Security threats Toolkit

Microsoft revamps Sender ID

Tags:
Anti-spam,
Email,
Microsoft,
SenderID

Stefanie Olsen CNET News

Published: 26 Oct 2004 08:20 BST

Microsoft has revised its anti-spam specification Sender ID following the spec's near-death in the technical community.

The software giant said Monday that it has rewritten Sender ID -- a specification for verifying the authenticity of email with Internet Protocol records -- to address criticisms of the spec's earlier incarnation. Among other changes, Microsoft removed language in its pending patents for Sender ID that could have included claims to Sender Permitted From, or SPF, a widely used system for email authentication that was merged with Microsoft's CallerID for Email to create Sender ID, according to Microsoft's Ryan Hamlin.

"We wanted to complete what we started," said Hamlin, general manager for Microsoft's safety technology and strategy group. Microsoft has resubmitted the specification to the Internet Engineering Task Force, a technical standards body.

Last month, the IETF shut down the working group that was charged with building consensus for Sender ID and turning it into an industry standard. Consensus became impossible after some people in the open-source community said Microsoft's patent claims could enable the software company to eventually charge royalties. Others were critical of the system's inability to work with previously published records in SPF.

As a result, America Online and open-source groups pulled their support of Sender ID. And Meng Wong, the architect of SPF, said he would retrench on his technical specification alone.

Microsoft's Hamlin said on Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published. He also said Sender ID will give email providers a choice to publish records in SPF, which verifies the "mail-from" address to prevent fraud, or in PRA -- purported responsible address.

PRA records let an email provider check the "display address" of an email in its headers against the numerical IP address of the sender. That process can prevent so-called phishing attacks by spammers who forge the display address.

Email providers and senders now have the ability to publish in and check the authenticity of email with both methods in Sender ID.

"We've been trying to make it as user-friendly as possible. We've got the spec to the point where you only have to publish one record for two purposes. I see that as a little victory," said Wong.

Still, some people in the open-source community are concerned about Microsoft's other pending patent over Sender ID, which prevents users of the specification from sublicensing it.

AOL said on Monday that it has renewed support for Sender ID in its current form.

The IETF has granted Sender ID "experimental" status so that the industry can test it, along with competing email authentification proposals, and build consensus that way.