The "whitelist for my friends" part of "a whitelist for my friends, all others pay cash" seems to be underway... If we really do get cryptographic signatures on email in a way that works, expect 80% of all spam to be blown away as a matter of course. Cheers, RAH ------- <http://www.pcworld.com/resource/printable/article/0,aid,115094,00.asp> PCWorld.com Earthlink to Test Caller ID for E-Mail New systems could fight spam and Internet scams, company says. Paul Roberts, IDG News Service Friday, March 05, 2004 ISP Earthlink will soon begin testing new e-mail security technology, including Microsoft's recently released Caller ID technology, a company executive says. AdvertisementEarthlink will be experimenting "very soon," with "sender authentication" technology including Caller ID and a similar plan called Sender Policy Framework (SPF). The Atlanta-based ISP will be evaluating other e-mail security proposals as well, but is not backing any specific technology, says Robert Sanders, chief architect at Earthlink. Plans to secure e-mail by verifying the source of e-mail messages have garnered much attention in recent months, as the volume of spam has swelled and the number of Internet scams has increased. Spammers and Internet-based criminals often fake, or "spoof," the origin of e-mail messages to trick recipients into opening them and trusting their content. Sender authentication technologies attempt to stop spoofing by matching the source of e-mail messages with a specific user or an approved e-mail server for the Internet domain that the message purports to come from. Different Strategies So far, Earthlink has stayed out of the sender authentication fray while Web-based e-mail services, including Yahoo and Hotmail, and major ISP America Online, have all backed slightly different sender authentication proposals. Yahoo is promoting an internally developed technology called DomainKeys, that uses public key cryptography to "sign" e-mail messages. AOL said in January that it is testing SPF for outgoing mail, publishing the IP (Internet protocol) addresses of its e-mail servers in an SPF record in the DNS (Domain Name System). Finally, Microsoft-owned Hotmail is publishing the addresses of its e-mail servers using that company's recently announced Caller ID standard. Earthlink believes that sender authentication is necessary, and is prepared to support multiple sender authentication standards if necessary. However, the company hopes that one clear winner emerges from the field of competing proposals, Sanders says. "I don't think it's unlikely that we'll see two or three coexisting proposals go into production. We had hopes that they would be able to merge, but I think at this point each standard adds a different function, and we're unlikely to see a merger," he says. Coming Soon? For now, Caller ID and SPF will probably make it into production first, because neither require companies to deploy new software to participate in the sender authentication system, he says. Earthlink is also interested in proposals like Yahoo's DomainKeys, which allows e-mail authors to cryptographically sign messages, enabling recipients to verify both the content of a message and its author. However, DomainKeys is more complicated to deploy than either Caller ID or SPF and requires software changes that will slow implementation, he says. Earthlink is not backing any proposal but is interested in looking at the results of its trial deployments, and those of other organizations. "We have to get real world data from people who have deployed SPF or Caller ID," he says. The company is also a member of the Anti-Spam Technical Alliance, an industry group that includes Microsoft, AOL, Yahoo, Comcast, and British Telecommunications, and continues to participate in meetings and initiatives through that organization, he says. Microsoft's backing of Caller ID and its plans to use that technology for Hotmail tips the scales in favor of that technology, he says. "One factor that determines what you, as an e-mail sender, deploy is the important question of 'Who am I sending mail to?' What the larger [e-mail] receivers deploy is what you're going to support," he says. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'