AOL backs away from Microsoft antispam plan

It has decided against moving forward with Microsoft's Sender ID spam-fighting plan

America Online Inc. has decided not to fully support Microsoft Corp.'s Sender ID spam-fighting plan after the Internet Engineering Task Force (IETF) and the open-source community expressed intellectual property concerns.

"AOL will now not be moving forward with full deployment of the Sender ID protocol," spokesman Nicholas Graham said in a statement sent via e-mail yesterday. Instead, the Dulles, Va.-based Internet service provider will support only the sender policy framework (SPF) to fight spam by verifying the source of e-mail sent to its users, he said.

AOL's rejection comes a week after an IETF group considering Sender ID as a standard said the proposal needed rewriting (see story). Earlier this month, open-source groups The Apache Software Foundation and the Debian Project dismissed Sender ID because the license would prevent them from supporting the technology.

AOL is concerned about the lack of acceptance for Sender ID in the open-source community, Graham said. In addition, the Internet service provider is afraid that recent changes to Sender ID will make it incompatible with the original SPF specification, he said. AOL had endorsed Sender ID when it was submitted to the IETF in June.

Although AOL's decision could be seen as another setback for Sender ID, Microsoft said AOL's action is fully in line with the Sender ID proposal, which is being revised.

Support for SPF equals support for Sender ID, said Microsoft spokesman Sean Sundwall. "AOL's decision to conduct just the SPF check reflects exactly the flexibility provided by the Sender ID proposal. Sender ID is still alive, and there are two ways to do the checking."

Sender ID combines SPF, which was developed by Meng Weng Wong of, and the Microsoft-developed Caller ID specification. In May, Microsoft and Meng agreed to merge their proposals and submitted it to the IETF a month later.

The Sender ID proposal to the IETF is being rewritten to allow flexibility on which checking method is used, either the SPF method or a check for the Purported Responsible Address, which was first published as part of Microsoft's original Caller ID plan, Sundwall said. "AOL's news is much ado about nothing," he said.

Microsoft and Wong propose Sender ID as a standard for e-mail authentication, designed to prevent faking of e-mail addresses and the origin of an e-mail message. For example, criminals have used the ability to forge the origin of an e-mail in schemes involving e-mail that looks like it is from a bank in order to trick users into giving up personal information.

With SPF, organizations publish a list of their approved outgoing e-mail servers, called an SPF record, in the Domain Name System. That SPF record is then used to verify the source of e-mail messages sent to other Internet domains. Microsoft's Caller ID works in a similar way.

AOL isn't completely backing out of Sender ID. It won't check Sender ID records on mail coming in, but it will publish Sender ID records for outbound mail, Graham said.

AOL said it is also looking at Domain Keys, a technology developed by rival Yahoo Inc., for possible use in tandem with SPF. With Domain Keys, each e-mail gets a digital signature to verify its source.

Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon