August 12, 2004 12:10 PM PDT

Microsoft touts 'Sender ID' to fight spam, scams

Microsoft on Thursday is holding a summit with members of the E-Mail Service Provider Coalition to address the use of Sender ID technology as a standard to fight spam and phishing.

The software giant said it would gather more than 80 members of the ESPC coalition at its Redmond, Wash., headquarters to discuss using Sender ID as a way to ensure that e-mail originates from the Internet domain it claims to come from. Fighting the annoyance of spam and the dangers of fraud activity such as "phishing" is among the top concerns of Internet users and the companies that serve them.

Sender ID validates the server Internet Protocol address of the sender to assure an e-mail recipient that a message claiming to be from a credit card company actually is. The technology relies on Microsoft's Caller ID for E-Mail technology and the Sender Policy Framework, authored by Meng Weng Wong, chief technology officer at Pobox.com.
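The receiving-server check described above, as an added example that is not part of the original article or of the Sender ID and SPF proposals: it compares the connecting IP address with SPF-style ranges published for the claimed domain. The domains, addresses, the `PUBLISHED_POLICIES` table (standing in for DNS lookups) and the `check_sender_ip` name are constructed for illustration, and only literal `ip4`/`ip6` ranges and `all` are evaluated.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (documentation address ranges).
PUBLISHED_POLICIES = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "newsletter.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Qualifier prefix on a mechanism -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender_ip(claimed_domain, connecting_ip, policies=PUBLISHED_POLICIES):
    """Return the policy result for a connection claiming to send for claimed_domain.

    connecting_ip is the peer address of the SMTP TCP connection, not a value
    taken from message headers, which the sender controls.
    """
    record = policies.get(claimed_domain.lower())
    if record is None:
        return "none"  # domain publishes no policy; nothing to validate against
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    client = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for every other sender
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the published record
            if client.version == network.version and client in network:
                return QUALIFIERS[qualifier]
            continue
        # Mechanisms that need further DNS lookups (a, mx, include, ...) are
        # outside this example.
        raise NotImplementedError(f"mechanism {name!r} not handled")
    return "neutral"  # nothing matched and the record has no "all" term
```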

The Internet Engineering Task Force is currently evaluating Sender ID as an industry standard for e-mail authentication. Thursday's meeting will look at what Sender ID can do to control unwanted e-mail and at the challenges the technology will bring to legitimate users of e-mail.

Several companies have already announced plans to roll out products and services that support Sender ID, including Cloudmark, DoubleClick, IronPort Systems, Sendmail, Symantec, Tumbleweed and VeriSign, Microsoft said in a statement.

DoubleClick, which delivers Web advertising, will use Sender ID in the e-mail system it uses to communicate with its customers. Ken Takahashi, DoubleClick's senior director of e-mail operations and ISP relations, said a framework like Sender ID is only part of the solution to controlling unwanted and fraudulent e-mail.

"Since the spam epidemic exploded in the past few years, we have always maintained that a solution could only come from a combination of legislation, technology, industry self-regulation and consumer education."

Companies and individuals are increasingly deluged with spam and phishing scams, in which con artists send e-mail purportedly from a recipient's bank, credit card company or Internet provider requesting sensitive information such as "lost" credit card numbers or passwords "needing confirmation."

Spammers often "spoof" their return addresses--forging them to make them look legitimate to the recipient's spam filters. This can trick recipients into opening the unwanted mail, because it appears to be from a known contact. The technique also assists in the dissemination of e-mail viruses.

Other efforts
The e-mail problems have sparked efforts by other e-mail giants such as America Online and Yahoo to research their own authentication systems. AOL and Yahoo have technologies in the works, and plan to implement them into their e-mail systems by year's end.

AOL has been testing a system called Sender Permitted From, or SPF, that uses the domain name server (DNS). A company spokesman said SPF tests for outbound mail are currently compatible with Sender ID. The company plans to test inbound SPF with Sender ID beginning in September. AOL also will test technology supported by Yahoo by the end of the year.

"This isn't an online medal race to see who gets the gold when it comes to spam-fighting," AOL spokesman Nicholas Graham wrote in an e-mail. "We're all on the same team."

As for Yahoo, the Web portal is testing its so-called DomainKeys system for Yahoo Mail. The technology creates an encrypted e-mail address signature and then uses DNS to verify that a message came from Yahoo. Recipient e-mail servers must add software to use DomainKeys.

A Yahoo spokeswoman said the company is also looking into Sender ID technology.

"We are evaluating IP-based solutions like SenderID," said company spokeswoman Terrell Karlston. "We are eager to see the results of some rounds of testing by other industry leaders."

CNET News.com's Jim Hu contributed to this report.

8 comments

Microsoft Knows Best
Yes, something needs to be done about spam but I'm not sure this will really help all that much. I'm sure Sender ID will be just as spoofable as any email header, subject, or to field in email. Even if the IP address is recorded and validated with a third party -- I can set up a simple Linux server to masquerade as anyone (IP/MAC address) I want.

Personally, I think a new version of SMTP needs to be developed and adopted. Something that has built-in security and optionally backward compatible with current SMTP protocol. SMTP was designed when the Internet was a kinder and non-commercial place when stuff like security and privacy were much less of an issue.

Of course, no single action will stop spam completely, but a more robust SMTP system should go a long way towards it.
Posted by awesomejt (32 comments )
Have you read the proposal?
First, neither senderID, callerID or SPF are the be all, end all solutions to the spam problem. Neither Microsoft, pobox.com, AOL, earthlink, or anybody else involved with implementing the proposal says this is the TOTAL solution to the problem. They all say (and I agree with them) that a proposal like senderID is an important PART of the solution to spam.

Have you read the senderID proposal that the MARID group at the IETF is considering? If so, you would know that SPF is a subset of senderID, and that it is implemented in the SMTP server receiving the mail.

I disagree with your assertion that senderID could be fooled merely by setting up a Linux box the right way. It means you would have to be able to converse with an SMTP server through a TCP connection with a spoofed IP. Unless you have physical access to the same subnet as the server, this requires not only sending the packets to the SMTP server blind, but with the correct packet sequence numbers. Not likely, and even less likely to work with enough reliability to make such a connection undetectable.
Posted by (15 comments )
Sigh...
Exactly how will this Sender ID thing fix the inherent security problems that almost look designed into Windows?

Meaning, how will this stop Windows PCs from getting zombied and thus turned into a spam bot?

As usual, this is just about getting people hooked on empty promises with strings attached. As well as dealing with symptoms after the fact. Never mind the causes.

In lame terms, by the time a known spam bot (aka: someone that got zombied) is identified the spammers will have moved on. Will it help to identify spammers eventually then? Maybe on paper but those in the real world know better. Will it help to lower the amount of spam in your inbox? Maybe on paper but those in the real world know better. Will it help to get you locked into overpriced solutions for your symptoms? Not on paper but those in the real world know better. Can I use those overpriced solutions in some sort of free way? Sure, plenty of cracks around for anyone, but only as long as is needed. Are there any experts around who would disagree with this assessment? Plenty, problem is though that they're commercially motivated to tell you so. What am I to do then? Sorry, there's no easy way out. Either you go along with the ride and do as you're told by others (see what happens later, however costly that is) or you'll learn to take matters into your own hands however problematic that'll turn out to be every now and then.

Folks, all that this Sender ID is about is: look, we're doing what we can (what we want), please stick to our way and ignore all those other alternatives.

Alas, in reality, it seems most people like to dream so a short term solution to the real causes doesn't seem at hand. The only thing that would work is a mass drop in using IE and Windows. Only that will motivate Microsoft to solve causes rather than symptoms. Without strings attached.

Let's face it people, those who stick with the program usually end up last. And getting the short end of the deal.
Posted by arthur-b (31 comments )
Great effort
That's the way that Microsoft should always have: Thinking in new ways to improve their system.
Posted by audiophile7 (5 comments )
A "tech standard" from Microsoft?
I think the world should be wary at least about any "standard" that Microsoft tries to introduce that purports to solve an open systems issue like e-mail authentication. They don't believe in open system and all effort is geared towards a lock in/lock out situation for their OS. Down the road they will attempt to patent certain conceivable uses of the "standard" with the premise that after all they invented it -- just as they have done with XML. An attempt to corner e-mail will even be more sinister. Looking at Microsoft's past unfair tactics, I wouldn't put it beyond them.
http://www.xmlhack.com/read.php?item=491
http://news.cbsi.com/2100-7345_3-5158432.html?part=rss&tag=feed&subj=news
Posted by (23 comments )
What about patents?
I'm more concerned that Microsoft will use their patent licensing to block open source from being part of the effort. I mean, let's face it, they have proven before that they are not above such things.

If they really cared about "helping our customers" that much, they wouldn't be making the patents an issue. Sendmail, Qmail, Postfix etc make up a very big part of the Internet's mail systems, and if MS makes the patent license a part of the deal (thereby blocking Open source MTAs from incorporating it), they will be doing it not to "help their customers" but rather to try and help themselves. Also, it will be much less effective since most of the net runs on Sendmail.

rgds

Frank
Posted by aabcdefghij987654321 (1721 comments )
Worthless
How about they just fix their operating system so PCs don't
become spam sending drones so easily. Instead they want to
invade our privacy and set a horrible precedent.
Just like Micro$hit to come up with a new "standard" instead of
fixing the root of the problem.
Posted by 198775425444042216790779840523 (102 comments )
You're stupid
Wow, you're stupid. How is the O/S the problem?!?!... how do you know the "spam bots" are running a Windows machine? They could be running ANY operating system.
Posted by MattEvans16 (1 comment )