washingtonpost.com  > Technology > Special Reports > Spam

E-Mail Firms Seek Spam Solution

By David McGuire
washingtonpost.com Staff Writer
Tuesday, November 9, 2004; 6:36 AM

Representatives from America's largest e-mail companies will meet in Washington today and Wednesday to look for a way to reduce the amount of "spam" clogging the nation's e-mail accounts, but experts said a concrete solution remains months or even years away.

The Federal Trade Commission organized the two-day meeting for the top Internet service providers to hash over different technological proposals to determine the origin of individual e-mail messages.

_____Spam In The News_____
Microsoft E-Mail Looks Like Spam to Some Recipients (The Washington Post, Nov 5, 2004)
Jury Finds 2 Guilty of Felony Spam (The Washington Post, Nov 4, 2004)
Political Spam Pervades Personal Computers (washingtonpost.com, Nov 2, 2004)
More Spam News

The technology, known as "authentication," would try to thwart spam by tying e-mail addresses to real locations and identities, reducing the ability of junk mailers to hide their identities from people who do not want to receive their messages.

Authentication would cut down on spam by allowing e-mail providers to bounce messages with falsified addresses. It also could underpin future technologies that make it easier for users to get only the e-mail messages that they want to receive.

For an authentication scheme to work, most e-mail providers must agree to use the same system. If they do not, Yahoo Inc., for example, could determine that messages sent from one Yahoo account to another are legitimate, but could not verify messages coming in from America Online Inc., EarthLink Inc., Microsoft Corp. or other providers not using Yahoo's system.

Those four largest companies agree that authentication is the goal, but disagree on how to get there.

Some technology industry observers hoped that the participants would use this week's conference to agree on a common authentication method, but so far no consensus has emerged.

"I would be astonished if anything concrete came out of it," said John Levine, author of the book "The Internet for Dummies" and chairman of an Internet Engineering Task Force (IETF) group that is tackling the authentication problem. "Everyone agrees that we need to do something to make it easier to tell who sent an e-mail, but given how big the e-mail system is and how little experience we have with all the proposals, it's way too early to point at any of them and say, 'This one is ready for everyone to use.'"

"I think it's also a good time for the companies to level with the FTC in terms of expectations," said America Online spokesman Nicholas Graham. "Unfortunately the expectations are a little ahead of where they ought to be. This is going to be a long process and necessarily so."

At its core, the e-mail system is not designed to prevent fraud. As a result, said Dan Salsburg, assistant director of the FTC's Division of Marketing Practices, "the only thing that has to be truthful is what's in the 'to' line. Everything else can be made up."

Microsoft has been lobbying hard for an authentication proposal called Sender ID, which would create publicly accessible databases linking Internet protocol numbers to companies and service providers. Because those numbers are harder to forge than e-mail addresses, e-mail companies could check whether the "from" address in an e-mail message matches the correct Internet protocol number. If they do not match, the company would reject the message.

Yahoo, on the other hand, promotes a system in which outgoing e-mail messages would be labeled with a scrambled signature that recipients' e-mail providers could unlock with digital keys to determine their authenticity.

Sender ID can work with Yahoo's idea and is ready now, while Yahoo's Domain Keys proposal would require changes to e-mail software that could take years to put into effect, said Microsoft spokesman Sean Sundwall. "If signing is the tourniquet, at least Sender ID is a significant Band-Aid," Sundwall said.

Miles Libbey, Yahoo Mail's anti-spam product manager, said the company's plan could be implemented now.

AOL, the nation's largest Internet service provider, said it will test both companies' ideas, as well as a third. The IETF, meanwhile, is poised to convene another working group to develop a universal authentication standard.

No one knows how long it will take, but even optimistic observers said it is at least a year away.

"To think that this forum is going to be a place where the rough edges of these different proposals can be smoothed out so that they can all interlock like a jigsaw puzzle is not very realistic," said Ray Everett Church, counsel for the Coalition Against Unsolicited Email and president of a Freemont Calif.-based firm that has proposed its own authentication scheme. "In terms of a world in which all of the [e-mail providers] are dancing the same authentication dance that may be several years away still."

© 2004 TechNews.com