Microsoft to Enforce Antispam Plan
Microsoft will soon put some bite into its Sender ID antispam plans. The software giant will check e-mail messages sent to its Hotmail, MSN, and Microsoft.com mail accounts to see if they come from valid e-mail servers, as identified by the Sender ID, according to a company executive.
The company is strongly urging e-mail providers and Internet service providers to publish, by mid-September, Sender Policy Framework records that identify their e-mail servers in the domain name system. Microsoft will begin matching the source of inbound e-mail to the Internet Protocol addresses of e-mail servers listed in that sending domain's SPF record by October 1.
Messages that fail the check will not be rejected but will be further scrutinized and filtered, says Craig Spiezle, director of Microsoft's Safety Technology and Strategy Group.
Spiezle announced the company's plans while speaking to a group of antispam luminaries this week at The Open Group Conference in Boston.
Sender ID is a proposed technology standard, backed by Microsoft, for verifying an e-mail message's source. It combines two previous standards: the Microsoft-developed "Caller ID," and the Meng Weng Wong-developed SPF.
The proposed standard was submitted to the Internet Engineering Task Force in June for consideration. If adopted, Sender ID could provide a way to close loopholes in the current system for sending and receiving e-mail that allow senders--including spammers--to fake, or "spoof," their message's origin.
Microsoft Chair and Chief Software Architect Bill Gates unveiled Caller ID in March. The proposed standard asks e-mail senders to publish the IP address of their outgoing e-mail servers. E-mail servers and clients that receive messages from Caller ID domains could check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that didn't match the source address could be discarded or quarantined.
DNS is the system that translates numeric IP addresses into readable Internet domain names.
SPF also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF checks for spoofing only at the message transport or "envelope" level, verifying the "bounce back" address for an e-mail, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.
Under the merger proposal, organizations sending e-mail will publish SPF records identifying outgoing e-mail servers in DNS. Companies will be able to check for spoofing at the envelope level, as proposed by SPF, and in the message body, as proposed by Microsoft.
Tens of thousands of SPF records have already been published in DNS by companies and Internet service providers such as Microsoft and America Online. However, few companies have taken the added step of using information from the published SPF records to confirm the "purported responsible address," or PRA, that the e-mail message claims as its source.
A failed PRA check will be a "factor" that Microsoft's SmartFilter technology will use to determine whether a given message is spam, according to George Webb, business manager for the Antispam Technology & Strategy group at Microsoft. The extra filtering will be akin to extra security screening at an airport, slowing unauthenticated messages down, compared with messages with confirmed PRAs.
"We're at a point where we think it's clear people should be publishing SPF records," Webb says.
With Microsoft as one of the largest e-mail providers, the company's decision to enforce SPF record checking will ripple throughout the Internet. However, administrators at e-mail providers and ISPs ultimately decide whether to validate incoming messages' PRAs, and what to do with messages that fail the check, according to Webb. Mail Transfer Agent vendors, which make e-mail servers, must also design their products to act on the Sender ID authentication information, he says.
Microsoft is reaching out to major ISPs through the Global Infrastructure Alliance for Internet Safety, an international ISP working group, informing them of its plans and encouraging them to publish SPF records. The company is also working with leading MTA makers, including Sendmail and IBM, Webb says.