August 9, 2005 4:00 AM PDT

Sender ID's fading message

(continued from previous page)

exist. There are several versions of SPF, and there is Sender ID, for example.

Those could be reasons why the technology hasn't proved too popular with businesses. Gartner analyst Lydia Leong doesn't expect companies to start picking it up anytime soon. "Adoption will be slow, and many enterprises will not publish records until 2007," she said.

About 1 million domains currently publish SPF records, Microsoft said. That's much fewer than the 71.4 million domains that had been registered worldwide by the end of last year.

There is evidence to suggest that quite a few of the technology's adopters are senders of junk e-mail. Out of a sample of more than 17.7 million e-mail messages taken in late June, a little more than 9 percent were from domains that published an SPF or Sender ID record, according to spam-filtering company MX Logic. About 84 percent of those authenticated messages were spam, it found.

"The majority of the adoption has been by rogue senders trying to get some legitimacy for their messages," said Scott Chasin, the chief technology officer at Denver-based MX Logic.

For spammers, publishing a valid record means they will pass any Sender ID authentication part of a general spam check. Earlier this year, Microsoft said its Web-based e-mail service Hotmail would start flagging messages without valid authentication. Later this year, the company plans to introduce "tougher filtering on nonauthenticated e-mail," Craig Spiezle, director of Microsoft's technology care and safety group, said in June.

"The spammers have more of a motivation to go and do it than most other people," said Forrester analyst Paul Stamp.

Critical mass
For Sender ID to get picked up more widely, the technology needs to become easier to adopt and provide a clear benefit to users, analysts and experts said. "If we don't reach critical mass on the authentication of legitimate senders, there are going to be dire consequences," said Dave Lewis, vice president of marketing at Redwood Shores, Calif.-based StrongMail.

Many of the legitimate e-mail senders who have attempted to publish information on their e-mail servers have made errors, said Dean Drako, the CEO of Barracuda Networks, a Mountain View, Calif.-based maker of antispam appliances.

"We're big proponents of SPF, and all our boxes support it," Drako said. "But we have to recommend to our customers that they do not do any filtering on it, because there are too many false positives. A significant number of people who have published their SPF record have done so incorrectly."

Working with e-mail authentication should be made easier for companies, agreed Lewis of StrongMail. For example, makers of e-mail server software could include simple wizards that collect the needed information, he suggested. "Also, notice back should be provided if there is improper authentication," he said.

Sender ID may not be the perfect solution, Lewis said. "But if we hold out for the silver bullet, we will see a continued erosion in consumer trust in e-mail."

The problem goes beyond junk mail that advertises herbal stimulants or get-rich-quick schemes. Phishing is costing victims real money. An estimated 2.42 million U.S. adults lost money in phishing attacks in the 12-month period that ended in May, according to Gartner. Total losses amounted to nearly $929 million, the research firm said. That in turn hurts customers' relationships with online businesses.

"Where sender authentication is really valuable to enterprises, right now, is in the area of phishing," Gartner's Leong said.

That is why major e-commerce players such as eBay and banks such as Bank of America have been among the first to adopt it, Leong said. Those businesses are among the 36 companies, organizations and individuals who, along with Microsoft and SPF developer Wong, sent a letter to the Federal Trade Commission to promote industry collaboration on e-mail authentication.

Standard process
The move was only the latest for Microsoft, which has been pushing for widespread e-mail authentication since Gates unveiled the predecessor to the current Sender ID specification in February 2004. But the effort has had its critics. Some have accused the Redmond, Wash., software giant of trying to strong-arm the industry into accepting Sender ID, especially given its warning that Hotmail may treat unauthenticated messages as spam.

Critics have pointed out that Sender ID is not an accepted standard, and some say it has many shortcomings. Last year, the Internet Engineering Task Force, a standards-setting body, let a Sender ID working group expire. The Internet Engineering Steering Group, a division of the IETF, said in June that it would solicit comments on Sender ID and on SPF as two separate proposals.

There are technologies that offer an alternative to Sender ID and SPF, such as Yahoo and Cisco Systems' DomainKeys Identified Mail, which is also making its way through the standards process. DKIM attaches a digital signature to outgoing e-mail so that recipients can verify that the message comes from its claimed source.

The Sender ID and DKIM camps, however, say the technologies are complimentary, and many of the companies that back Sender ID also support DKIM.

That flexibility could prove a benefit in the fight against spam and phishing if Sender ID ends up having to co-exist with other technologies. It's also a sign that the software industry is serious in its desire to crush spam and keep e-mail functioning. At the moment, though, a lack of enthusiasm and know-how is holding up mass adoption. But for Barracuda Networks' Drako, it's actually the lack of immediate payback that's keeping a majority of the legitimate e-mail senders from using the e-mail authentication technology.

"It won't solve a problem until everybody adopts it," Drako said, echoing other experts. "If we can get to a place where a significant portion of e-mail has valid SPF records, then we can start to do things to fight spam more effectively."

Previous page
Page 1 | 2

32 comments

Join the conversation!
Add your comment
It's useless then
Wait a moment... Spammers are adopting Sender ID? But isn't it supposed to authenticate that messages claim to come from one domain actually come from there? And yet, more spammers have adopted it than legitimate users? What good can come from an anti-spam technology that spammers use to get their junk messages out?

I was initially against Sender ID because it is a propietary standard, but now that I read this, I see that it is absolutely useless.
Posted by Sentinel (199 comments )
Reply Link Flag
Well...
assuming it actually worked then I thinks it's real use would have been to stop phishing scams. Or e-mails with faked headers.

But your right, it's useless. What they really need to do is block domain names of spammers and use a technology like Sender ID to thwart phishers. Either way won't eliminate spam or people trying to steal information, but maybe it might curve it a bit.

Personally, I really like the way places like Spamhaus blocks spammers. They just block the entire IP address. It doesn't stop spammers because they just move to a new IP address, but it sure puts a hurting on anybody who shares that IP address. Of course try to explain that to the righteous spam blockers like Spamhaus who haven't done crap to stop spam.
Posted by System Tyrant (1453 comments )
Link Flag
Not Useless, unless NOBODY Adopts
I agree that I have simple requirements, but I adopted SPF in 2004, and SPF/SENDER ID works even better if the SPAMMERS adopt it and you use RBL's, plus it kills the ZOMBIE home machines. I guess the people who write articles and some of the people who read those articles really don't understand the mechanics involved in the process.
Posted by tbeckner (56 comments )
Link Flag
Way to go MS...
So first they (MS) are trying to push a proprietary standard. For obvious reasons it was not accepted. Then they (still MS) are trying to strong-arm their proprietary standard on the Internet. Apparently this didn't work either. And now it is everybody else's (except MS) fault emails are no longer trusted?

They can have a monopoly with their windows platform, but that is where it ends, and SenderID just proves it.

If they were that worried about the email system, they shouldn't have made it proprietary to begin with.
Posted by Steven N (487 comments )
Reply Link Flag
Way to Go Apple
So first they (Apple) are trying to push a proprietary standard. For obvious reasons it was not accepted. Then they (still Apple) are trying to strong-arm their proprietary standard on the Internet. Apparently this didn't work either. And now it is everybody else's (except Apple) fault emails are no longer trusted?

They can never have a monopoly with their OSX platform, and that is where it ends.

If they were that worried about the email system, they shouldn't have made it proprietary to begin with.
Posted by 201293546946733175101343322673 (722 comments )
Link Flag
Microsoft strikes (out)
Once again Microsoft thinks it can force a "standard." That isn't the way it works. Business is tired of paying for proprietary "standards", and if Microsoft doesn't take that to heart, they will eventually start to see revenue erosion.

My guess is that the Cisco/Yahoo initiative will be the winner anyway.
Posted by R. U. Sirius (745 comments )
Reply Link Flag
Apple Strikes (out)
Once again Apple thinks it can force a "standard." That isn't the way it works. Business is tired of paying for proprietary "standards", and if Apple doesn't take that to heart, they will eventually start to see revenue erosion.

My guess is that the Cisco/Yahoo initiative will be the winner anyway.
Posted by 201293546946733175101343322673 (722 comments )
Link Flag
Does the writer understand the subject matter?
I don't see how most of this article is relevant to anything except M$ propaganda.

Publishing an SPF record requires changes in infrastructure? or is difficult? It's just a one line TXT record, and it is easy to publish a record allowin sending from anywhere if an organization cannot tell the IP addresses (or domain names pointing to those addresses) that their users use to send email. The real change in ifrastructure that is needed to make SPF/SenderID help in preventing spam or phishing is in the receiving side. The small effort needed is incorporating it in receiving servers. The big effort needed is in rewriting all email client software to to use it. What SPF or SenderID authenticate has nothing to do with what an email client displays as the sender. There's no problem to have both SenderID and SPF authenticated and still have an email client like outlook display another address as the sender. SO it does NOTHING to prevent Phishing unless the email client software is changed to show a lot more header information. Then if it would do it, most users wouldn't know how to interpret the info anyway.

The real reason that SPF/SenderID are not widely adopted is that they do absolutely nothing of what they promise to do. The reason that a few domains did publish an SPF record is that it is extremely easy to do so if one has a few minutes to spare, and has no negative consequences.
Posted by hadaso (468 comments )
Reply Link Flag
Spam-a-rama
Face it - we will eventually need to "qualify and
verify" every message prior to opening. Why not?
After the initial set-up - what could go wrong?
Posted by ronwinship (15 comments )
Reply Link Flag
Use White List
Plain and simple. Email addresses not on my white list will go straight to the trash can :)
Posted by 201293546946733175101343322673 (722 comments )
Link Flag
Oh the sense of urgency
This article is intended to scare you into useing SenderID, listen to the tone. "There is an identity crisis for e-mail right now" -- I'm not buying into the fact that someone at Microsoft thinks there is a "crisis" because nobody is buying into their strictly licensed technology.

I can't believe CNET blindly republished the Microsoft rubbish. I've personally seen a decrease in spam in the last 6-12 months; and the filters are getting so good that they catch the rest. Anyone else having a 'crisis'?
Posted by (5 comments )
Reply Link Flag
Re: Oh the sense of urgency
This comment is intended to scare you into using Apple. Listen to the tone. "There is an identity crisis for e-mail right now" -- I'm not buying into the fact that someone at Apple thinks there is a "crisis" because nobody is buying into their strictly licensed technology.

I can't believe CNET blindly republished the Apple rubbish. I've personally seen a decrease in spam in the last 6-12 months; and the filters are getting so good that they catch the rest. Anyone else having a 'crisis'?
Posted by 201293546946733175101343322673 (722 comments )
Link Flag
Yes, it's becoming more of a problem
At the company at which I work, we employ a highly regarded spam filtering software. Up until recently, I had the ineviable task of checking mail that was quarantined for false positives. Over a period of ~ 1 year, the number of false positives remained fairly consistent (less than 1%) while the number of incoming messages correctly flagged as spam increased roughly 250%. I can't say what the increase was based on our total mail volume, but we have not grown by 250% nor have we become 250% more reliant upon e-mail.

Having good spam filtering software and employing white & black lists, Bayesian analysis, etc., is only a small part of effectively fighting spam. The real issue is the end user. Spammers (not virii/worm writers, mind you) would go away if the enterprise were not profitable. Unfortunately, like televsion & newspaper, many people believe what the see/read and follow links when they should delete the message.

Not until end users are educated will spam go away. I don't think that will ever happen.

Should the situation be called a 'crisis'? Depends on whether you're an end user who never sees the results of clicking where you shouldn't, or part of an IT staff that has to clean up the mess.
Posted by orphu (109 comments )
Link Flag
Spam is a part of all Capitalist societies
Consider the spam in your mailbox (post office).
Consider the spam you are bombarded with every
day on the drive to work on billboards.
Consider the spam on television. The driving
force behind most spam are the businesses that
advertise using these questionable marketing
techniques. Unless these businesses are eradicated,
spam will always be with us. But, do we really
want to eradicate all advertising? It depends on
your personal taste.
As for the technical solutions, one need only
be a vigilant system administrator using common
and effective techniques to slow or stop the spam
invasion. I see no major problem. Examples:

White-listing,
Black-listing,
Gray-listing
RBL,
Challenge Response,
or even Bayesian Filters

All quite effective. The old SMTP protocol really
doesn't need to be re-engineered if you know what
you are doing.
Posted by Johnny Mnemonic (374 comments )
Reply Link Flag
Gray-listing RBL
<a class="jive-link-external" href="http://www.analogstereo.com/plymouth_neon_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/plymouth_neon_owners_manual.htm</a>
Posted by George Cole (314 comments )
Link Flag
The end of SMTP Email?
Personally, I think the whole system is ready for a clean slate. I work for an ISP and see tons of SPAM moving around all the time. Some new scheme, some new way to get around security we put in place.

Why not redesign the whole transfer system?! Yeah, I know, it will cost millions, but you could support the old SMTP system for a while until people reached their software cycle's on their servers.

I don't know all the details, but why not try?!! We have some amazing engineers in this world that have developed some amazing systems, why not a relatively fool proof email system? Just think of the millions of dollars we would save in bandwidth, time, and money wasted on SPAM and Phishing schemes!

In my opinnion SMTP has seen its day come and go. Lets's move on to something new and secure.
Posted by vincefran (1 comment )
Reply Link Flag
Make the Spammers work to find you
Like may people, I have many e-mail accounts (work, home ISP, Yahoo, etc). My new work and Yahoo accounts started getting spam within a week of starting the account.

My home account does not get spammed. Spam comes from purloined address list acquired from target machines that were too lazy to set-up firewalls, virus detection, etc. In other words, people you know, you trusted, and have no idea what the source was.

Like most ISP's, my home account allows me to setup secondary e-mail accounts. These secondary accounts are the only names I use. Never give out your primary address. On the rare occasion I get a spam, I can tell by the account name what the likely source of the leaked name came from. Getting that source to fix thier system is usually effective. If it is not, I tell everyone else that I use that user account was addressed to that I am changing my e-mail name, and delete the old name.

If anyone is still trying to reach me at the old address, and they get a mail delivery failure, they know there are other ways to reach me.

For businesses, the solution is:
<a class="jive-link-external" href="http://www.e-dotcbsi.com/spam_exp.php" target="_newWindow">http://www.e-dotcbsi.com/spam_exp.php</a>

It doesn't take any special e-mail handshake, secret code, change of how the internet works, it just makes the Spammer list useless.
Posted by (16 comments )
Reply Link Flag
What about biometrics??
I have an intolerable problem with spammers hacking my Hotmail address on a daily basis. I get dozens of notices of non-deliverable messages that list my Hotmail address. I change my Hotmail address every other day or so, but within hours it's hacked again. I use sixteen symbols, alpha and numberic, and symbol characters in both upper and lower case, and it does nothing to stop the algorithms the hackers use.

I have sent numerous copies of these returns to Microsoft customer support. They responded with a generic message that meant absolutely nothing. Its obvious the problem is so rampant, Microsoft is powerless or worse, unwilling to do anything about it.

The answer might be a biometric reader of fingerprints that could hook up through a USB 2.0 port. I would like to see Bill Gates and company pioneer this for all Windows users. This could be the de facto standard for all passwords. Short of someone lifting my fingerprints off a glass or cutting off my fingers, there is no way this info could be hacked.

A small device with a laser scanner would be simple and cheap to manufacture. I would certainly pay for one if it was under a hundred bucks to stop this rampant hacking of my passwords. By the way, I have a good firewall with anti-spyware protection and an up-to-date virus program. I've also had to cancel my Pay Pal and Classmates accounts, and change my credit card and bank account numbers because of repeated attempts to gain control of my identity.

Something has to be done and quickly or I will give up Hotmail and Windows and migrate to Linux. I know that with some care Linux can be made secure at setup even if it is a pain in the ass to pass all the internal firewalls. A simple fingerprint scanner would be much better. I hope there are Microsoft people reviewing these responses.
Posted by Terry Gay (127 comments )
Reply Link Flag
BEHOLD, the AMAZING MICRO-SHILL...
I would hope I am wrong, but..

Isnt it simply amazing, how such a seemingly random comment could so, spontaneously, ask (practically BEG) "Microsoft" to do exactly what Microsoft HAS already announced that they plan, and hope, to do..?

Namely, integrate BIOMETRIC-devices into all computers, as part of "Trusted Computing", so that Microsoft (and everybody else) can finally identify, track, (and coincidentally bill, or control) virtually every individual computer-user.

Boy, wouldnt that be great? Id say that this was just another poor attempt at market-manipulation by Microsoft, designed to convince people that consumers really want another one of Microsofts pet control-schemes, shoved down the industrys-throat. But, ...after all the previous failed-attempts by Microsoft at such devious propaganda-campaigns, at this point, Microsoft really should be more subtle than this.

But, on the other-hand, notice the not too subtle JAB at Linux, which just had to be included...

Simply Amazing...
Posted by Had_to_be_said (384 comments )
Link Flag
SPF is broken (until the forwarding problem is solved)
Unfortunately, SPF is broken because of the routine nature of
aliasing (forwarding) mail received in one to another. The way
this is commonly done (not counting a manual forward in a mail
client), the sending address ("Envelope From address" or the
parameter to the SMTP "MAIL FROM:" command is unchanged.

Now the message arrives at the server handling the account to
which the mail was forwarded from the "wrong" server according
to SPF.

There is a (at least one) solution. Unfortunately, it would need
to be adopted by EVERY server which forwards mail in the above
way to fully unbreak SPF. Basically, the Envelope from address is
rewritten to be "an address" at the forwarding domain. Now that
domain's SPF matches the message. The "an address" encodes
the original Envelope from address (so that bounces can be sent
on their way). Typically it also encodes a token which the
forwarding server can look at and say "yes, I did this...the
bounce isn't a forgery intended to reach a non-sender of the
original message.

This idea (SRS) is not problem free...suppose there are several
forwarding steps...the Envelope from address grows by many
bytes at each step.

And as I say, unlike SPF (and Sender ID) which require adoption
by a "critical mass" to begin being useful, SRS needs to be
adopted by all forwarders to unbreak SPF. But mail changes are
adopted VERY slowly (the way to encrypt mail passing between
servers changed in the not-very-late 1990s...the proponent of
Sender ID still sends out new mail programs which use the old
method).

Personally, I think SMTP is dead...we just don't realize it yet (and
have no live replacement anyhow).

--John (works with mail servers daily)
Posted by (2 comments )
Reply Link Flag
Some help
Try greylisting. Simple and staightforward.
If you do not have it available on your server,
simply write a small perl script and forward
using a procmail filter. Some help:

<a class="jive-link-external" href="http://www.greylisting.org/" target="_newWindow">http://www.greylisting.org/</a>

I am assuming you are using a Unix or Linux based
mail server. If not, I pity you.
Posted by Johnny Mnemonic (374 comments )
Link Flag
No need to "fix forwarders"
There is absolutely no need to "fix forwarders". Whoever is automatically forwarding from one server to another is expecting the forwarded email at the receiving server and should set that server (if it does SPf testing) to not use SPF to reject mail coming from one particular server to one particular address.

If the individual is using a service that doesn't allow the user to control email filtering in a way that allows it, well... the user should find another email provider. There's no need to create a complicated forwarding scheme just to accomodate email providers that wish to restrict their customers. The default shoud be that the customar can control the incoming email, and not that the service censors the customers email in any way they see fit.

If there's anything that needs to be applied to forwarders, it is to set headers indicating SPF test result when recived by the forwarder so users can use it forfiltering at the final destination. And this better be user customizable so spammers can't forge it easily.

What's really broken with SPF/SenderID is that it is trivial to bypass their testing by using an envelope-from/Sender header different from the From header that is displayed to the user.
Posted by hadaso (468 comments )
Link Flag
Another Factor: In-house Apps
Many legitimate companies used SMTP for e-mail notifications and alerts sent to an audience internal or external to them. Its ease and popularity may be so much that these companies may be using it in various applications perhaps even critical to their operations. SPF kills that simplicity which requires the company to adjust all applications that use SMTP and channel all e-mails through the SPF-configured mail servers. I still see a lot of work after applying SPF...
Posted by Mendz (519 comments )
Reply Link Flag
I dont even trust Microsoft,
Why should we trust Microsoft with Sender ID? This also looks like a way for MS to put it's patented technology into all mail server software so they could, at will sue many open-source company's out of business in a few years when Sender ID is widely used.
Posted by (1 comment )
Reply Link Flag
MICROSOFT IS GREEDY
Microsoft is misguided at the least and very greedy at the most. Why is it waiting for the acceptance of a program that will identify spammers? This should be automatic. The hot mail and other Microsoft emails should identify the email senders and the IP addresses of the computers from which the emails are being sent. That will put a little scare into the minds of the spammers.

It is a shame that spamming is considered a dirty word. People can't set up their own web sites with a message. If the site is considered to be a spam it is doomed by the search engine. This is destructive. For example if a pesron has a better idea for solving the problem of spam he can't solicit donations to finance the cost of developing the most definitive anti-spam program. This is destructive. That is why the most productive anti-spam pprograms have not been developed. Not every one has the capital or the influence need to approach the venture capitalists. Hence people have to change their attitude as to spamming that vshould apply only to the use of automatic machines to send millions of e-mails automatically to persons whose e-mail addresses are taken from web sites or even sending of individual e-mails to unknown persons. Talking about a project and soliciting the donation to fund the cost of its development should not be considered a spam.

Only on August 17, 2005 a worm infected the computers operated by windows 2000 and shut them down forcing IBM to issue an update which followed the issuance of three other updates. Four updates, one after the other.

It's obvious that there is something totally wrong with an internet infrastructure that gives so much power to the owners of personal computers to play havoc with the computers of total strangers. This infrastructure has to go as has been discussed at <a class="jive-link-external" href="http://www.newerawisp.blogspot.com/" target="_newWindow">http://www.newerawisp.blogspot.com/</a>

The development of a new infrastructure, that can stop this, depends upon the willingness of giant corporations to fund the cost of development of the new infrastructure.
Posted by newerawisp (47 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.