Mon Oct 24, 4:37 PM ET
When the telephone rings, most people check the caller ID window before answering. If they see the name or phone number of a family member, friend, or business associate, the conversation begins without fear or inconvenience.
The telephone equipment cannot be tricked. Even when the caller ID window displays "out of area" or "name blocked" messages, telephone users do not have to worry about risking their identity or placing personal information at risk if they decline to answer.
But this is not the case with e-mail. Malefactors can easily spoof the sender's address to trick the recipient into opening the message. Tricksters often make the subject line so inviting that the user cannot wait to click on a message that, once opened, might contain harmful computer code that installs ID-sniffing components or makes the computer susceptible to more unwanted e-mails, otherwise known as spam.
A solution to this problem might soon be available. The computer industry is fast-tracking a system called e-mail authentication, which will attempt to do for e-mail what caller ID does for telephone calls. E-mail authentication will assure the recipient that the sender actually is the person identified in the message header.
"I have no lack of confidence that, given time, it will be fully implemented, possibly within the next 18 months," said Tom Peterson, vice president of technology for IronPort Systems, an e-mail security firm.
Equipment Lacking
In addition to being an annoyance to consumers, receiving unwanted e-mail messages also is a worsening problem for businesses. But at the enterprise level, companies have I.T. departments and third-party equipment to detect spam and messages containing viruses and spyware.
Consumers, however, have neither the specialized equipment nor the training to keep all unwanted e-mail from entering their home computers. So the computer industry is aiming the fix at the sender level instead of at the consumer level.
When the solutions are broadly adopted by Internet service providers (ISPs), consumers will not have to do anything other than be aware of the process because ISPs and e-mail gateway services are responsible for making sure the mail they handle complies with the authentication policies.
However, even before these technologies come to market, consumers should understand the implications of opening mail that is suspect. Also, consumers who send larger-than-normal volumes of e-mail will run the risk of having their messages blocked or delayed by e-mail-authentication systems.
Authentication Basics
The crux of the authentication process is assigning a reputation score to the sender.
And just like CIOs of larger companies, entrepreneurs will have to know about reputation scores. Those who lack resources for I.T. consultants will have to reach out to their ISPs or third-party mail gateway services to ensure that their e-mail servers are not flagged with low or failing reputation scores, Peterson said.
"The e-mail authentication process puts the burden on the consumer's ISP and the enterprise's mail gateway," said George Bilbrey, vice president and general manager of delivery assurance solutions for Return Path. Outbound mailing applications make it easier for corporations to use the authentication standards.
Consumers and small business owners might have to rely on software that identifies the reasons why a message has failed to meet reputation standards. For example, people who engage in more than casual e-mailing might be treated as an offending bulk e-mailer, Bilbrey said.
Two Systems
Peterson is encouraged by the progress in the deployment of e-mail authentication. But he expressed frustration that the adoption process is not moving more quickly.
Full deployment of authentication is being slowed, Peterson said, because some of the terminology is confusing and the industry has not yet solved some ambiguity issues. Part of that confusion stems from having two competing authentication systems: Domain Keys and Sender ID Framework.
Neither method attacks the cause of e-mail security issues -- vulnerabilities in the e-mail infrastructure itself. But many industry leaders feel authentication will make a big dent in spoofing, phishing, fraud, and, of course, spam.
Knowing the Score
Domain Keys, created by Yahoo (Nasdaq: YHOO), requires a two-part verification process of the e-mail sender. The ISP or e-mail gateway service first authenticates the message sender, and then the message sender receives a favorable reputation score.
Sender ID Framework (SIDF), the second method, is a merger of proposals by Microsoft (Nasdaq: MSFT) and the developer of Sender Policy Framework (SPF) that requires two levels of authentication before an e-mail message is delivered. The message originator first registers for inclusion on a list that confirms the sender's Internet Protocol (IP) address and then must gain mail-server confirmation before sending.
Most security experts agree that the Domain Keys method is more rigorous because it involves using encryption. But it also takes longer to implement, which makes it tempting for ISPs and mail gateway services to rely on the less secure Sender ID method instead.
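The two checks described above can be seen side by side in a small receiving-side program. This is an added example, not code from the article or from Yahoo, Microsoft, IronPort or Return Path: the "DNS" records, the example.com domain, the IP addresses and the message are all constructed, the SPF-style parser handles only ip4/ip6 mechanisms, and the signature uses Ed25519 rather than whatever algorithm the original Domain Keys deployment used. It shows the IP-list check that Sender ID/SPF relies on and the cryptographic signature check that makes the Domain Keys approach the more rigorous of the two.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for DNS TXT lookups. In a real deployment both kinds
// of record are published in the sending domain's DNS zone.
var dnsTXT = map[string]string{
	// SPF-style record: only these source addresses may send mail for example.com.
	"example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
}

// spfAuthorizes reports whether sourceIP appears in the ip4/ip6 mechanisms of
// an SPF-style record. Anything unlisted falls through to "-all" and fails.
// Simplified: include:, a, mx and redirect= mechanisms are not handled.
func spfAuthorizes(record string, sourceIP string) bool {
	ip := net.ParseIP(sourceIP)
	if ip == nil || !strings.HasPrefix(record, "v=spf1") {
		return false
	}
	for _, term := range strings.Fields(record)[1:] {
		var cidr string
		switch {
		case strings.HasPrefix(term, "ip4:"):
			cidr = strings.TrimPrefix(term, "ip4:")
		case strings.HasPrefix(term, "ip6:"):
			cidr = strings.TrimPrefix(term, "ip6:")
		default:
			continue // "-all" and mechanisms this example does not support
		}
		if !strings.Contains(cidr, "/") { // bare host: treat as a single-address network
			if strings.Contains(cidr, ":") {
				cidr += "/128"
			} else {
				cidr += "/32"
			}
		}
		if _, network, err := net.ParseCIDR(cidr); err == nil && network.Contains(ip) {
			return true
		}
	}
	return false
}

// canonical builds the bytes that get signed: selected headers, then the body.
// Real DomainKeys/DKIM apply canonicalization rules so harmless whitespace
// changes in transit do not break the signature; this example signs verbatim.
func canonical(headers []string, body string) []byte {
	return []byte(strings.Join(headers, "\r\n") + "\r\n\r\n" + body)
}

// newSigningKeys generates an Ed25519 key pair. The base64 public key is what
// the sender publishes in DNS; the private key stays on the outbound gateway.
func newSigningKeys() (pubB64 string, priv ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(pub), priv
}

// signMessage returns the base64 signature the sending gateway attaches as a header.
func signMessage(priv ed25519.PrivateKey, headers []string, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(headers, body)))
}

// lookupPublicKey pulls the p= tag out of a constructed DKIM-style TXT record.
func lookupPublicKey(name string) (string, bool) {
	rec, ok := dnsTXT[name]
	if !ok {
		return "", false
	}
	for _, tag := range strings.Split(rec, ";") {
		if tag = strings.TrimSpace(tag); strings.HasPrefix(tag, "p=") {
			return strings.TrimPrefix(tag, "p="), true
		}
	}
	return "", false
}

// verifyMessage is the receiving ISP's check: any change to the signed headers
// or body, or a key that does not match, makes the signature fail.
func verifyMessage(pubB64 string, headers []string, body string, sigB64 string) bool {
	pub, err := base64.StdEncoding.DecodeString(pubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(pub), canonical(headers, body), sig)
}

func main() {
	record := dnsTXT["example.com"]
	fmt.Println("192.0.2.10 authorized:", spfAuthorizes(record, "192.0.2.10"))   // true
	fmt.Println("203.0.113.5 authorized:", spfAuthorizes(record, "203.0.113.5")) // false

	pubB64, priv := newSigningKeys()
	dnsTXT["selector1._domainkey.example.com"] = "v=DKIM1; k=ed25519; p=" + pubB64
	headers := []string{"From: alice@example.com", "Subject: Quarterly report"}
	body := "Please find the figures attached.\r\n"
	sig := signMessage(priv, headers, body)
	published, _ := lookupPublicKey("selector1._domainkey.example.com")
	fmt.Println("signature verifies:", verifyMessage(published, headers, body, sig))         // true
	fmt.Println("tampered body verifies:", verifyMessage(published, headers, body+"x", sig)) // false
}
```

The contrast is the point of the article's "more rigorous" remark: the SPF-style check only confirms that the connecting IP address is one the domain owner listed, so a message relayed through an authorized server passes regardless of content, whereas the signature check binds the message headers and body to a key that only the sending domain controls.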