Bill Gates, who was recently reported as saying Microsoft could help solve the spam problem within two years, yesterday unveiled a raft of proposals for making the vision a reality, including introducing an internet-wide “caller ID” for email.
Softening his words somewhat, Gates said in his keynote address at the RSA Conference in San Francisco yesterday: “Our goal here is to get rid of spam, and we believe that over the next several years… we can reduce spam to not being a huge problem.”
The company introduced Caller ID for E-Mail, a sender authentication system that calls for relatively simple but system-wide changes to email systems and the way the internet’s domain name system works.
Gates called the unauthenticated nature of email a huge security hole. He added: “Like so many of the standards and protocols that grew up on the Internet in the early days, we need to strengthen these in this environment where there is malicious activity.”
In a nutshell, Caller ID for E-Mail means publishing the IP addresses of outbound email servers in the DNS, and having receiving email servers configured to cross-check domains with these IP addresses before accepting incoming mail.
It’s already easy enough to blacklist spammers’ domains, and to whitelist friendly domains, but spoofing spoils all that. If email can be authenticated against a domain, it makes it a lot easier to assign a reputation to that domain based on its email behavior.
Caller ID for E-Mail requires an email policy document to be published in the TXT field of a domain’s DNS record. This field has always been in DNS, used to store extraneous or random ASCII text data about the domain.
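The receiving-side cross-check and the domain reputation it enables can be sketched as follows. This is an added example, not Microsoft's code or policy format: the "outbound=" record syntax, the function names, the use of the From address to pick the domain, and all sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (documentation-range addresses).
# The "outbound=" syntax is a simplified placeholder, not the real policy format.
TXT_RECORDS = {
    "example.com": "outbound=192.0.2.10,192.0.2.32/28",
    "example.net": "outbound=198.51.100.7",
}

def published_senders(domain, txt=TXT_RECORDS):
    """Networks a domain lists as outbound mail servers; None if no policy."""
    record = txt.get(domain.lower())
    if record is None or not record.startswith("outbound="):
        return None
    nets = []
    for item in record[len("outbound="):].split(","):
        try:
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
        except ValueError:
            continue  # ignore malformed entries instead of trusting them
    return nets

def check_sender(client_ip, from_address, txt=TXT_RECORDS):
    """Return 'pass', 'fail', or 'unknown' when the domain publishes nothing."""
    nets = published_senders(from_address.rpartition("@")[2], txt)
    if nets is None:
        return "unknown"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in net for net in nets) else "fail"

def score_reputation(messages, txt=TXT_RECORDS):
    """Tally (good, spam) counts per domain from authenticated mail only."""
    rep = {}
    for client_ip, from_address, is_spam in messages:
        if check_sender(client_ip, from_address, txt) != "pass":
            continue  # spoofed or unverifiable mail says nothing about the domain
        domain = from_address.rpartition("@")[2].lower()
        good, spam = rep.get(domain, (0, 0))
        rep[domain] = (good + (not is_spam), spam + is_spam)
    return rep

# Constructed sample: (connecting IP, From address, judged spam by the recipient)
SAMPLE = [
    ("192.0.2.40", "news@example.com", False),      # listed server
    ("203.0.113.99", "billing@example.com", True),  # spoofed domain
    ("198.51.100.7", "offers@example.net", True),   # authenticated spam
    ("203.0.113.5", "bob@example.org", False),      # no policy published
]
print(score_reputation(SAMPLE))
```

The spoofed message claiming example.com does not count against that domain, while the spam that authenticated as example.net does count against example.net.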
Gates said Microsoft has patents on Caller ID, which will be made available for royalty-free license. “We’re talking with other ISPs and mail providers, and we believe that by this summer, with the right agreements, we can put this in place,” he said.
Microsoft will support Caller ID in its email products and services, and Sendmail Inc, one of the larger providers of mail transfer agent software, yesterday said it too will support the Microsoft initiative, as well as a similar initiative from Yahoo! Inc.
Sendmail CTO Eric Allman said the company will support any similar technically sound measure that garners industry support. Currently, he said, Yahoo’s DomainKeys and Microsoft’s Caller ID have their strengths and weaknesses.
DomainKeys resembles a public key infrastructure, but no certificates are required. It is technically similar to Caller ID, but instead of IP addresses, a cryptographic public key is placed in the TXT field of the DNS record.
A key pair is generated. Email senders sign their outgoing mail with their private key, and recipients check it against the public key in the DNS. This has the added benefit of making the email tamper-resistant, Allman said.
Gates has been introducing the world to these ideas for half a year, and they are both included in a white paper entitled Coordinated Spam Reduction Initiative that Microsoft published yesterday as a thought-tool for the industry.
This article is based on material originally published by ComputerWire