The fight against spam is one of the biggest tasks facing the industry today, and a great deal of time and money has been invested in trying to thwart unwanted email -- but with little real success. But a new anti-spam measure currently under development, Sender Policy Framework (SPF), is attracting a lot of attention. Not only is it quick and inexpensive to implement, a recent trial by AOL indicates that it could generate the kind of widespread support fundamental for any anti-spam system to succeed
Some estimates put the level of spam at around 50 percent of all email sent over the Internet. In addition to messages advertising dubious goods and services, there are emails carrying worms that pose an additional hazard. While anti-spam and antivirus filters can help prevent these rogue messages making your inbox unusable, they can be defeated by changing the format of junk emails -- and the messages themselves are still using valuable bandwidth.
The problem is that simple mail transfer protocol (SMTP) has so few security features. Originally, any SMTP server would accept mail from anyone, for anyone -- known as an open relay. This wasn't a problem in the early days of the Internet, where there were fewer users, and virtually no commercial ones. However, open relay meant that a spammer could connect to a random server and use it to send thousands of messages. Open relay abuse can be dealt with by only permitting mail from or addressed to that server's registered users. But while open relay is no longer an issue for the vast majority of companies, mail that's correctly addressed to a valid mail address, but comes from a dubious source, is the big, big problem.
Closing the loophole
This is where SPF comes in. Also known as "Sender Permitted From", its purpose is to prevent forged email being sent by checking the sender is authorised to send email from the domain they're claiming to be from. That way, if a spammer attempts to send email from a faked address, the message will be rejected. Similarly, recent email-borne worms have pulled fake sender details from address books or Web page caches; they wouldn't be able to use this trick.
SPF uses the domain name service (DNS) to provide information about which servers will send mail on behalf of a particular domain -- in the same way as receiving mail servers are currently specified using Mail Exchange (MX) records. When a mail server gets an incoming message, it looks up the sender's domain to get the SPF record, and checks whether the sending server is in the permitted list. If not, the mail is rejected as a forgery. The use of DNS as the underlying mechanism means that no additional infrastructure is needed to make SPF work worldwide.
SPF's creators are careful not to over-hype the system's capabilities: It won't solve spam completely, overnight or unilaterally. It can't prevent spam with genuine addresses (although this is easier to trace) or from spam-friendly domains that choose not to participate in the scheme. But it will stop a large amount of the spam sent currently and will help make spammers easier to trace and prosecute.
SPF isn't yet an official standard, but is being submitted to the Internet Engineering Task Force (IETF) for consideration as a standard. There's every reason to believe it will be adopted, since it's vendor-neutral, patent-free and requires very little in the way of extra software to implement. It also doesn't require the sender to do anything special, such as visit a validation Web page or include a special code in the email. Crucially, it also doesn't rely on having a third party verify mail or provide any sort of certificate -- everyone is master of their own domain.