Feb 27, 2004 (12:02 PM EST)
Microsoft Pushes Anti-Spam Scheme Using Authentication

Read the Original Article at InformationWeek

Microsoft is suggesting a new tactic in the fight against spam. Execs have proposed a broad industry plan to publish technical details about big companies' E-mail servers, in an attempt to block fake E-mail.

The plan, which Microsoft calls Caller ID for E-mail, is part of a panoply of efforts under way at the company's headquarters, including challenge-response software that could find its way into future versions of E-mail apps, aimed at stemming junk mail that Microsoft says erodes customers' trust in Windows PCs and curbs their Internet use.

"Our goal here is to get rid of spam," chairman Bill Gates said in a keynote address at the RSA Conference, a trade show on computer security and cryptography, this week in San Francisco. Besides causing negative associations with its software for users, Microsoft says, spam dupes some users into downloading malicious software. "This is a huge security hole," Gates said.

Microsoft's proposal sheds light on current thinking about the best way to fight spam. It has published the addresses of its Hotmail E-mail servers--and got Amazon.com Inc. to do the same--as the first step in a plan to check users' incoming E-mail to make sure senders are who they say they are. This summer, Microsoft plans to turn on functionality in Hotmail that compares those addresses with those on incoming E-mail messages to try to verify a sender's identity. Eliminate obviously false messages, the thinking goes, and spam filters will have an easier job.

The company has 140 million active Hotmail users, and millions more PC users rely on its Outlook E-mail program, so anything that makes computers less enjoyable to use--like spam--can have ramifications for Microsoft.

"This is a huge issue for our customers," says George Webb, group business manager for Microsoft's 30-member anti-spam team, which came together about a year ago. "We have a huge customer-satisfaction hurdle to address," Webb says.

Microsoft's technical proposal isn't the only one. In December, Yahoo Inc. started testing technology called DomainKeys, which inserts a digital signature into E-mail, then uses public key cryptography to authenticate the sender. America Online, British Telecom, Comcast, Microsoft, EarthLink, and Yahoo--some of the world's biggest Internet service providers--have formed a group called the Antispam Technology Alliance, and AOL is said to want to use either Microsoft's or Yahoo's technique. Amazon--a big sender of E-mail and a big victim of forged addresses—has gone with Microsoft's plan. Last week, Sendmail Inc., which claims its mail-transfer software is used by 70% of the world's large companies to route messages, said it would put authentication mechanisms based on Caller ID for E-mail into commercial and open-source versions of its products. The company is also testing Yahoo's approach.

"These mechanisms are going to be needed to keep E-mail viable in the next few years," says Eric Allman, Sendmail's chief technology officer and the author of the original Sendmail Internet mail transfer agent in 1981. "Today, it's not standard practice for companies to publish lists of their mail servers," Allman says. "That's what this is all about."

The state of the art in spam blocking is content filtering, which relies on examining E-mail messages' content and their "envelopes"--the information about how and when they were sent--for telltale signs of spam. Content filters use machine-learning algorithms to recognize patterns, then score messages as either legitimate or spam. The problem is there's always the possibility of misclassification, blocking legitimate E-mail. Some consider that a bigger problem now than spam itself.

"Some people claim numbers like 1 in 10,000 false positives" from their filters, Allman says. "I haven't seen that in the real world. I've seen it in the lab. Some filters claim 1 in 100 false positives, which is awful."

To narrow the field of messages that needs to be filtered and improve accuracy, companies have started using "safe lists," or databases of recognized, legitimate senders. But safe lists live in users' E-mail address books, which are vulnerable to viruses that can crawl through those lists, and sometimes turn an infected PC into a spamming zombie.

What the industry seems to have agreed on is the need to authenticate incoming E-mail. If it's authenticated, and the sender's name is on your safe list, the E-mail goes through. Those that get past that defense get filtered for content, with a much lower chance of producing an error, in theory.

According to Microsoft's proposal, big E-mail senders would publish the IP addresses of their E-mail servers in the Domain Name System, the public guide to computers attached to the Net. Then recipients' E-mail software would check whether the domain name that claims to have sent a message matches the IP address of the purported sender. If a spammer sends a message that looks like it came from Amazon, but the sender's IP address doesn't match Amazon's, the message gets rejected. Webb says Microsoft is licensing Caller ID for E-mail "royalty-free, for now," and plans to include the code in its E-mail server and client software.

One open question is how many participants Microsoft needs in Caller ID to make the approach effective. Webb says Microsoft doesn't need 100% adoption from Internet service providers. A small group of ISPs, big E-mail senders like Amazon, and Web sites like Evite that forward lots of E-mail can cover "the majority of senders and receivers."

Another unresolved question is how to protect legitimate businesses that send E-mail marketing pitches. According to a Microsoft initiative called Coordinated Spam Reduction, large companies would be monitored by independent bodies that would issue digital certificates vouching for a sender's ethics.

For small companies, Microsoft proposes computer- and human-solvable puzzles that can be used to distinguish legitimate senders from spammers. If a computer user receives an E-mail from a sender not on a safe list, the recipient's PC would send out a puzzle that the sender or the sender's computer would have to solve. For someone sending just a few messages, the puzzles could be solved quickly. For a spammer sending thousands or millions of messages, the burden would be a disincentive.

"You want to raise the cost to the sender in economic, but not cash-based way," Sendmail's Allman says. "If physical mail were free, they'd be backing up a truck to my door every day, which is essentially what's happening with my electronic in box."