Microsoft agrees to merge antispam plan

Microsoft Corp. agreed to merge its recently announced Caller ID antispam proposal with another, called Sender Policy Framework, or SPF.

Free IT resource Hear how top CIOs turn change into a competitive advantage. Sponsored by HP Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld

The company reached an agreement with SPF's author, Meng Weng Wong, to roll the two proposals into one specification. The finished specification will be published in June and submitted to the Internet Engineering Task Force (IETF) standards group for evaluation. If adopted, the specification will provide a way to close loopholes in the current system for sending and receiving e-mail that allow e-mail senders to fake, or "spoof," the origin of their message, Microsoft said in a statement.

The joint specification, which does not yet have a name, caps months of discussions between Meng, cofounder and chief technology officer at Pobox.com, and Microsoft. The proposal is intended to resolve conflicts between two similar plans for stopping domain spoofing, a common tactic of those who send unsolicited commercial ("spam") e-mail.

Caller ID was unveiled by Microsoft Chairman and Chief Software Architect Bill Gates in March. The proposed standard asks e-mail senders to publish the IP (Internet Protocol) address of their outgoing e-mail servers as part of an XML (Extensible Markup Language) format e-mail "policy" in the DNS (Domain Name System) record for their domain. E-mail servers and clients that receive messages check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that don't match the source address can be discarded, Microsoft said.

DNS is the system that translates numeric IP addresses into readable Internet domain names.

SPF also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF only checks for spoofing at the message transport or "envelope" level, verifying the "bounce back" address for an e-mail, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

Under the merger proposal, organizations that send e-mail will publish the addresses of their outgoing e-mail servers in DNS using Extensible Markup Language (XML). Companies will be able to check for spoofing at the envelope level, as proposed by SPF, and in the message body, as proposed by Microsoft, the statement said.

That will allow companies to use the SPF method to reject spam messages before they are sent, if spoofing is detected at the message envelope. For messages that require a deeper inspection of the message contents, the Caller ID method can be used, Microsoft said.

Domains that have already published SPF records in text (TXT) rather than XML format will be supported, according to the merger proposal, Microsoft said.

Both Meng and Microsoft hope the agreement on a unified specification spurs wider adoption of e-mail authentication technology, which many e-mail experts say is the only way to cut off the flow of spam and "phishing" online identity scams.