Microsoft to unveil antispam plans
- 25 February, 2004 07:06
Microsoft chairman and chief software architect, Bill Gates, will use this week's RSA Conference to unveil a proposed open technology standard that Microsoft hopes will make it harder to fake the source of unsolicited commercial email.
The company will release a specification for an antispam technology called Caller ID, a Microsoft-developed take on sender authentication technology that tries to validate the source address associated with an email message, according to John Levine, co-chairman of the independent Antispam Research Group, part of the Internet Engineering Task Force (IETF).
A Microsoft spokesman could not confirm the information about Caller ID, but said that Gates would be talking about spam in a variety of different contexts in his keynote speech at the RSA security show, and that Microsoft's internal Anti-Spam Technology & Strategy Group would be making an announcement as well.
Sender authentication is rapidly gaining acceptance among email experts and ISPs as a weapon in the fight against spam.
This week, Sendmail announced that it would develop and distribute sender authentication technologies to its customers and the open source community to combat spam, viruses and identity fraud in email.
Sendmail will incorporate a "selection of sender authentication technologies" into its open source Mail Transfer Agent (MTA), including a technology called DomainKeys that is championed by Yahoo and "proposals put forward by Microsoft and others", Sendmail said.
A Microsoft spokesman confirmed reports that the company would be releasing a sender authentication plug-in along with Sendmail.
Caller ID is akin to other sender authentication proposals circulating among leading ISPs and email security experts, Levine said.
In particular, it is similar to a nascent technology called Sender Policy Framework (SPF), developed by independent antispam researcher, Meng Wong, of email forwarding service Pobox.com.
Instead of analysing the content of messages to spot spam, the SPF protocol allows Internet domain administrators to describe their email servers in an SPF record that is attached to the DNS (Domain Name System) record using a special SPF description language. Other Internet domains can then reject any messages that claim to come from that domain but weren't sent from an approved server, Wong said.
Caller ID also relies on administrators adding lists of published email servers to the DNS record for their Internet domains. Whereas SPF uses its own syntax for listing the domain addresses, Microsoft's Caller ID uses Extensible Markup Language (XML) to describe the valid email servers, Levine said.
SPF allows email gateways to analyse the email envelope, a wrapper for the message that is transferred between mail servers before the full message is sent. Messages that do not come from a valid server at the domain are dropped before any message content is sent.
Bn contrast, Caller-ID analyses the sender IP address information stored in the email message header, which requires the whole message to be downloaded by the receiving email server before it can be accepted or rejected, he said.
Microsoft had been developing Caller ID internally for the last year and consulting with antispam researchers in private for the last month, Wong and Levine said.
The Caller ID technology has both strong points and weaknesses, according to experts.
On the one hand, it requires mail servers to download the entire content of bogus messages before rejecting them, which could put a drag on email servers. And, once it downloaded a message, it only checked it for the sender IP address, as opposed to running the message content through filters and other antispam tools, Levine said.
Caller ID also requires knowledge of XML, which makes implementation more complicated.
And the added length of the XML content required by Caller ID mighty exceed the 512-character limit for response messages to DNS requests, Wong said.
According to the DNS specification, messages that exceed that limit require DNS information to be sent through a separate TCP (Transmission Control Protocol) circuit, instead of using UDP (User Datagram Protocol). While that is technically possible, it is rarely used, introducing an element of uncertainty into the implementation of Caller ID, Wong and Levine said.
"This is a feature that has been specified for 25 years, but never used," Levine said.
However, the technology could do a better job of determining the actual source of an email message than SPF, especially since envelope email addresses didn't have to correspond to the email header address, he said.
Microsoft's dominance of the email client market might allow it to extend sender authentication technology to smaller Internet domains and the masses of Internet users, Wong said.
Levine also supported the release of the Caller ID specification and Microsoft's decision to develop Caller ID as an open standard.
"This is an important step," he said. "It's the way you get standards to work. You have people pick at them, but implement them."
Caller ID could eventually work alongside SPF, Domain Keys and other sender authentication technologies, he said.
"Solving the spam problem is like curing cancer. It's not one disease but 100 diseases, each with their own issues," he said.