When the telephone rings, most people check the caller ID window before answering. If they see the name or phone number of a family member, friend, or business associate, the conversation begins without fear or inconvenience. The telephone equipment cannot be tricked. Even when the caller ID window displays "out of area" or "name blocked" messages, telephone users do not have to worry about risking their identity or placing personal information at risk if they decline to answer. But this is not the case with e-mail. Malefactors can easily spoof the sender's address to trick the recipient into opening the message. Tricksters often make the subject line so inviting that the user cannot wait to click on a message that, once opened, might contain harmful computer code that installs ID-sniffing components or makes the computer susceptible to more unwanted e-mails, otherwise known as spam. A solution to this problem might soon be available. The computer industry is fast-tracking a system called e-mail authentication, which will attempt to do for e-mail what caller ID does for telephone calls. E-mail authentication will assure the recipient that the sender actually is the person identified in the message header. "I have no lack of confidence that, given time, it will be fully implemented, possibly within the next 18 months," said Tom Peterson, vice president of technology for IronPort Systems, an e-mail security firm. Equipment Lacking In addtion to being an annoyance to consumers, receiving unwanted e-mail messages also is a worsening problem for businesses. But at the enterprise level, companies have I.T. departments and third-party equipment to detect spam and messages containing viruses and spyware. Consumers, however, have neither the specialized equipment nor the training to keep all unwanted e-mail from entering their home computers. So the computer industry is aiming the fix at the sender level instead of at the consumer level. When the solutions are broadly adopted by Internet service providers (ISPs), consumers will not have to do anything other than be aware of the process because ISPs and e-mail gateway services are responsible for making sure the mail they handle complies with the authentication policies. However, even before these technologies come to market, consumers should understand the implications of opening mail that is suspect. Also, consumers who send larger-than-normal volumes of e-mail will run the risk of having their messages blocked or delayed by e-mail-authentication systems. Authentication Basics The crux of the authentication process is assigning a reputation score to the sender. And just like CIOs of larger companies, entrepreneurs will have to know about reputation scores. Those who lack resources for I.T. consultants will have to reach out to their ISPs or third-party mail gateway services to ensure that their e-mail servers are not flagged with low or failing reputation scores, Peterson said. "The e-mail authentication process puts the burden on the consumer's ISP and the enterprise's mail gateway," said George Bilbrey, vice president and general manager of delivery assurance solutions for Return Path. Outbound mailing applications make it easier for corporations to use the authentication standards. Consumers and small business owners might have to rely on software that identifies the reasons why a message has failed to meet reputation standards. For example, people who engage in more than casual e-mailing might be treated as an offending bulk e-mailer, Bilbrey said. Two Systems Peterson is encouraged by the progress in the deployment of e-mail authentication. But he expressed frustration that the adoption process is not moving more quickly. Full deployment of authentication is being slowed, Peterson said, because some of the terminology is confusing and the industry has not yet solved some ambiguity issues. Part of that confusion stems from having two competing authentication systems: Domain Keys and Sender ID Framework. Neither method attacks the cause of e-mail security issues -- vulnerabilities in the e-mail infrastructure itself. But many industry leaders feel authentication will make a big dent in spoofing, phishing, fraud, and, of course, spam. Knowing the Score Domain Keys, created by Yahoo (Nasdaq: YHOO - news), requires a two-part verification process of the e-mail sender. The ISP or e-mail gateway service first authenticates the message sender, and then the message sender receives a favorable reputation score. Sender ID Framework (SIDF), the second method, is a merger of proposals by Microsoft (Nasdaq: MSFT - news) and the developer of Sender Policy Framework (SPF) that requires two levels of authentication before an e-mail message is delivered. The message originator first registers for inclusion on a list that confirms the sender's Internet Protocol (IP) address and then must gain mail-server confirmation before sending. Most security experts agree that the Domain Keys method is more rigorous because it involves using encryption. But it also takes longer to implement, making it easier for ISPs and mail gateway services to rely on the less secure Domain Keys method. What To Look For Neither e-mail authentication system is fully implemented just yet. So far, ISPs and popular e-mail services, such as America Online, Yahoo Mail, Google (Nasdaq: GOOG - news) Gmail, and Microsoft's Hotmail, have not done much to clue in users to the verification process. One thing consumers can do right now in anticipation of these schemes being broadly adopted is to become more familiar with the elements of authenticated mail. One way to do this is to take a look at e-mail headers. Using Yahoo! Mail, for instance, an e-mail message's full header display looks like this: X-Apparently-To: username@yahoo.com via 208.190.38.220; Sat, 01 Oct 2005 08:20:01 -0700 X-YahooFilteredBulk:70.103.249.130 X-Originating-IP:[70.103.249.130] Return-Path: Authentication-Results: mta112.mail.dcn.yahoo.com from=piquaput.bigoar.net; domainkeys=neutral (no sig) Received:from 70.103.249.130 (HELO jocingistiregatundubekifi.ip-249-130.writhle.com) (70.103.249.130) by mta112.mail.dcn.yahoo.com with SMTP; Sat, 01 Oct 2005 08:20:00 -0700 From:"Foot Locker" Add to Address BookAdd to Address Book Add Mobile Alert To: username@yahoo.com, Subject:Sports Authority - Order Confirmation #501R-VBEC348 We altered some of the information to provide a fictional sample. Notice the authentication results line. It shows the actual sender. Compare this information to the from line below it. See the difference? The sender appears to be a company whose name many consumers recognize, the athletic shoe retailer Foot Locker. But a close review of the full header details shows that the sender is not really that merchant. Also, the Domain Keys reference line in the header information gives the sender a neutral rating. Yahoo! Mail, Hotmail, Gmail, and other e-mail services are starting to attach authentication verification messages to e-mails that are from legitimate senders. For instance, on Yahoo! Mail a message from your bank might display a notification message in gray print at the bottom that verifies its authenticity. Once e-mail authentication is fully deployed, consumers simply can delete e-mail messages that do not display a "proof of sender" seal.
