Microsoft to enforce Sender ID checks

Microsoft Corp. will soon put some bite into its Sender ID antispam plans by checking e-mail messages sent to its Hotmail, MSN and Microsoft.com mail accounts to see if they come from valid e-mail servers, as identified by the Sender ID, according to a company executive.

The company is strongly urging e-mail providers and Internet service providers (ISPs) to publish Sender Policy Framework (SPF) records that identify their e-mail servers in the domain name system (DNS) by mid-September. Microsoft will begin matching the source of inbound e-mail to the Internet Protocol (IP) addresses of e-mail servers listed in that sending domain's SPF record by Oct. 1. Messages that fail the check will not be rejected, but will be further scrutinized and filtered, said Craig Spiezle, director of Microsoft's Safety Technology and Strategy Group.

Spiezle announced the company's plans while speaking to a group of antispam luminaries on Thursday at The Open Group Conference in Boston.

Sender ID is a proposed technology standard, backed by Microsoft, for verifying an e-mail message's source. It combines two previous standards: the Microsoft-developed "Caller ID," and the Meng Weng Wong-developed SPF. The proposed standard was submitted to the Internet Engineering Task Force (IETF) in June for consideration. If adopted, Sender ID could provide a way to close loopholes in the current system for sending and receiving e-mail that allow senders -- including spammers -- to fake, or "spoof," their message's origin.

Microsoft Chairman and Chief Software Architect Bill Gates unveiled Caller ID in March. The proposed standard asks e-mail senders to publish the IP address of their outgoing e-mail servers. E-mail servers and clients that receive messages from Caller ID domains could check the DNS record and match the "from" address in the message header to the published address of the approved sending servers. E-mail messages that didn't match the source address could be discarded or quarantined.

DNS is the system that translates numeric IP addresses into readable Internet domain names.

SPF also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF only checks for spoofing at the message transport or "envelope" level, verifying the "bounce back" address for an e-mail, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

Under the merger proposal, organizations sending e-mail will publish SPF records identifying outgoing e-mail servers in DNS. Companies will be able to check for spoofing at the envelope level, as proposed by SPF, and in the message body, as proposed by Microsoft.

Tens of thousands of SPF records have already been published in DNS by companies and Internet service providers such as Microsoft and America Online Inc. However, few companies have taken the added step of using information from the published SPF records to confirm the "purported responsible address," or PRA that the e-mail message claims as its source.

A failed PRA check will be a "factor" that Microsoft's SmartFilter technology will use to determine whether a given message is spam, according to George Webb, business manager for the Antispam Technology & Strategy group at Microsoft. The extra filtering will be akin to extra security screening at an airport, slowing unauthenticated messages down, compared with messages with confirmed PRAs.

"We're at a point where we think it's clear people should be publishing SPF records," Webb said.

As one of the largest e-mail providers, Microsoft's decision to enforce SPF record checking will ripple throughout the Internet. However, administrators at e-mail provider and ISPs ultimately decide whether to validate incoming messages' PRAs, and what to do with messages that fail the check, according to Webb. Mail Transfer Agent (MTA) vendors, which make e-mail servers, must also design their products to act on the Sender ID authentication information, he said.

Microsoft is reaching out to major ISPs through the Global Infrastructure Alliance for Internet Safety, an international ISP working group, informing them of its plans and encouraging them to publish SPF records. The company is also working with leading MTA makers, including Sendmail Inc. and IBM Corp., Webb said.