Five of the Internet’s heaviest hitters will begin applying two systems to help spot whether email messages come from the addresses they purport to come from, and to reject those messages whose sources can’t be verified.
America Online, Yahoo, Hotmail, EarthLink, and Comcast would have implemented a single, combined version of Sender Policy Framework (SPF) and Sender-ID had Sender-ID’s creator, Microsoft, not insisted on individual licensing for the Caller-ID technology it developed as part of the Sender-ID package. That insistence led to an apparent final collapse of efforts to merge Sender-ID into SPF.
But Dave Anderson, chief executive of email system maker Sendmail, said the collapse didn’t mean Sender-ID was out of the fight against spoofing and phishing. "The SPF and Sender-ID people are still working together and are going to be using a common record format so you don't have to put up two sets of data," he told the BBC. "By the end of this year we expect that half of the email sent in the U.S. will have SPF records or some other form of authentication on it. But the more effective we are at filtering out spam, the more they will send."
With AOL, Yahoo, Hotmail, EarthLink, and Comcast imposing SPF and Sender-ID standards on bulk mailers, mail sent through those systems that can’t be authenticated to its source will be presumed to be spam or a phishing attack and will be rejected by those five systems.
"It makes a huge difference on the phishing side," Anderson said of the email attacks that use faked company notices to trick recipients into giving up sensitive personal financial information. He also said it makes a big difference in fighting spammers.
"For spammers this breaks the mechanism they have been using," he said. "The reality is that well north of 90 percent of spam that's sent never comes from the same address twice. We really have to change the way we think about this."