Plan for Foiling Spammers Adances

Microsoft and Sender Policy Framework (SPF) author Meng Weng Wong have converged their respective e-mail authentication standards and called given in the name Sender ID. The new specification has been submitted to the Internet Engineering Task Force, an influential standard-setting body.

Sender ID, like the pervious specifications SPF and Caller ID for E-Mail, is aimed at adding an identity element to e-mail. That’s seen as a critical first step in eliminating spoofing, phishing and spam. The news comes on the heels of public support for authentication standards expressed by both the ISPs’ Anti-Spam Technical Alliance and the Federal Trade Commission.

“Over half of the e-mail targeting our Hotmail customers today come from spoofed domains, and we are committed to taking this trick away from spammers,” said Ryan Hamlin, general manager of the Anti-Spam Technology and Strategy Group at Microsoft.

Sender ID works by looking at information both in the “envelope” of the e-mail message and in the message itself. It compares that information with data published by domain owners in the Domain Name System (DNS), to confirm the e-mail actually came from the domain that it appears to be from. For example, recipients could be sure an e-mail from johndoe@aol.com was actually from someone at the aol.com domain.

There’s been some controversy over the format in which the Sender ID records should be published in the DNS. The merged specification calls for an XML format — a format many critics say is unnecessarily complicated and difficult to deal with. However, the Sender ID authors have made the specification backwards compatible with the simpler SPF text format. More than 20,000 domains have already published records in that format, according to Wong.

AOL, as one of those that published the original SPF standard, is pleased with Sender ID. “We are glad the new standard is fully backwards compatible with the existing SPF, which is in use by tens of thousands of domains on the Internet already,” said Carl Hutzler, director of Antispam Operations at AOL.

A number of e-mail service providers have already adopted SPF and other authentication technologies. AOL has said it will require those on its whitelist to publish SPF records by the end of the summer.