mail, such as Pobox.com, where SPF co-author Wong is president and CTO. Forwarding services would have to support mechanisms for adding the original sender's IP address in the message header. There are similar issues for mobile users, mailing lists, Web mail and outsourced mail. "[Caller ID] would require a lot of changes. But it would work for spam," says David Houser, security architect at Nationwide Mutual Life Insurance Company in Columbus, Ohio.
"The deployment issues don't seem huge. The big issue will be developing critical mass and that is a political issue," says Rand Wacker, director of product strategy and planning for Sendmail, which develops open source and commercial message transfer agents that handle almost 75% of all e-mail traffic. Others say the time it will take to reach that mass could greatly deter adoption. "Spam is an issue today and there is good filtering available today," says Andrew Lochart, director of product marketing for Postini. "Caller ID sounds good until you look at the fine print, and then people ask how long will this take to deploy."
Still others think Microsoft's plan lacks innovation and reveals ulterior motives.
"What Microsoft is doing is nothing revolutionary," says James Kobielus, analyst with Burton Group. "It's reverse DNS checking. Everybody does it." He says Microsoft is playing catch-up but now wants to sell [messaging] products to the ISPs by having a stronger anti-spam product that contains anti-spoofing features.