Saturday, December 2, 2006

New Ways to Nab Spam

More than a third of all e-mail now carries digital markers to help prove where it came from, which helps reduce spam. You can typically find the telltale signs of spam in a message’s header—a normally ignored part of an e-mail file that contains information about the message’s path through the Internet, the sender’s e-mail client, and more in-depth information about the sender, recipients, and subject line. Now two technologies for verifying the source of an e-mail message are finding their way into headers as well.

The behind-the-scenes technologies, known as Sender ID and DomainKeys, are designed to help users detect spam and fraudulent e-mail by identifying messages that claim to be from a legitimate company but, in reality, are scams. In typical spam and phishing attacks, fraudsters use a real domain, such as bankofamerica.com or ebay.com, to convince people that the message is authentic. Combating this requires some changes—albeit small ones—to the infrastructure of the Internet. The approaches use different ways to verify that the source of an e-mail message—as stated in its header—matches the information contained in the Internet’s phone book, the domain-name system (DNS).

Sender ID—a hybrid of two previous plans, Microsoft’s Caller ID and the Sender Policy Framework (SPF)—checks the numerical address of a message’s source (contained in the header) against a list of allowed e-mail servers published by the owner of the domain from which the e-mail originated. The result can be “none” if Sender ID was not used, “pass” if the message has a Sender ID and the sources match, or “softfail” if the server is not listed in the domain’s known mail server list.
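
As an added illustration (not code from the original article), the Python sketch below performs the check just described: it compares a message's source address with the server list a domain publishes and returns the verdict. The domains, addresses and records are constructed samples, an inline table stands in for the DNS lookup, and the record syntax is the one SPF uses; the sketch also returns "fail" and "neutral", two results the article does not list.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (documentation ranges).
PUBLISHED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "strict.example": "spf2.0/pra ip4:198.51.100.25 -all",
}

# Qualifier prefix on a matching term decides the verdict ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
VERSIONS = ("v=spf1", "spf2.0/pra", "spf2.0/mfrom,pra", "spf2.0/pra,mfrom")


def check_sender(domain, source_ip, records=PUBLISHED):
    """Verdict for a message claiming `domain` that arrived from `source_ip`."""
    record = records.get(domain)
    if record is None:
        return "none"  # the domain publishes no server list
    version, *terms = record.split()
    if version.lower() not in VERSIONS:
        return "none"  # some other TXT record, not a sender policy
    ip = ipaddress.ip_address(source_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for unlisted servers
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        # Terms that need live DNS (a, mx, include, ...) are skipped in this sketch.
    return "neutral"  # nothing matched and the record has no "all" term


if __name__ == "__main__":
    for dom, addr in [("example.com", "192.0.2.10"), ("example.com", "203.0.113.5"),
                      ("nopolicy.example", "192.0.2.10")]:
        print(dom, addr, check_sender(dom, addr))
```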

It’s easy for an organization to deploy Sender ID. All it has to do is identify its e-mail servers and publish the data in its DNS record.

DomainKeys uses public-key encryption to create a stronger means of authentication. Public-key encryption creates two codes—one that encrypts the message, and one that decrypts it (only the second code can decrypt the message). Usually, the owner who created the key pair keeps one part secret (the private key) and publishes the other part (the public key). Someone can verify a message signed by a company’s private key by using the public key published in the firm’s DNS record.

Already, major Internet service providers—such as AOL, Google, the Microsoft Network, and Yahoo!—are using the technologies to reduce spam. In May, the companies met with ISPs at the second annual E-Mail Authentication Summit to push adoption of the technologies. At the summit, Microsoft stated that more than 2.4 million domains have published the additional information required for Sender ID, up from a mere 20,000 two years ago. Meanwhile, Yahoo!, the creator of DomainKeys, receives about a billion messages a day signed with the DomainKeys technology through its public e-mail service, the company said.

Other steps you can take to protect your inbox are to have separate e-mail accounts for friends and work, as well as a throwaway address (for when you have to register to use a Web site or for shopping online), and to make sure your e-mail provider uses Sender ID or DomainKeys. Verifying the source of e-mail messages does not solve the spam problem, but it does provide a tool to prevent fraudsters from dressing up a message to make it look as if it came from a legitimate source.