What you will learn from this chapter excerpt: How Sender ID provides e-mail authentication and helps organizations avoid phishing.
Sender ID provides another authentication method. Microsoft began implementing Sender ID to protect mailboxes at Hotmail and MSN. Sender ID is a proposed specification developed within the MARID IETF Working Group between May and October 2004. Sender ID works by looking at information both in the "envelope" of the e-mail message and in the message itself.
Thought of as SPF + Caller ID, Sender ID compares that information with data published by domain owners in the Domain Name System (DNS), to confirm that the e-mail actually came from the domain that it appears to be from. For example, recipients could be sure an e-mail from email@example.com was actually from someone at the yahoo.com domain.
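The comparison described above, as an added example that is not from the book or from any Sender ID implementation: the envelope sender and a simplified choice of the responsible header address are each checked against the record their domain publishes. The record table, addresses and IP ranges are constructed, the `spf2.0` record syntax and header order follow RFC 4406 and RFC 4407 rather than this excerpt, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the domains' DNS TXT records (no network lookups).
PUBLISHED = {
    "example.com": "spf2.0/mfrom,pra ip4:192.0.2.0/24 -all",
    "lists.example.net": "spf2.0/mfrom ip4:198.51.100.7 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(address):
    addr = parseaddr(address)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def pra_domain(raw_message):
    # Simplified choice of the responsible address: first header present in
    # the RFC 4407 order. Received/Return-Path ordering rules and
    # duplicate-header checks are omitted.
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(name):
            return domain_of(msg[name])
    return None

def check(domain, scope, client_ip):
    # Evaluates only ip4 mechanisms and "all"; other mechanisms are skipped.
    record = PUBLISHED.get(domain or "")
    if not record:
        return "none"
    version, *terms = record.split()
    tag, _, scopes = version.partition("/")
    if tag != "spf2.0" or scope not in scopes.split(","):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qual, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        if mech == "all" or (mech.startswith("ip4:") and
                             ip in ipaddress.ip_network(mech[4:], strict=False)):
            return RESULTS[qual]
    return "neutral"

def sender_id(envelope_from, raw_message, client_ip):
    return {"mfrom": check(domain_of(envelope_from), "mfrom", client_ip),
            "pra": check(pra_domain(raw_message), "pra", client_ip)}

# Constructed message: envelope sender and visible From use different domains.
SAMPLE = "From: Billing <billing@example.com>\nTo: user@example.org\nSubject: Notice\n\nbody\n"

if __name__ == "__main__":
    print(sender_id("bounce@lists.example.net", SAMPLE, "198.51.100.7"))
```

In the sample run the envelope check passes while the header check fails, which is the case an envelope-only check does not see.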
Unfortunately, several major issues arose during the operation of the Sender ID working group, MTA Authentication for DNS (MARID), which led to its demise. Technical questions arose as to whether Sender ID would work as specified. Most of these questions were rooted in the basic differences between path authentication and message authentication and remain unresolved.
Microsoft also filed for patents on parts of Sender ID, making the developer community unhappy about the strict licensing and ownership control Microsoft exerted, such as requiring Sender ID implementers to sign a license agreement to protect undisclosed and unspecified patents. Although the actual patent application was eventually published toward the end of the life of MARID, it came too late.
Another factor in MARID's demise was that eager technology reporters frequently reported email authentication as the final cure for spam. This created great expectations for email authentication, which were dashed once the hard truth settled in that email authentication did not stop spam.
As a result, any useful work of the MARID group slowed to a crawl, with the IETF eventually shutting down the group. Recently AOL has withdrawn its support and is falling back on Sender Policy Framework (SPF). Evidently AOL has technical concerns that Sender ID may not be fully backward compatible with the original SPF specification.
PHISHING: CUTTING THE IDENTITY THEFT LINE
By Rachael Lininger and Russel Dean Vines
334 pages; $29.99
John Wiley & Sons
Read Chapter 6, Helping your organization avoid phishing
This was first published in May 2005