Microsoft touts 'Sender ID' to fight spam, scams

Proposed tech standard would verify senders' IP addresses to cut malicious phishing and annoying Viagra pitches.

Dawn Kawamoto
Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
3 min read
Microsoft on Thursday is holding a summit with members of the E-Mail Service Provider Coalition to address the use of Sender ID technology as a standard to fight spam and phishing.

The software giant said it would gather more than 80 members of the ESPC coalition at its Redmond, Wash., headquarters to discuss using Sender ID as a way to ensure that e-mail originates from the Internet domain it claims to come from. Fighting the annoyance of spam and the dangers of fraud activity such as "phishing" is among the top concerns of Internet users and the companies that serve them.

Sender ID validates the server Internet Protocol address of the sender to assure an e-mail recipient that a message claiming to be from a credit card company actually is. The technology relies on Microsoft's Caller ID for E-Mail technology and the Sender Policy Framework, authored by Meng Weng Wong, chief technology officer at Pobox.com.

The Internet Engineering Task Force is currently evaluating Sender ID as an industry standard for e-mail authentication. Thursday's meeting will look at what Sender ID can do to control unwanted e-mail and at the challenges the technology will bring to legitimate users of e-mail.

Several companies have already announced plans to roll out products and services that support Sender ID, including Cloudmark, DoubleClick, IronPort Systems, Sendmail, Symantec, Tumbleweed and VeriSign, Microsoft said in a statement.

DoubleClick, which delivers Web advertising, will use Sender ID in the e-mail system it uses to communicate with its customers. Ken Takahashi, DoubleClick's senior director of e-mail operations and ISP relations, said a framework like Sender ID is only part of the solution to controlling unwanted and fraudulent e-mail.

"Since the spam epidemic exploded in the past few years, we have always maintained that a solution could only come from a combination of legislation, technology, industry self-regulation and consumer education."

Companies and individuals are increasingly deluged with spam and phishing scams, in which con artists send e-mail purportedly from a recipient's bank, credit card company or Internet provider requesting sensitive information such as "lost" credit card numbers or passwords "needing confirmation."

Spammers often "spoof" their return addresses--forging them to make them look legitimate to the recipient's spam filters. This can trick recipients into opening the unwanted mail, because it appears to be from a known contact. The technique also assists in the dissemination of e-mail viruses.

Other efforts
The e-mail problems have sparked efforts by other e-mail giants such as America Online and Yahoo to research their own authentication systems. AOL and Yahoo have technologies in the works, and plan to implement them into their e-mail systems by year's end.

AOL has been testing a system called Sender Permitted From, or SPF, that uses the domain name server (DNS). A company spokesman said SPF tests for outbound mail are currently compatible with SenderID. The company plans to test inbound SPF with SenderID beginning in September. AOL also will test technology supported by Yahoo by the end of the year.

"This isn't an online medal race to see who gets the gold when it comes to spam-fighting," AOL spokesman Nicholas Graham wrote in an e-mail. "We're all on the same team."

As for Yahoo, the Web portal is testing its so-called DomainKeys system for Yahoo Mail. The technology creates an encrypted e-mail address signature and then uses DNS to prove a message verify it came from Yahoo. Recipient e-mail servers must add software to use domain keys.

A Yahoo spokeswoman said the company is also looking into SenderID technology.

"We are evaluating IP-based solutions like SenderID," said company spokeswoman Terrell Karlston. "We are eager to see the results of some rounds of testing by other industry leaders."

CNET News.com's Jim Hu contributed to this report.