MS pushes anti-spam scheme using authentication

Mar 1, 2004

Microsoft is suggesting a new tactic in the fight against spam. Execs have proposed a broad industry plan to publish technical details about big companies' email servers, in an attempt to block fake email.

The plan, which Microsoft calls Caller ID for email, is part of a panoply of efforts under way at the company's headquarters, including challenge-response software that could find its way into future versions of email apps, aimed at stemming junk mail that Microsoft says erodes customers' trust in Windows PCs and curbs their internet use.

"Our goal here is to get rid of spam," chairman Bill Gates said in a keynote address at the RSA Conference, a trade show on computer security and cryptography, last week in San Francisco.

Besides causing negative associations with its software for users, Microsoft says, spam dupes some users into downloading malicious software. "This is a huge security hole," Gates said.

Microsoft's proposal sheds light on current thinking about the best way to fight spam. It has published the addresses of its Hotmail email servers -- and got Amazon.com to do the same -- as the first step in a plan to check users' incoming email to make sure senders are who they say they are.

Microsoft also plans to turn on functionality in Hotmail that compares those addresses with those on incoming email messages to try to verify a sender's identity. Eliminate obviously false messages, the thinking goes, and spam filters will have an easier job.

The company has 140 million active Hotmail users, and millions more PC users rely on its Outlook email program, so anything that makes computers less enjoyable to use -- like spam -- can have ramifications for Microsoft.

"This is a huge issue for our customers," said George Webb, group business manager for Microsoft's 30-member anti-spam team, which came together about a year ago. "We have a huge customer-satisfaction hurdle to address," Webb said.

Microsoft's technical proposal isn't the only one. In December, Yahoo started testing technology called DomainKeys, which inserts a digital signature into email, then uses public key cryptography to authenticate the sender. America Online, British Telecom, Comcast, Microsoft, EarthLink, and Yahoo -- some of the world's biggest internet service providers -- have formed a group called the Antispam Technology Alliance, and AOL is said to want to use either Microsoft's or Yahoo's technique.

Amazon -- a big sender of email and a big victim of forged addresses -- has gone with Microsoft's plan. Recently, Sendmail Incorporated, which claims its mail-transfer software is used by 70 percent of the world's large companies to route messages, said it would put authentication mechanisms based on Caller ID for email into commercial and open-source versions of its products. The company is also testing Yahoo's approach.

"These mechanisms are going to be needed to keep email viable in the next few years," said Eric Allman, Sendmail's chief technology officer and the author of the original Sendmail internet mail transfer agent in 1981. "Today, it's not standard practice for companies to publish lists of their mail servers," Allman said. "That's what this is all about."

The state of the art in spam blocking is content filtering, which relies on examining email messages' content and their "envelopes" -- the information about how and when they were sent -- for telltale signs of spam. Content filters use machine-learning algorithms to recognise patterns, then score messages as either legitimate or spam. The problem is there's always the possibility of misclassification, blocking legitimate email. Some consider that a bigger problem now than spam itself.

"Some people claim numbers like one in 10,000 false positives" from their filters, Allman said. "I haven't seen that in the real world. I've seen it in the lab. Some filters claim 1 in 100 false positives, which is awful."

To narrow the field of messages that need to be filtered and improve accuracy, companies have started using "safe lists," or databases of recognised, legitimate senders. But safe lists live in users' email address books, which are vulnerable to viruses that can crawl through those lists, and sometimes turn an infected PC into a spamming zombie.

What the industry seems to have agreed on is the need to authenticate incoming email. If it's authenticated, and the sender's name is on your safe list, the email goes through.

Those that get past that defense get filtered for content, with a much lower chance of producing an error, in theory.

According to Microsoft's proposal, big email senders would publish the IP addresses of their email servers in the Domain Name System, the public guide to computers attached to the Net. Then recipients' email software would check whether the domain name that claims to have sent a message matches the IP address of the purported sender. If a spammer sends a message that looks like it came from Amazon, but the sender's IP address doesn't match Amazon's, the message gets rejected. Webb says Microsoft is licensing Caller ID for email "royalty-free, for now," and plans to include the code in its email server and client software.
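The publish-and-compare check described above, together with the safe-list rule from earlier in the article, as an added example that is not Microsoft's Caller ID code: the published server list, the domain names and the IP ranges are constructed for illustration, and a lookup table stands in for the DNS query a real receiver would make.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the DNS records a sender would publish:
# domain -> networks its outbound mail servers send from.
PUBLISHED_SERVERS = {
    "amazon.example": ["192.0.2.0/28", "198.51.100.17/32"],
    "hotmail.example": ["203.0.113.0/24"],
}


def sender_domain(from_header):
    """Return the lowercased domain of the address in a From: header, or None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_caller_id(from_header, connecting_ip, records=PUBLISHED_SERVERS):
    """Return 'pass', 'fail' or 'none'.

    'none' means the claimed domain publishes nothing, so the check says
    nothing about the message; adoption is partial, so only domains that
    publish a list can actually fail.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "fail"  # no usable sender address at all
    nets = records.get(domain)
    if not nets:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in nets):
        return "pass"
    return "fail"


def route(from_header, connecting_ip, safe_list, records=PUBLISHED_SERVERS):
    """Apply the article's policy: a mismatch is rejected, an authenticated
    sender on the safe list is delivered, and everything else still goes
    through the content filter."""
    result = check_caller_id(from_header, connecting_ip, records)
    if result == "fail":
        return "reject"
    if result == "pass" and sender_domain(from_header) in safe_list:
        return "deliver"
    return "filter"
```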

One open question is how many participants Microsoft needs in Caller ID to make the approach effective. Webb says Microsoft doesn't need 100 percent adoption from internet service providers. A small group of ISPs, big email senders like Amazon, and websites like Evite that forward lots of email can cover "the majority of senders and receivers."

Another unresolved question is how to protect legitimate businesses that send email marketing pitches. According to a Microsoft initiative called Coordinated Spam Reduction, large companies would be monitored by independent bodies that would issue digital certificates vouching for a sender's ethics.

For small companies, Microsoft proposes computer- and human-solvable puzzles that can be used to distinguish legitimate senders from spammers. If a computer user receives an email from a sender not on a safe list, the recipient's PC would send out a puzzle that the sender or the sender's computer would have to solve. For someone sending just a few messages, the puzzles could be solved quickly. For a spammer sending thousands or millions of messages, the burden would be a disincentive.
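One way the puzzle step can work, as an added example that is not Microsoft's proposal: a hashcash-style proof of work, where the recipient issues a random challenge, the sender must find a counter whose hash has a chosen number of leading zero bits, and the recipient verifies with a single hash. Expected sender work doubles with every added bit and is paid again for every message, which is the cost asymmetry the passage describes; the nonce format and difficulty values are assumptions.

```python
import hashlib
import os


def make_challenge(difficulty_bits, nonce=None):
    """Recipient side: a fresh random nonce plus the required leading zero bits."""
    if nonce is None:
        nonce = os.urandom(16)
    return nonce.hex(), difficulty_bits


def leading_zero_bits(digest):
    """Count leading zero bits of a digest given as bytes."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def _puzzle_hash(nonce_hex, counter):
    return hashlib.sha256(f"{nonce_hex}:{counter}".encode()).digest()


def solve(nonce_hex, difficulty_bits):
    """Sender side: brute-force a counter. Expected cost is about
    2**difficulty_bits hashes, paid once per message received."""
    counter = 0
    while leading_zero_bits(_puzzle_hash(nonce_hex, counter)) < difficulty_bits:
        counter += 1
    return counter


def verify(nonce_hex, difficulty_bits, counter):
    """Recipient side: one hash, however hard the puzzle was to solve."""
    return leading_zero_bits(_puzzle_hash(nonce_hex, counter)) >= difficulty_bits


def expected_hashes(difficulty_bits, message_count):
    """Rough total work for a sender of message_count messages."""
    return message_count * 2 ** difficulty_bits
```

A sender of a handful of messages spends a fraction of a second; a sender of a million pays a million times that, while the recipient's cost stays at one hash per message.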

"You want to raise the cost to the sender in an economic, but not cash-based, way," Sendmail's Allman said. "If physical mail were free, they'd be backing up a truck to my door every day, which is essentially what's happening with my electronic inbox."

Copyright (c) 2003 CMP Media LLC
