Microsoft has revised its anti-spam specification Sender ID following the spec's near-death in the technical community.
The software giant said Monday that it has rewritten Sender ID -- a specification for verifying the authenticity of email with Internet Protocol records -- to address criticisms of the spec's earlier incarnation. Among other changes, Microsoft removed language in its pending patents for Sender ID that could have included claims to Sender Permitted From, or SPF, a widely used system for email authentication that was merged with Microsoft's CallerID for Email to create Sender ID, according to Microsoft's Ryan Hamlin.
"We wanted to complete what we started," said Hamlin, general manager for Microsoft's safety technology and strategy group. Microsoft has resubmitted the specification to the Internet Engineering Task Force, a technical standards body.
Last month, the IETF shut down the working group that was charged with building consensus for Sender ID and turning it into an industry standard. Consensus became impossible after some people in the open-source community said Microsoft's patent claims could enable the software company to eventually charge royalties. Others were critical of the system's inability to work with previously published records in SPF.
As a result, America Online and open-source groups pulled their support of Sender ID. And Meng Wong, the architect of SPF, said he would retrench on his technical specification alone.
Microsoft's Hamlin said on Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published. He also said Sender ID will give email providers a choice to publish records in SPF, which verifies the "mail-from" address to prevent fraud, or in PRA -- purported responsible address.
PRA records let an email provider check the "display address" of an email in its headers against the numerical IP address of the sender. That process can prevent so-called phishing attacks by spammers who forge the display address.
Email providers and senders now have the ability to publish in and check the authenticity of email with both methods in Sender ID.
"We've been trying to make it as user-friendly as possible. We've got the spec to the point where you only have to publish one record for two purposes. I see that as a little victory," said Wong.
Still, some people in the open-source community are concerned about Microsoft's other pending patent over Sender ID, which prevents users of the specification from sublicensing it.
AOL said on Monday that it has renewed support for Sender ID in its current form.
The IETF has granted Sender ID "experimental" status so that the industry can test it, along with competing email authentification proposals, and build consensus that way.
Talkback
Sigh. This won't help because things still can get spoofed and it's a far cry from preventing systems getting breached and abused as spam relay hosts.
What it will do is increase management traffic on the Internet as well as adding more public info into DNS records.
So don't be surprised if SenderID will only make things worse. Along with a little Microsoft surprise later on (there are still some unresolved issues in that area).
In all it's symptom fighting. The causes are still wide open for further exploration.
The US government has totally the wrong approach to spam fighting. It will never be possible to track down all the sleezes who fill our mailbox with unwanted trash.
What they need to be doing is targeting those who BENEFIT from spam.
Think about it, every porn site, drug sale, penis enlargement is designed to make someone spend money. Almost always by credit card.
Freeze the credit card accounts of the companies collecting money in sales and there is no more reason to advertise with spam. And do it QUICKLY. As soon as the emails come out. Not months later.