ECommerceTimes.com

INDUSTRY REPORT
Sender ID Gains Favor for Top E-Mail Security


The Internet industry has been waging a quiet battle for bragging rights to being king of the e-mail security mountain in recent months. Proponents of a new e-mail security standard dubbed Sender ID might soon claim that title.

More than 80 members of the E-mail Service Provider Coalition (ESPC) gathered at the Microsoft (Nasdaq: MSFT) campus on August 12 for a summit on the Sender ID Framework. The Coalition provides e-mail delivery services to more than 250,000 clients in North America. Members of the group voiced strong consensus for authenticated e-mail solutions to the problems of spam, domain spoofing and phishing.

The Internet Engineering Task Force is currently evaluating Sender ID as an industry standard for e-mail authentication, IronPort Systems' senior product manager Craig Sprosts told TechNewsWorld. "The final draft of that proposal is close to adoption," he said.

Microsoft officials said they hosted the Coalition's gathering to look at what Sender ID can do to control unwanted e-mail and to assess the challenges the technology will bring to legitimate users of e-mail.

"The coalition came to Microsoft asking for help in educating their member companies about Sender ID and in enabling ESPC as an organization to support the implementation of Sender ID. It's a collaborative effort," Craig Spiezle, director of industry and partner relations for Microsoft's Safety Technology and Strategy Team, said in a written statement.

Two Competing Methodologies

Microsoft said in a prepared statement released before the meeting that several companies plan to introduce products and services that support Sender ID. Among those listed are IronPort Systems, Cloudmark, DoubleClick (Nasdaq: DCLK), Sendmail, Symantec (Nasdaq: SYMC), Tumbleweed and VeriSign (Nasdaq: VRSN).

In fact, Sender ID is the result of two previous technology proposals. Microsoft had developed a proposal it called Caller ID for E-mail. Lead developer Meng Wong is credited with the Sender Policy Framework (SPF) proposal. A third specification, called the Submitter Optimization, also was merged into the existing Sender ID proposal to become the industry standard.

Web portal Yahoo (Nasdaq: YHOO) is testing its own approach to the secure e-mail solution. Called DomainKeys, the technology creates an encrypted e-mail address signature and then uses DNS to verify it came from Yahoo. Recipient e-mail servers must add software to use DomainKeys.

By comparison, Sender ID is a totally different approach. It authenticates the sender by mapping the domain that sends the e-mail to the sender's IP address, Sprosts explained.

How Sender ID Works

The Sender ID technology requires two levels of authentication before an e-mail message is delivered. For step one, the message originator must declare its identity and be registered on a list that confirms the IP address of the sender.

"About 15,000 senders so far have published the list of who is authorized to send mail to their domains," Sprosts said.

Step two of the authentication process requires the mail server to confirm that the mail originator is approved to enter the traffic stream.

"This part of the process so far has a much lower adoption rate," Sprosts said.

With Sender ID, only authenticated messages can reach the receiver. The process includes four steps. One, the sender sends an e-mail message to the receiver's inbound mail server. Two, the receiver's server checks for a record of the sending domain published in the Domain Name System (DNS) record. Three, the inbound e-mail server determines if the sending e-mail server's IP address matches the IP address that is published in the DNS record.
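The record lookup and IP comparison described above can be sketched as follows. This is an added example, not code from the article or from the Sender ID authors: the TXT records are constructed sample data using documentation domains, only the `ip4`, `ip6` and `all` mechanisms are evaluated, and the result names follow SPF conventions.

```python
import ipaddress

# Constructed sample zone data (documentation domains and address ranges);
# a real receiver would fetch these TXT records from DNS.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["spf2.0/pra ip4:198.51.100.25 ~all"],
    "example.org": ["unrelated=txt-record"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_policy(domain, txt=SAMPLE_TXT):
    """Step two: return the sending domain's published policy terms, or None."""
    for record in txt.get(domain.lower(), []):
        terms = record.split()
        if not terms:
            continue
        tag = terms[0].lower()
        # Accept SPF records and Sender ID records whose scope list includes
        # "pra". Simplification: the first matching record wins.
        if tag == "v=spf1" or (tag.startswith("spf2.0/")
                               and "pra" in tag[7:].split(",")):
            return terms[1:]
    return None


def check_sender(domain, client_ip, txt=SAMPLE_TXT):
    """Step three: compare the connecting IP with the published ranges."""
    terms = find_policy(domain, txt)
    if terms is None:
        return "none"  # the domain publishes no usable record
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"  # a, mx, include, ... need further DNS lookups
    return "neutral"  # nothing matched and the record has no "all" term
```

A receiving server would feed the result into its delivery policy, for example accepting on `pass` and deprioritizing or rejecting on `fail`.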

Competing Systems Cooperate

Sprosts said the two approaches are not mutually exclusive. "There is room for more than one standard," he said. "There are a few challenges to both methods."

Analysts agree that one universal secure e-mail standard is not so important; there could be two or three methods that are interoperable.

"It would make things easier if there was one standard. But both of these will work together," Sprosts said.

With either system, mail sent by an unregistered sender would be slowed to a halt because e-mail servers would give priority to authenticated mail. If the unapproved e-mail weren't rejected, it would eventually find its way to the consumer's computer.

At that point, said Sprosts, traditional spam filters installed on the user's computer would either accept or reject the message just as happens now.

Works Before Spam Filter

Sprosts sees the Sender ID standard as a holistic solution to the problems of insecure e-mail delivery. He said the standard is based on improving the SMTP Internet mail protocol.

Sender ID provides three key elements to securing delivery. It verifies authentication. It builds a reputation score for message senders. It provides a policy-based system that lets the mail server take action based on the reputation of the sender.

"This method is based on a trusted ID. Spam filters that individual computer users install are based on the content of the message only," Sprosts said.

The proposed Sender ID standard will be applied by the Internet industry. The corporate worker or individual computer user would not have to do anything different. Even sending private e-mail would not be affected.

Not a Cure All

Microsoft's Spiezle cautioned that the proposed Sender ID standard would not completely stop phishing and identity theft attacks by e-mail.

Phishing attempts to trick e-mail recipients into divulging personal information by sending e-mail pretending to be from a legitimate source, such as a user's bank, credit card company or online Web merchant.

"Sender ID does not explicitly prevent spam or phishing scams from being sent, but it does make them much easier to detect because it provides a more reliable answer to the question about who sent the message," Spiezle said in a written statement from Microsoft.

Sender ID will help reduce the number of phishing attacks, according to proponents of the proposed security standard. The great majority of all phishing attacks are sent in e-mail with forged or spoofed sender addresses. That is the niche Sender ID will shut down.

"Microsoft and the industry recognize very clearly that there is no single perfect solution to the problem. This is not the end of the journey. It's a significant step forward," Spiezle said.

Future Prospects Good

Sender ID has the full support of ESPC members. They are no longer considering the alternative proposals. ESPC Executive Director Trevor Hughes said in a written statement that Sender ID is consistent with the group's thinking in terms of how to combat the spam problem.

"So our members are eager to learn more, to work hard to implement Sender ID, and to engage in a very strong dialogue making sure that these solutions are successful in the marketplace," he said.

IronPort Systems executives echo that view. "Our customers rely on us to identify new technologies to make their networks more secure and eliminate the complexity of deploying new standards," said Tom Gillis, senior vice president for worldwide marketing at IronPort Systems.

"Sender ID significantly improves our ability to protect our customers from fraud, increases sender accountability and provides legitimate senders all over the Internet with tools to reliably identify themselves," he said.

IronPort Systems' Sprosts said the Sender ID approach will see accelerated acceptance because individual computer users will not have to do anything different in handling their e-mail.


More by Jack M. Germain
