Antispam framework scores Microsoft endorsement

The software giant agrees to merge its Caller ID for E-mail technology with the Sender Policy Framework, making SPF an increasingly important weapon in the fight against junk e-mail.

Paul Festa, Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
An ongoing effort to consolidate antispam authentication schemes took a big step forward with the merging of Sender Policy Framework and Microsoft's Caller ID for E-mail.

Microsoft said on Tuesday that it had agreed to combine its Caller ID efforts with SPF, a specification crafted by Pobox.com Chief Technology Officer Meng Wong. The two had said last week that they were cooperating toward that end.

Wong called Microsoft's embrace of SPF a crucial win for the technology, which has already gained the backing of America Online, EarthLink and Google.

"Microsoft was the last remaining obstacle," Wong said. "Almost everyone else was already onboard. Nobody wants to be squashed by Microsoft, so I'm glad they came around to our point of view on their own."

SPF, which formerly stood for "Sender Permitted From," and Caller ID attack a fundamental weakness in the omnipresent Simple Mail Transfer Protocol: E-mail recipients have no way of determining whether senders are who they say they are.

That's an especially vexing problem for Internet service providers like Microsoft and its MSN division, Yahoo, AOL and others, which would like to stop fraudulently addressed, or "spoofed," e-mail long before it gets delivered to subscribers' in-boxes--before it's sent, if possible.

Technical proposals abound for fixing the authentication problem. A recent crop focuses on the idea that ISPs could publish the range of Internet Protocol addresses associated with their e-mail domains. That way, a recipient's service provider could check the sender's stated domain against the published IP address. If there's no match, the recipient's ISP can safely assume that the message is spam--or at least fraudulently addressed.

E-mail authentication helps prevent another e-mail scourge, "phishing," which happens when online con artists convince people to hand over user names, passwords and credit card numbers by posing as a legitimate business. That con is made easier, because SMTP lets e-mail senders claim to be anyone.

Efforts to merge several similar authentication schemes have been under way since the fall.

The combined SPF and Caller ID, which has yet to be named, will use XML (Extensible Markup Language) to let Net service providers post IP addresses in the Domain Name System, the giant database that translates alphanumeric domain names like "news.com" into numerical IP addresses for Web servers.

SPF and Caller ID let service providers publish their numerical IP addresses for outgoing mail servers, as well as Web servers, in a machine-readable format in the DNS.

Microsoft called the specification merge an important boost for the worldwide antispam effort.

"The convergence of the two proposals is a very positive milestone in the war on spam and brings together the best of both SPF and Caller ID," said Microsoft spokesman Sean Sundwall. "We anticipate this proposal will be something the whole industry can rally around to eliminate domain spoofing and bring much-needed relief to e-mail users around the world."

Microsoft and Wong plan to publish their combined proposal and submit it to the Internet Engineering Task Force, a key standards body, next month. Microsoft promised that the combo would be compatible with existing versions of SPF.

AOL, which in December began testing SPF, hailed Microsoft's collaboration with Wong.

"We welcome Microsoft to the position we have long held concerning the attributes of SPF," AOL spokesman Nicholas Graham said. "And on the need for a joint standard that is about more than one technical standard, one technology or one company. We were the first ISP to agree to test and implement SPF, back in December, and we think this convergence is the right approach at the right time."

Other systems for authenticating mail are also in progress. Sendmail and Yahoo have gotten behind DomainKeys, which authenticates e-mail through digital signatures and is not mutually exclusive with DNS-based systems. Yahoo has already submitted DomainKeys to the IETF.

Wong said he was working with Yahoo to figure out how to make SPF and DomainKeys cooperate with and complement each other.

"DomainKeys is the long-term approach; SPF is the short-term approach," Wong said. "If all goes well, we will meet in the middle and squash spammers like a bug."