Microsoft enforces its anti-spam tech

Joris Evers CNET News

Published: 23 Jun 2005 09:30 BST


If your e-mail does not have a Sender ID, Microsoft wants to junk your message.

From November, Hotmail and MSN will flag as potential spam those messages that do not have the tag to verify the sender, Craig Spiezle, a director in the technology care and safety group at the software maker, said on Wednesday. The move is meant to spur adoption of Sender ID, he said.

Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. While the purpose of curbing junk mail may be laudable, the debate on how to stop the tide of junk mail is still ongoing. According to Microsoft, up to 90 percent of e-mail is spam.

Critics say Sender ID, which includes technology developed by Microsoft, is not an accepted standard and has many shortcomings. Also, there are technologies that compete with Sender ID, such as Yahoo's DomainKeys.

"We think Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard," said Dave Rand, chief technologist for Internet content security at security software company Trend Micro.

Microsoft's move increases pressure on e-mail senders to adopt Sender ID. The technology requires Internet service providers, companies and other Internet domain holders to publish so-called SPF, or Sender Policy Framework, records to identify their mail servers.

About 1 million domains currently publish SPF records, Microsoft said. That's far from the 71.4 million registered domains worldwide at the end of last year. Still, because some large e-mail senders such as AOL support Sender ID, about 30 percent of e-mail today carries Sender ID information, according to e-mail filtering company MessageLabs.

Sender ID has not been a success because it is not very highly regarded, said Ray Everett-Church, co-founder of the Coalition Against Unsolicited Commercial E-mail and co-author of the book "Fighting Spam for Dummies."

"Microsoft has been trying to shove Sender ID down the throats of the Internet community for several years now, to little effect," he said.

Microsoft's unilateral move may hurt Internet users, he said. "Sender ID isn't widely deployed, meaning that average users are now at risk for having their legitimate e-mail tagged as spam when they send messages to Hotmail users."

Experts say one of the problems with Sender ID is that it doesn't work with e-mail forwarding services. The basic premise of Sender ID is to check if an e-mail that claims to be coming from a certain Internet domain is really being sent from the e-mail servers associated with that domain.

"If you receive mail forwarded through, for example, a university alumni account, the Sender ID check fails," said Matt Sergeant, a senior antispam technologist at MessageLabs.

The Internet Engineering Task Force, a standard-setting body, dissolved a working group on Sender ID in September. Still, Microsoft is plowing ahead with Sender ID, perhaps in a last-ditch effort to make good on a promise by Chairman and Chief Software Architect Bill Gates to can spam by 2006.

"All domain holders and e-mail senders should be publishing SPF records and planning to do that now if they want to improve the legitimacy of their mail, plus protect their domain and consumers. It is the responsible thing to do," Microsoft's Spiezle said.

Turning on the filters at Hotmail and MSN will give e-mail senders a reason to adopt Sender ID, Spiezle said. Without an incentive, many have said that they won't publish SPF records, he said. "We're in a catch-22," he said. "What we're trying to do is to do the right thing by giving everyone advance notice."

However, this Microsoft effort to push adoption of Sender ID is likely to fail, certainly with such a short deadline, said Jonathan Penn, an analyst at Forrester Research. "Hotmail is in no position to dictate that organizations adopt Sender ID," he said.

Adopting Sender ID or any other technology requires time and budgets, Penn said. "Company budgets are on a yearly cycle and most of them have no money for such a project this year," he said.

Microsoft argues that publishing SPF records is simple. It usually does not require new hardware or software and the most arduous part is doing an inventory of mail servers and the subsequent maintenance of the record, Spiezle said.
