The author of the study, email services provider MX Logic, analysed nearly 10 million bulk email messages that it had filtered on behalf of its clients in late August. The company found that nearly a sixth of the sources of the junk messages used a protocol known as Sender Policy Framework (SPF) to certify that the email addresses used in the messages were real.
While SPF has been touted as a way to stop spam, the data has shown that the true value of the protocol is more about preventing fraud, said Scott Chasin, chief technology officer of the Denver company.
"Authentication (with SPF) by itself is not a spam cure-all," Chasin said. "SPF -- as it relates to having an impact on spam -- will hurt only those who spoof domains. You are still going to need content filtering to see if the message was unsolicited."
SPF is one of two technologies currently being considered as part of a hybrid method, dubbed Sender ID, for certifying the source of email messages. Another technology, Microsoft's Caller ID for E-mail, makes up the other half of the proposed standard. Because it used technology that Microsoft is attempting to patent, Sender ID may require that users sign a licence from the software giant, which has angered many project groups in the open-source world.
That debate has caused many Internet engineers and mail administrators to take another look at SPF, created by Meng Wong, the founder of email service firm Pobox.com.
The Internet Engineering Task Force, the technical committee creating the standard, debated the issues extensively over its e-mail list during the last two weeks.
MX Logic's Chasin argues that SPF does not really solve the problem of spam -- at least not until there are supporting services to provide a measure of the reputation of the various email senders.
"SPF is great at combating fraud such as phishing," he said. Phishing is the Internet scam that usually uses email designed to look as if it came from an official organisation, such as a bank or government agency, to elicit personal data. "Phishing attacks are all about spoofing someone's domain name."
The majority of the SPF users found that spam was coming from "gobbledygook" domain names, not from legitimate companies, he said.
Chasin argues that new services are needed to give email recipients a measure of the reputation of the sender. Such services would basically certify that certain servers belong to "good" email senders, allowing message-filtering software to classify such email as legitimate.
"The email filters could then let through legitimate email," he said. "It would be 'guilty until proven innocent.'"
