• by Ross Fadner , January 23, 2004

E-mail forgery, or spoofing, is one of the toughest problems facing Internet providers and anti-spam companies today. Last week, Time Warner's America Online implemented a new authentication protocol in a bid to eradicate spoofing, a widespread practice of spammers worldwide.

Spammers are able to forge other people's domain names or create false ones relatively easily because the industry-standard protocol for sending email, Simple Mail Transfer Protocol (SMTP), cannot specifically detect and verify a sender's domain identity. Because of this, it's relatively easy to spoof email addresses on a large or small scale.

AOL's new authentication protocol, Sender Permitted From (SPF), launched last week, is billed as the largest-scale test for the protocol, which is simultaneously being considered by various standards groups such as the E-mail Service Provider Coalition.

The SPF protocol prompts AOL's receiving system to take the suspected email and match it with the public registry of legitimate domain names AOL provides. The SPF system essentially asks AOL if in fact the email comes from AOL or somewhere else. If no match is made, the system rejects the email.

"All AOL users will be contained in the DNS (Domain Name System) registry database," says Nicholas Graham, an AOL spokesman. "The [matching process] is done at the system administrator level, so it's a totally transparent effort as far as the end-user is concerned."

Graham adds that spoofing is a problem for all Internet Service Providers, because ISP domain names are frequently ripped off by spammers. He says that while spoofing email addresses is relatively easy to get away with, duplicating other users' IP addresses--which is what would have to happen for a spam message to get through the SPF system--is a complex action that only mega-spammers could pull off. AOL maintains that if the SPF protocol is adopted on a wide scale, it would virtually eradicate small-time spoofing.

If the trial run proves successful, email servers and individual email address owners would effectively be protected from being falsely accused of email fraud. The endorsement of the protocol by AOL, which remains the world's largest ISP with 33 million members, could lead to its implementation by other major email providers. The trial's success would be a crucial step toward the development of email verification standard.

SPF is currently one of several email authentication protocols that are either being tested or are in development. Yahoo!, The Anti-Spam Research Group, the Internet Research Task Force, and the E-mail Service Provider Coalition are all involved in similar projects.

"You couldn't ask for a better testing ground than AOL," says Bill McCloskey, Founder and CEO of Emerging Interest, and author of MediaPost's E-mail Insider. "If it does hold up, SPF could become the standard anti-spoofing technology. While there are several standards vying for attention, AOL is the first to adopt this technology on a wide scale."

The development of these authenticated protocols indicates that the idea of filtering spam messages is running out of steam," says Jim Nail, Principal Analyst, Forrester Research. "Spammers are just throwing more volume at these filters," he adds. "Perhaps spam filters are no longer the right solution." If this is true, the task of developing and testing new technology protocols is more important than ever.