Microsoft moves to beat forged addresses in spam

29 Jun 2004

Microsoft has outlined its latest efforts to curb the rise of spam and phishing attacks with technology that would authenticate emails to verify that the sender is who they claim to be.

Issuing a progress report, Microsoft’s chairman Bill Gates said that significant advances had been made in the fight against unsolicited commercial email or spam. Filtering technology has helped to block billions of junk mails on a daily basis, he said, but this on its own is not enough to solve the problem completely, Gates said.

Microsoft and its fellow members of the industry group, Anti-Spam Technical Alliance, have outlined plans to test a system that can beat email forgery or spoofing – the practice of using false addresses in the ‘from’ field of an email message to make it appear as if the sender is legitimate. The same social engineering tactic is also used by virus writers to make unsuspecting users more likely to open a mail if they believe it comes from someone they know. Domain spoofing is involved in half of all of current spam emails, the Microsoft boss claimed.

“Many people are surprised to learn that today’s email systems cannot verify whether messages actually come from the source shown on the ‘from’ line. One way to make this possible is through the Sender ID standard that Microsoft and other industry leaders have developed and are testing.”

Last week Microsoft submitted the Sender ID specification to the internet Engineering Task Force, a standards body, for approval. According to Gates, this method will help block spam as well as curbing other abuses, such as fraudulent promotions or email that tries to lure recipients into disclosing their credit card numbers or other private information – a practice known as phishing.

“By combating domain spoofing, Sender ID will also help us use other anti-spam measures more effectively. When combined with recipients’ continued use of ‘safe’ lists for legitimate senders, wide adoption of Sender ID will mean that wanted email from known senders can pass into inboxes with minimal filtering and email from unknown senders can be filtered more thoroughly,” Gates explained.

Sender ID works by having a server check the internet protocol (IP) address of a suspicious email, as this is more difficult to fake than the ‘from’ line in a message. The Sender ID standard involves publishing the IP addresses of outbound email servers in the internet directory – the domain name system – that controls all email delivery and embedding each sender’s IP address in the hidden routing information that guides email to its destination. “Recipients’ email systems will then be able to check a message’s authenticity,” said Gates.

Another possible approach would involve senders unfamiliar to recipients having to ‘qualify’ their email in order to guarantee its delivery. For example they could demonstrate that their PC performed a special set of computations as part of the process of sending the mail. According to Gates, the amount of computing time needed to perform this would be ‘trivial’ for most senders, but would cause a dramatic slowdown in spammers’ operations, by virtue of the fact that they typically send emails in large volumes at a time.

Conversely, servers receiving suspect email could reply to the sender with a challenge, perhaps a computational puzzle or one solvable only by a human sender. If the sender responds appropriately, with human interaction or by expending a small amount of computing time, only then would the email gain access to the recipient’s mailbox.

However, Gates said he was against the idea of charging email senders a fee for delivery _ the industry watcher Forrester Research had mooted this very suggestion last year. “We firmly believe that monetary charges would be inappropriate and contrary to the fundamental purpose of the internet as an extremely efficient and inexpensive medium for communications,” said Gates. “The goal instead is to thwart spammersÅf misuse of the internet, so that everyone else can continue to enjoy its enormous benefits.”

There are, however, many legitimate organisations that send large amounts of genuine email and these would need to distinguish these communications from spam. Gates suggested the use of third-party accreditation services that would certify such senders were bona fide and that they used email appropriately. Bonded sender is an accreditation programme developed by IronPort Systems and overseen by TRUSTe, a non-profit privacy group. To be accredited, a sender must meet stringent standards for good email practices and must also post a bond with IronPort. This bond would be forfeited if a sender failed to adhere to the standards. “We think that this and other emerging accreditation programmes, such as Brightmail’s reputation service, are very encouraging developments,” added Gates.

By Gordon Smith