Microsoft Set to Show Spam Strategy
E-mail 'Caller ID' system validates the source of messages.
Paul Roberts,
IDG News Service
Tuesday, February 24, 2004

Microsoft Chairman and Chief Software Architect Bill Gates will use the RSA Conference in San Francisco to unveil a proposed open technology standard that Microsoft hopes will make it harder to fake the source of unsolicited commercial e-mail.

On Tuesday, the company will release a specification for an antispam technology called Caller ID, a Microsoft-developed take on sender authentication technology that tries to validate the source address associated with an e-mail message, according to John Levine, co-chairman of the independent Antispam Research Group, part of the Internet Engineering Task Force.



Spam Fight
A Microsoft spokesman could not confirm the information about Caller ID, but said that Gates will be talking about spam in a variety of different contexts in his keynote speech at the RSA security show, and that Microsoft's internal Anti-Spam Technology & Strategy Group will be making an announcement as well.

Sender authentication is rapidly gaining acceptance among e-mail experts and Internet service providers as a weapon in the fight against spam. On Monday, Sendmail announced that it will develop and distribute sender authentication technologies to its customers and the open source community to combat spam, viruses, and identity fraud in e-mail.

Sendmail will incorporate a selection of sender authentication technologies into its open source Mail Transfer Agent, including a technology called DomainKeys that is championed by Yahoo and proposals put forward by Microsoft and others, Sendmail said. A Microsoft spokesman confirmed reports that the company will be releasing a sender authentication plug-in along with Sendmail.



Tracking the Source
Caller ID is akin to other sender authentication proposals circulating among leading ISPs and e-mail security experts, Levine said. In particular, it is similar to a nascent technology called Sender Policy Framework, developed by independent antispam researcher Meng Wong of e-mail forwarding service Pobox.com.

Instead of analyzing the content of messages to spot spam, the SPF protocol allows Internet domain administrators to describe their e-mail servers in an SPF record that is attached to the Domain Name System record using a special SPF description language. Other Internet domains can then reject any messages that claim to come from that domain but weren't sent from an approved server, Wong said.

Caller ID also relies on administrators adding lists of published e-mail servers to the DNS record for their Internet domains. Whereas SPF uses its own syntax for listing the domain addresses, Microsoft's Caller ID uses Extensible Markup Language to describe the valid e-mail servers, Levine said.

Also, SPF allows e-mail gateways to analyze the e-mail envelope, a wrapper for the message that is transferred between mail servers before the full message is sent. Messages that do not come from a valid server at the domain are dropped before any message content is sent. In contrast, Caller ID analyzes the sender IP address information stored in the e-mail message header, which requires the whole message to be downloaded by the receiving e-mail server before it can be accepted or rejected, he said.

Microsoft has been developing Caller ID internally for the last year and consulting with antispam researchers in private for the last month, Wong and Levine said.



Experts Take a Look......................................
More at PCWorld