E-Mail Providers Look to New Spam-Fighting Techniques

E-mail providers are bolstering their defenses against the onslaught of spam and phishing attacks through the adoption of new e-mail-authentication technologies, according to information offered this week at a gathering of companies that focused on promoting safety and user trust in the e-mail ecosystem.

A report issued at the E-Mail Authentication Summit by the E-Mail Sender and Provider Coalition (ESPC) indicates that AOL, Microsoft, and Yahoo -- companies that collectively handle more than half of the commercial e-mail in the U.S. -- now are enforcing at least one of the current e-mail-authentication standards.

Those standards are based either on Internet Protocol (IP) technologies or cryptographic techniques, with the primary examples being Sender ID and DomainKeys.

Enterprise Adoption

Sender ID, backed primarily by Microsoft, verifies the domain name from which e-mail is sent by checking the IP address of the server that sent the message against a list of legitimate IP addresses for that domain. Yahoo is the primary backer of DomainKeys, a technology that attaches a digital ID to e-mail so that recipients can verify the source of an e-mail message.

The ESPC also noted that authentication is moving beyond the ISP level to the corporate mail server. In fact, late last year, ESPC reported that 70 percent of Fortune 100 companies have begun to authenticate their e-mail.

"Legitimate e-mail marketers have been quick to respond by adopting authentication over the last year to ensure their mail makes it to inboxes of leading ISPs," said Trevor Hughes, executive director of the ESPC, in a statement.

According to Microsoft, there has been a threefold increase in Sender ID adoption among Fortune 500 companies, from 7 percent in July 2005 to 21 percent in March 2006. And there are now some 3.3 million .com and .net domains worldwide sending Sender ID-compliant e-mail -- to the tune of two billion e-mail messages each day.

Onus on Domain Owners

There is progress being made on e-mail authentication, said Forrester Research analyst Paul Stamp, who noted the problem is that while most e-mail systems can support a multitude of measures to ascertain who is sending a message, it is still difficult to tie the credentials of a sender to the owner of a particular Internet domain.

"The domain owners must implement a process to check the identity of people applying for a particular domain," Stamp said. "This is a serious global problem because anyone can set up a domain to launch a phishing attack."

Stamp said that both the Sender ID and DomainKeys are effective against mass spam campaigns, but he also indicated that it is unlikely that a single standard will emerge as the preferred solution.