
On sentry duty in your in-box

Microsoft says its Sender ID is ready for action. Others say it's still early days for authentication.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Two years after the introduction of a caller ID-like system for e-mail, Microsoft believes it now has the arguments to sway businesses to adopt the spam-fighting technology.

At a Chicago conference on e-mail authentication on Wednesday, Microsoft plans to talk about the success it's having with Sender ID on its own hosted e-mail services, such as Hotmail. The software giant said it will outline how the verification system is benefiting its e-mail subscribers and those who send messages to them.

The proof of concept is key to Microsoft, as it continues its push for authenticated e-mail, which puts the source of messages under more scrutiny than normal. The effort includes using perhaps its greatest weapon: cash. The Redmond, Wash., company is providing funds to e-mail security vendors to promote checking for authentication in inbound messages.

"The overall goal is to restore trust and confidence in e-mail," Craig Spiezle, a director in the technology care and safety group at Microsoft, said in an interview. "We can now clearly articulate the real business value of authenticated e-mail....This is some of the hard data that has been lacking."

Sender ID is a specification for verifying the authenticity of e-mail by checking that the server a message came from is one that the sender's domain has authorized in a published DNS record. The technology is one of several pitched by the industry to help stem the tide of spam and phishing scams by making it harder for senders to forge their addresses and by improving e-mail filters.

On e-mail that uses Sender ID, along with enhanced spam filtering, Microsoft was able to reduce the number of false positives, or e-mail wrongly identified as spam, on Hotmail by up to 80 percent, Spiezle said. In addition, for high volume "good" senders who use Sender ID, Microsoft's analysis showed their false positive rate on average dropped to nearly zero. At the same time, the number of junk messages incorrectly let through declined by more than 85 percent, Spiezle said.

"We're very excited about this," Spiezle said. "It gets back to why should I care, and what's new. We look at this as providing superior business and technical value for the entire e-mail ecosystem--a solution that has effectively no cost, no performance impact to the senders and receivers, and that is providing real results."

As part of its push, Microsoft in late February kicked off a program that offers funding to e-mail security companies to adopt e-mail authentication protocols like Sender ID, Spiezle said. The funds are available to those that provide tools to filter incoming e-mail. CipherTrust and IronPort said they're among the companies that have applied for the money, but neither would disclose actual amounts.

"It is the chicken and the egg: The more people that authenticate inbound, the higher the value is to authenticate outbound, and conversely," Spiezle said.

Results so far
If adopted widely, such e-mail authentication technology could help people make sure that a message that claims to be from their bank actually was sent by the bank. Authentication alone does not stop junk and spoofed messages, but it can make spam filters more effective, by allowing filters to rate domains based on the e-mail that is sent.

However, America Online and eBay, two of the other early adopters of e-mail authentication, haven't yet seen many real results from it, company representatives said. AOL takes in a lot of e-mail for its more than 20 million Internet access subscribers, while eBay is the source of more than 1 billion messages a month.

"I think we're starting to see where it is effective and how it can be effective, but it is still in the early stages," Hani Durzy, an eBay representative, said.

E-mail authentication has been mired in controversy, which has held back adoption. Microsoft's involvement sparked intellectual-property concerns, and the company has been accused of strong-arming the world into adopting Sender ID, even though there's still debate over alternatives and a lack of standards.

"The tide has turned; the dust has settled," Spiezle said, adding that the e-mail authentication scene is much clearer today than a year ago. "The controversy and lack of having hard data has been in a sense some noise for businesses, so they did not even hear the message. Now they want to move forward."

With the Authentication Summit in Chicago, sponsored in part by Microsoft and chaired by Spiezle, the technology industry is reaching out to Fortune 500 businesses to tell them about e-mail authentication. Major airlines, financial institutions and insurance companies are looking for direction and advice, Spiezle said.

Companies with online businesses have been grappling to fight phishing, a prevalent type of online scam through which phishers attempt to steal sensitive information such as usernames, passwords and credit card numbers. The schemes typically combine fraudulent spam e-mail and Web pages that look like legitimate sites.

E-mail ID cheat sheet
Here's the lowdown on the main technologies that are out to clean up e-mail by identifying the source.

Sender ID
Brings together two previous security technologies: Caller ID for E-mail, introduced by Microsoft in February 2004, and SPF, developed by Meng Wong. Sender ID-compliant e-mail requires the sending domain to publish an SPF record in the Domain Name System, listing the machines authorized to send mail for that domain.

SPF
Short for Sender Policy Framework. Both main versions of SPF records comply with Sender ID, but they verify a different "from" address. SPF 1 (records beginning "v=spf1") validates the envelope sender, the address given in the SMTP "MAIL FROM" command, which is typically only read by e-mail systems and can differ from the address a user sees. SPF 2 (records beginning "spf2.0/pra") verifies the Purported Responsible Address, which Sender ID derives from the message headers and which is closer to the "from" name displayed to the user. Industry experts advise companies to publish and use both.

DKIM
Merges Yahoo's DomainKeys with Cisco Systems' Internet Identified Mail. DKIM, or DomainKeys Identified Mail, relies on public key cryptography. It attaches a digital signature to outgoing e-mail so recipients can verify that the message comes from its claimed source.
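The difference between the two scopes in the cheat sheet is easiest to see by running both checks against the same message. The following is an added example, not code from the article, from Microsoft or from the SPF project: a small offline evaluator that handles the ip4, ip6, include and all mechanisms (a, mx, exists and redirect need live DNS and are rejected here), chooses the record for the requested scope, and derives the Purported Responsible Address from the headers in the order Sender ID specifies (Resent-Sender, Resent-From, Sender, From). The domains, DNS records, IP addresses and phishing message are all constructed for the demonstration.

```python
"""Offline SPF / Sender ID scope evaluator (added example, constructed data)."""
import email
import email.utils
import ipaddress

# Constructed TXT records for hypothetical domains. example.com publishes
# both a v=spf1 record (envelope sender scope) and an spf2.0/pra record
# (Purported Responsible Address scope); its bulk mailer is pulled in via include.
DNS_TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.bulkmailer.example -all",
        "spf2.0/pra ip4:192.0.2.10 -all",
    ],
    "_spf.bulkmailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def record_for(domain, scope):
    """Pick the published record for scope 'mfrom' or 'pra'. Sender ID lets a
    receiver fall back to the v=spf1 record when no spf2.0 record names the scope."""
    records = DNS_TXT.get(domain, [])
    for rec in records:
        head = rec.split()[0]
        if head.startswith("spf2.0/") and scope in head[len("spf2.0/"):].split(","):
            return rec
    for rec in records:
        if rec.startswith("v=spf1"):
            return rec
    return None


def check(domain, ip, scope, depth=0):
    """Evaluate the record's mechanisms left to right against the connecting IP."""
    rec = record_for(domain, scope)
    if rec is None:
        return "none"
    if depth > 10:  # include loops are a permanent error, as in the SPF spec
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            if check(term[len("include:"):], ip, scope, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"  # a, mx, exists, redirect: need DNS, unsupported offline
    return "neutral"


def purported_responsible_address(raw_message):
    """PRA: first present header in the order Sender ID defines."""
    msg = email.message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        value = msg.get(header)
        if value:
            return email.utils.parseaddr(value)[1]
    return None


def evaluate(raw_message, mail_from, ip):
    """Run both scopes: envelope sender (SPF 1) and PRA (Sender ID)."""
    envelope_domain = mail_from.rsplit("@", 1)[1]
    pra_domain = purported_responsible_address(raw_message).rsplit("@", 1)[1]
    return {
        "mfrom": check(envelope_domain, ip, "mfrom"),
        "pra": check(pra_domain, ip, "pra"),
        "pra_domain": pra_domain,
    }


# Constructed phish: the envelope sender is the attacker's own domain, but the
# visible From header impersonates example.com.
PHISH = """From: "Example Bank" <alerts@example.com>
To: victim@example.net
Subject: Verify your account

Please confirm your details.
"""

if __name__ == "__main__":
    print(evaluate(PHISH, "bounce@attacker.example", "203.0.113.5"))
    print(check("example.com", "192.0.2.77", "mfrom"), check("example.com", "192.0.2.77", "pra"))
```

Note what the two scopes do with the constructed phish: the envelope-sender check returns "none" because the attacker's domain publishes nothing and is under no obligation to, while the PRA check fails because the impersonated domain's spf2.0/pra record does not list the connecting address. That gap, an envelope domain the phisher controls paired with a forged From header, is why the cheat sheet tells companies to publish both record types. The same code also shows that the two records can legitimately disagree for one domain: 192.0.2.77 passes the broader v=spf1 record but fails the tighter spf2.0/pra one.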

Consumer faith in e-mail is falling, as its abuse for online scams is growing. If businesses don't sign up for Sender ID or similar technologies, that trend could continue and undermine e-mail's usefulness, authentication advocates say.

"E-mail is just getting more and more broken," said Dave Jevans, chairman of the Anti-Phishing Working Group, which includes banks, Internet service providers, law enforcement agencies and technology vendors among its members. "If there is no e-mail authentication, then you have to find some other way to communicate with your customer that is not e-mail."

eBay and its PayPal online payment unit, which are the source of more than a billion transaction-related e-mails a month, are among the biggest phishing targets. If e-mail authentication delivers on its promise, it could be a boon for eBay--but it is not there yet, Durzy said. It identifies the sender of the e-mail, but it does not do much to reassure the recipient about the reputation of the sender, he noted.

The ultimate benefits really are in the future applications of e-mail authentication, agreed Nicholas Graham, an AOL representative. "E-mail authentication has to be combined with accreditation and reputation services for a comprehensive look into the quality of mail coming from any source," he said.

Microsoft is already using such reputation-based filtering, Spiezle said. These systems look at the e-mail sending habits of a particular domain, for example CNET.com, and include that in the decision as to whether messages should be junked.

"In e-mail authentication, Sender ID is your driver's license. We know who you are, but we don't know if you're a good driver," Spiezle said. The reputation score is analogous to a driving record, he added. "If you have a lot of people complain about your mail being spam, you get a negative score."

Authentication technology helps bolster reputation systems by identifying the true source of the e-mail. Previously, assigning a reputation to a domain could be shaky, because the domain could be faked.
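The driver's-license analogy above has a concrete design consequence: a reputation score is only meaningful if the mail it is computed from really came from the domain being scored. The following is an added example, not Microsoft's or any vendor's reputation system, of a ledger that credits volume and complaints to a domain only when the message authenticated for that domain, and otherwise charges them to the connecting IP address. The thresholds and the sample traffic are constructed assumptions.

```python
"""Reputation keyed by authenticated sender (added example, constructed data)."""
from collections import defaultdict


class Reputation:
    def __init__(self, complaint_threshold=0.05, min_history=10):
        # Assumed thresholds: more than 5% complaints is junk; fewer than
        # 10 observations is too little history to judge.
        self.stats = defaultdict(lambda: {"seen": 0, "complaints": 0})
        self.threshold = complaint_threshold
        self.min_history = min_history

    @staticmethod
    def key_for(domain, ip, auth_result):
        # Only an authentication pass binds the message to the claimed domain.
        # Anything else (fail, softfail, none) is scored against the IP, so a
        # spoofer cannot drag down the impersonated domain's record.
        return ("domain", domain) if auth_result == "pass" else ("ip", ip)

    def record(self, domain, ip, auth_result, complained=False):
        entry = self.stats[self.key_for(domain, ip, auth_result)]
        entry["seen"] += 1
        if complained:
            entry["complaints"] += 1

    def score(self, domain, ip, auth_result):
        """Complaint rate for the responsible party, or None without enough history."""
        entry = self.stats.get(self.key_for(domain, ip, auth_result))
        if not entry or entry["seen"] < self.min_history:
            return None
        return entry["complaints"] / entry["seen"]

    def verdict(self, domain, ip, auth_result):
        rate = self.score(domain, ip, auth_result)
        if rate is None:
            return "filter"  # unknown party: fall back to content filtering
        return "junk" if rate > self.threshold else "inbox"


def build_sample_ledger():
    """Constructed traffic: a bank sending authenticated mail from its own
    server, and a phisher forging the same domain from an unrelated address."""
    rep = Reputation()
    for i in range(100):  # 100 genuine messages, 1 complaint
        rep.record("example.com", "192.0.2.10", "pass", complained=(i == 0))
    for i in range(50):  # 50 spoofed messages that fail authentication, 40 complaints
        rep.record("example.com", "203.0.113.5", "fail", complained=(i < 40))
    return rep


if __name__ == "__main__":
    rep = build_sample_ledger()
    print("bank, authenticated:", rep.verdict("example.com", "192.0.2.10", "pass"))
    print("spoofer, same From domain:", rep.verdict("example.com", "203.0.113.5", "fail"))
```

With a ledger keyed on the raw From domain instead, the forty complaints against the spoofed mail would have pushed the bank's own messages into the junk folder; keying on the authenticated identity keeps the bank's score at one percent while the spoofing address accumulates its own bad record.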

'More product, less hype'
Many in the industry are working on reputation technology. That includes Microsoft and e-mail security vendors such as CipherTrust, but also Meng Wong, the developer of the original Sender Policy Framework (SPF) specification, now part of Sender ID. Wong is now chief technology officer for special projects at e-mail forwarding company POBox.com.

Wong divorced himself from the SPF effort after SPF was folded together with Microsoft's Caller ID for E-mail into Sender ID. This time, he's careful to avoid the mistakes made during the authentication effort, he said. "We're going to try to get our act together as an industry before telling the world we're ready: More product, less hype."

With Hotmail, Microsoft has seen a marked increase in the number of e-mails whose sending domain publishes an SPF record. Sender ID requires Internet service providers, companies and other Internet domain holders to publish such records to identify their mail servers. This can be challenging, especially for a large organization that may have systems sending mail in multiple countries, or may hire others to send mail for them, experts said.

In March last year, 19 percent of the e-mails coming into Hotmail came from domains with a valid SPF record. At the end of March this year, 31 percent of messages could be authenticated, Spiezle said. The number of Fortune 500 companies that sent Sender ID-compliant mail has increased from 7 percent in July last year to 20 percent at the end of March, he said.

While the number of Internet domains that publish an SPF record is increasing, the pace of growth is down, Wong said.

"Over the last year or so, things have slowed down a little bit. After the first wave, Microsoft is now trying to get the message out to the rest of the industry," he said.

However, the industry has done "a pitiful job" of attacking the e-mail problem, by submitting competing specifications and not reaching consensus, Forrester Research analyst Jonathan Penn said.

"Will they ever get their act together? If the past is any indication, it's doubtful. No wonder such ridiculous concepts such as everyone paying for e-mail delivery is getting any attention at all," he said, referring to AOL's proposal to use GoodMail's CertifiedEmail, software that requires marketers to pay to make sure their messages get past spam filters.

Before any real success can be reported, authentication needs to be adopted more broadly by e-mail senders and receivers, eBay's Durzy said. As more e-mail providers adopt these services and start authenticating with them, that will make it harder for phishers, he said.

The popularity of authentication is advancing at a reasonable pace, said Michael Osterman, head of Osterman Research, which focuses on Internet messaging. However, mass adoption is a ways out. "If I had to guess, I would say that we're three to four years away from very high penetration rates," he said.

Microsoft expects a jump in adoption in the months after Wednesday's Authentication Summit. About 500 people have registered to attend, including representatives from Allstate Insurance, Accenture, the American Association of Retired Persons, General Mills, Williams Sonoma and Starwood Hotels & Resorts Worldwide, Spiezle said.

Major marketing trade groups are also getting behind e-mail authentication. The Direct Marketing Association, for example, requires its members to adopt the technology.

The time is right to adopt e-mail authentication, industry experts agreed.

"We have had the standards hammered down," said Teney Takahashi, a market analyst with The Radicati Group. "This is the point that we really need to see broader adoption."