Work on Sender ID goes on

After running into opposition to its Sender ID antispam plan, Microsoft Corp. has revised and resubmitted it to the Internet Engineering Task Force (IETF) for consideration, according to a company spokesperson.

The new plan, which was resubmitted to the IETF on Monday, resolves disputes with ISPs (Internet service providers) and the open-source software community about the use of patent-pending technology in Sender ID and should lead to broader adoption of the standard, according to Meng Weng Wong of Pobox.com, a co-author of the revised Sender ID proposal.

Sender ID is a technology standard that closes loopholes in the current system for sending and receiving e-mail that allow senders, including spammers, to fake, or "spoof," a message's origin. The standard combines two earlier authentication standards: Caller ID, developed by Microsoft, and Sender Policy Framework (SPF), developed by Meng. Organizations publish a list of their approved e-mail servers in the DNS (domain name system) and can verify the origin of e-mail messages by checking source information either in "mail-from," also known as the "envelope from" field, in the message envelope. Alternatively, an e-mail address in the message header known as the purported responsible address (PRA) can be checked.

Microsoft submitted a draft of Sender ID to an IETF working group in June for consideration as a new e-mail authentication standard. However, that process became bogged down over questions about patents that Microsoft said it had around algorithms used to check PRA addresses and licensing requirements Microsoft wanted to place on organizations that deployed Sender ID.

Among other concerns, open-source advocates objected to Microsoft's requirement that anybody using Sender ID authenticate the PRA address, not just the mail-from address used in SPF checks, Meng said.

The dispute produced some high-profile defections from the proposed specification, including the Apache Software Foundation and the Debian Project, which said in September that they cannot support the Sender ID e-mail authentication standard in their products. America Online Inc. (AOL), an early SPF supporter, also said it would not fully implement Sender ID in September, because it was not compatible with early forms of SPF.

The new version of the standard addresses those concerns by allowing organizations to do either SPF checks on the mail-from address, or the fuller PRA checks, Meng said.

AOL will support the revised Sender ID specification because it did not require the 100,000 domains that have published SPF records to change their DNS listings, the company said Monday.

"This saves AOL and many others a great deal of time, resources and development work," the company said.

Microsoft expects the specification to be given "experimental" status by the IETF, but does not know if it will be taken up for formal approval by the group, according to Microsoft spokesman Sean Sundwall.

Regardless, the Redmond, Washington, company expects to rally support for the specification among leading ISPs. Mail bound for Microsoft's Hotmail Web-based e-mail service will be checked for valid PRA addresses by the end of 2004. Messages that fail the PRA check will be submitted to additional filtering using Microsoft's SmartFilter technology, the company said.