October 25, 2004 6:49 PM PDT

Microsoft reworks antispam spec to silence critics

Microsoft has revised its antispam specification Sender ID following the spec's near-death in the technical community.

The software giant said Monday that it has rewritten Sender ID--a specification for verifying the authenticity of e-mail with Internet Protocol records--to address criticisms of the spec's earlier incarnation. Among other changes, Microsoft removed language in its pending patents for SenderID that could have included claims to Sender Permitted From, or SPF, a widely used system for e-mail authentication that was merged with Microsoft's CallerID for Email to create Sender ID, according to Microsoft's Ryan Hamlin.

"We wanted to complete what we started," said Hamlin, general manager for Microsoft's safety technology and strategy group. Microsoft has resubmitted the specification to the Internet Engineering Task Force, a technical standards body.

Last month, the IETF shut down the working group that was charged with building consensus for Sender ID and turning it into an industry standard. Consensus became impossible after some people in the open-source community said Microsoft's patent claims could enable the software company to eventually charge royalties. Others were critical of the system's inability to work with previously published records in SPF.

As a result, America Online and open-source groups pulled their support of Sender ID. And Meng Wong, the architect of SPF, said he would retrench on his technical specification alone.

Microsoft's Hamlin said Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published. He also said Sender ID will give e-mail providers a choice to publish records in SPF, which verifies the "mail-from" address to prevent fraud, or in PRA--purported responsible address.

PRA records let an e-mail provider check the "display address" of an e-mail in its headers against the numerical IP address of the sender. That process can prevent so-called phishing attacks by spammers who forge the display address.

E-mail providers and senders now have the ability to publish in and check the authenticity of e-mail with both methods in Sender ID.

"We've been trying to make it as user-friendly as possible. We've got the spec to the point where you only have to publish one record for two purposes. I see that as a little victory," said Wong.

Still, some people in the open-source community are concerned about Microsoft's other pending patent over Sender ID, which prevents users of the specification from sublicensing it.

AOL said Monday that it has renewed support for Sender ID in its current form.

The IETF has granted Sender ID "experimental" status so that the industry can test it, along with competing e-mail authentification proposals, and build consensus that way.

8 comments

Join the conversation!
Add your comment
Makes use of is NOT compatible with
"Microsoft's Hamlin said Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published."

Sender ID PRA checks are NOT 100% compatible with SPF records. The new version of the spec says that Sender ID will make use of these records, but the use is not consistent with what the publishers of these records had in mind when they published.

Perfectly valid e-mail that would pass an SPF check can be rejected by Sender ID. SPF record publishers now have no choice. They must either:

1. Delete their SPF records (damaging both technologies).

2. Figure out how to do Sender ID.

This record hijacking by Microsoft and company makes it impossible to do SPF (a free solution, not encumbered by patents) without getting involved in Sender ID (Microsoft Patent Pending).
Posted by (2 comments )
Reply Link Flag
Great Analysis. CNET Hire This Fellow. ..
Scott,

Killer conclusion:

This record hijacking by Microsoft and company makes it impossible to do SPF (a free solution, not encumbered by patents) without getting involved in Sender ID (Microsoft Patent Pending).

What does Meng make of this?

Thanks for the insight.
Posted by Sumatra-Bosch (526 comments )
Link Flag
Makes use of is NOT compatible with
"Microsoft's Hamlin said Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published."

Sender ID PRA checks are NOT 100% compatible with SPF records. The new version of the spec says that Sender ID will make use of these records, but the use is not consistent with what the publishers of these records had in mind when they published.

Perfectly valid e-mail that would pass an SPF check can be rejected by Sender ID. SPF record publishers now have no choice. They must either:

1. Delete their SPF records (damaging both technologies).

2. Figure out how to do Sender ID.

This record hijacking by Microsoft and company makes it impossible to do SPF (a free solution, not encumbered by patents) without getting involved in Sender ID (Microsoft Patent Pending).
Posted by (2 comments )
Reply Link Flag
Great Analysis. CNET Hire This Fellow. ..
Scott,

Killer conclusion:

This record hijacking by Microsoft and company makes it impossible to do SPF (a free solution, not encumbered by patents) without getting involved in Sender ID (Microsoft Patent Pending).

What does Meng make of this?

Thanks for the insight.
Posted by Sumatra-Bosch (526 comments )
Link Flag
So what -- it's too late Microsoft
It's too little too late, Microsoft. The world has SPF, which is "good enough" to solve the problem spf was designed to solve: joe-jobbing. The damage that was done with the whole patent mess has completely removed any credibility Microsoft once had in this area. Who can trust an organization that participates in what it calls an open standards process, only to unleash unspecified patent attacks once the standard is adopted?

And in any case, SPF is nothing compared to the technology developed by MailChannels (www.mailchannels.com).
Posted by ttul (34 comments )
Reply Link Flag
So what -- it's too late Microsoft
It's too little too late, Microsoft. The world has SPF, which is "good enough" to solve the problem spf was designed to solve: joe-jobbing. The damage that was done with the whole patent mess has completely removed any credibility Microsoft once had in this area. Who can trust an organization that participates in what it calls an open standards process, only to unleash unspecified patent attacks once the standard is adopted?

And in any case, SPF is nothing compared to the technology developed by MailChannels (www.mailchannels.com).
Posted by ttul (34 comments )
Reply Link Flag
It's Like the Mansons Cleaning the Forks Before the Dinner Party
MSFT is sounding more and more like an insane asylum for IP laywers with traumatic brain injury every day.

Let's get this straight: The whole world is supposed to believe a convicted monopolist with a record of IP theft and astroturfing using the stolen identities of dead people (see the Utah attorney general's case during the anti-trust trials) has unquestionably valid patents for email technologies in an industrial art space occupied by thousands of companies. And the whole world is supposed to ratify that without question and then what? Mail forwarding is broken and the spammers still win. Perfect, that's what everyone wants. Settles that.

The fact that this is being reported as anything but situation comedy is a crime against every company (and engineer) that ever contributed anything to the Internet's email architecture.

CNET and reporters from all over the world need to ask the following questions of people other than Microsoft. . .

Are MSFT's intellectual property claims at all valid?

They've never been tested in court.

Could they survive any kind of test? Which claims would fall first?

What would be the precipitate of wide scale ratification of their claims to the IP space? To the funcationality of email?

If MSFT were to assert positively (sue someone) later on, what companies are rich in IP in the industrial art space who would be forced into the field to defend their own IP?

The press like brain-damaged monkeys simply report MSFT's spurious claims with no comment from an independent IP counsel.

Reporters from Road and Track would certainly go after Bendix if they tried the same thing with automotive breaking technology.

In the first instance, MSFT's proposition is preposterous.

Reporting this as news is a waste of great comedic material, CNET. If you guys had a sitcom, MSFT's OSP would be good for 6 episodes.
Posted by Sumatra-Bosch (526 comments )
Reply Link Flag
It's Like the Mansons Cleaning the Forks Before the Dinner Party
MSFT is sounding more and more like an insane asylum for IP laywers with traumatic brain injury every day.

Let's get this straight: The whole world is supposed to believe a convicted monopolist with a record of IP theft and astroturfing using the stolen identities of dead people (see the Utah attorney general's case during the anti-trust trials) has unquestionably valid patents for email technologies in an industrial art space occupied by thousands of companies. And the whole world is supposed to ratify that without question and then what? Mail forwarding is broken and the spammers still win. Perfect, that's what everyone wants. Settles that.

The fact that this is being reported as anything but situation comedy is a crime against every company (and engineer) that ever contributed anything to the Internet's email architecture.

CNET and reporters from all over the world need to ask the following questions of people other than Microsoft. . .

Are MSFT's intellectual property claims at all valid?

They've never been tested in court.

Could they survive any kind of test? Which claims would fall first?

What would be the precipitate of wide scale ratification of their claims to the IP space? To the funcationality of email?

If MSFT were to assert positively (sue someone) later on, what companies are rich in IP in the industrial art space who would be forced into the field to defend their own IP?

The press like brain-damaged monkeys simply report MSFT's spurious claims with no comment from an independent IP counsel.

Reporters from Road and Track would certainly go after Bendix if they tried the same thing with automotive breaking technology.

In the first instance, MSFT's proposition is preposterous.

Reporting this as news is a waste of great comedic material, CNET. If you guys had a sitcom, MSFT's OSP would be good for 6 episodes.
Posted by Sumatra-Bosch (526 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.