With its subscribers deluged by unsolicited commercial email, ISP AOL is trying new technology to crack down on one common spammer tool: forged sender addresses, which spammers and virus writers use to bypass blacklists and trick recipients.
AOL is testing a protocol called 'sender permitted from' (SPF) across its entire user base of 33 million subscribers.
SPF is designed to eliminate email forgeries by enabling organisations to specify which servers can send mail on behalf of their internet domain, according to Nicholas Graham, an AOL spokesperson.
SPF stops email address spoofing by modifying the domain name system (the system that translates numeric IP addresses into readable internet domain names) to declare which servers can send mail from a particular internet domain. AOL is using SPF to publish the IP addresses of the servers it uses for outgoing email.
The company briefly tested the protocol two weeks ago, before shutting it off to make technical changes based on feedback from other ISPs, says Graham, who declines to describe the changes.
The program is still experimental and for now AOL is not using SPF to filter mail from other internet domains, Graham says.
SPF "is just getting off the ground," Graham says. "AOL is interested in putting the proposal out there and getting feedback from stakeholders." Those stakeholders include other major ISPs such as Microsoft's MSN.
The long-term benefit of SPF is that, when the technology is widely deployed, email providers will be able to associate reputations with internet domains rather than with IP addresses, which are harder to track, according to Eric Raymond, president of the Open Source Initiative.
SPF itself will not stop spam, but it will help other antispam technologies like spam traps, by enabling ISPs to track spam back to specific domains and forcing spammers to move to new domains more frequently, Raymond said. The combination of technologies can be likened to a "drug cocktail" that, taken together, may stop spam, he said.
AOL's current SPF test is scheduled to run for the foreseeable future, pending feedback from ISPs, organisations receiving AOL email in bulk, and ordinary internet users. However, AOL will wait for consensus within the internet community before making any final moves regarding SPF.
"It's premature to start looking forward. This is intended to be nothing less than a collaborative, cooperative process," Graham says.