Microsoft to Deploy SPF for Hotmail Users 562
wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, MicroSoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."
Curious (Score:2, Insightful)
Great (Score:4, Insightful)
False Sense of Security (Score:4, Insightful)
"Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!"
The problem arises though when the phisher/spammer uses a domain which is fairly similar to your bank or credit cards website, for example www.XYZCapitol.com instead of www.XYZCapital.com.
Re:Curious (Score:5, Insightful)
Proof that technology (not legislation) works. (Score:5, Insightful)
That Microsoft is taking part is to their credit. Finally the Internet at large is going to actually try to apply a solution to spam at the source. Although the unsolicited commercial email problem is largely one of perception (as with violent computer games, smoking in public, or 'indecent' radio broadcasting) perhaps the solution will have less of a negative impact on society. One can only hope.
Re:PGP/GPG? (Score:1, Insightful)
All the computation need to be local and not remote.
This is nice (Score:3, Insightful)
The SMTP protocol have sucked for ages, and we applaud any action taken to improve it.
Re:I'm confused.. maybe I've had too much free bee (Score:4, Insightful)
Solves the 1998 spam problem? (Score:4, Insightful)
But now that the problem is spam zombies on millions of user PCs, how will this put a dent in the problem? Sure they won't be able to connect directly to Hotmail to say they're someserver.com, but it won't stop them from sending spam through their own ISP's mail server. Since the key to spam zombies is having a lot of PCs that send relatively few spams per PC, it will be very difficult for each ISP to track down and stop each zombie.
Dispite being a Microsoft hater (Score:2, Insightful)
- They are going about it the right way (IETF rfc as an open standard, open source system)
- They have a lot of weight to actually make it happen
- This is something that should have been done a long time ago.
If they modified things from other proposals, I don't care. This is just something that simply has to happen!
So despite coming from microsoft, this is great news.
So umm (Score:1, Insightful)
Yeah this will work...
Re:Curious (Score:3, Insightful)
What XML? I don't see any XML in the spf1 records.
Re:False Sense of Security (Score:3, Insightful)
Re:"enforcing" (Score:4, Insightful)
Give the man a fish, and you feed him for a day. Teach the man to fish, and you feed him for a lifetime.
How will this stop spamming? (Score:5, Insightful)
If anything, the SPF idea primarily favors the big ISPs and consolidated mail services. Microsoft and others aren't doing the industry a favor at all by adopting this standard. It clearly benefits them more than it does small and medium-sized Internet hosts. I am under the impression that for any Internet operation that doesn't control all the inbound and outbound mail for domains they manage will have a much higher administrative burden than the big guys. So this scheme makes sense for large ISPs and costs more time and money for smaller ones.
And ultimately, it would only stop spam if every system on the planet adopted it. Otherwise a spammer will simply operate from a host that isn't SPF-compliant. Until the lion's share of systems adopt SPF, no ISP can afford to arbitrarily reject non-compliant systems.
This scheme seems to heavily favor the "all-in-one" Internet companies, who manage both sending and receiving. If you're having one company manage your domain and using a local ISP for SMTP, then you run into problems. As an owner of a hosting company, if this scheme were adopted, I'd probably get several phone calls a day from customers freaking out that their mail bounced, and even if I had an automated system where they could specify authorized smtp hosts, I'd still have to waste a bunch of time explaining to them that if they configure their local client to be "from" their domain, and they change ISPs, they need to update these records as well.
Ultimately, this is bad. It makes the largest ISPs, who can afford to offer SMTP and all other services, easier to work with, and the smaller guys have more of an administrative overhead to keep up with DNS management.
Re:Curious (Score:3, Insightful)
One way Microsoft could push this is if they implement it in Outlook, which has a monopoly where desktop e-mail clients are concerned. But implementing it through Hotmail means it has to fight with every other web-based site's methods.
Re:Curious (Score:4, Insightful)
This does not work if you are a minor player. Microsoft is a minor player in e-mail servers. This is also the reason why Microsoft wants to adopt SPF instead of creating something themselves.
Re:I guess it's time to do some research (Score:2, Insightful)
Re:Curious (Score:5, Insightful)
Besides, my understanding of SPF is that it doesn't use anything in the email header at all, only what's in the envelope.
Forwarding address ... will I be SOL? (Score:3, Insightful)
Is there any mechanism in SPF (or Sender ID) for this email setup?
not a solution (Score:2, Insightful)
Re:I'm confused.. maybe I've had too much free bee (Score:3, Insightful)
Universities? (Score:3, Insightful)
A couple universities I've been to do not allow external SMTP connections. Users need to use their ISPs' SMTP server to send email. I couldn't find how the SPF can accomodate this practice without significant change: either the university allows authenticated external SMTP connections or ISP provides another authenticated SMTP server for these users (to user whatever address they want).
Re:This is not a solution. (Score:2, Insightful)
Here are some ideas that may help.
1. Identify the networks you control and list those. If you know all the mail servers, great, list those... but if you don't, you can also get by with just listing the network ranges that you own and that allows any server in those ranges to send.
2. Offer mobile users an SMTP AUTH server. This will allow mobile/roaming users to send outbound mail back to corporate HQ to be sent out, rather than sending out through whatever DSL or cable ISP they happen to be on.
3. Phase it in slowly. Add ?all to the end of your record to allow sending from anywhere. There are additional optional things you can do to detect when mail is being sent from servers you haven't approved yet... You can do something like altavista.com does -- they use "exists:" in the record to trigger a second DNS query and then they can log those queries.
Re:PGP/GPG? (Score:3, Insightful)
Adoption of SPF or other technologies (domain keys for example) needs to be near 100% to be useful in reducing spam. Lack of records can be somewhat useful as a scoring tool in spamassassin for example, but that's about it. Spammers will just find another way to spam - maybe they will start publishing SPF records on the 8782374651872356 domains that they have registered or taken over.
Spammers already control a large percentage of windows machines - they really don't care if what they are doing is illegal or not. Grandma's machine will start spewing spam using her real email address via her ISP slowly - a few dozen messages every day. Of course there are millions of other grandmother's machines to use.
If you control the domain... (Score:3, Insightful)
Basically it's like this.. You have a domain like example.com. You send email from bob@example.com. But you want to send email through some other SMTP server, call it smtp.com, for whatever reason, and keep the From: line as bob@example.com. Since you control the domain, all you need to do is to change the DNS settings for your domain to add SPF records that say "smtp.com is a sender of email for example.com".
Problem solved. When a SPF enabled receiver gets your email, they query example.com's DNS, read the SPF info, see that it's okay for smtp.com to send email for that domain, and all is well.
Now, if you don't have access to your DNS records on that level, then I seriously suggest a) griping at your domain host/provider to let you have that sort of access, or b) switching to a new provider.
In the short term, however, this won't affect you at all. Not having an SPF record essentially means that the default will be used by SPF enabled receivers. The sane default, for the moment, is to allow email from anywhere in the event that SPF records do not exist on the domain in question (assuming SPF is being used as a straight block/no-block type of method, as opposed to a weighting factor in some spam prevention algorithim).
In the long term, eventually everybody will have to implement SPF if they want their email to be received by SPF enabled systems. But that's way, way long term.
Step one of many (Score:2, Insightful)
In my mind, Sender ID and SPF have nothing to do directly with spam. They are designed to combat fraudulant e-mail headers, nothing more.
Granted, almost all of the current spam has fraudulant headers, but if Sender ID and SPF catch on, that will gradually change. Spam will simply be tagged with the correct relay.
One could say that illegal spam will be easier to track down, but that isn't really true... you can track spam with excellant accuracy today by following the linkage to the company selling the products. That linkage has to be accurate, or there is no profit to be had.
You could also say that spam will be easier to blacklist, but I don't think that is true either. Simple shifts in the spammers' methodologies, such as rotating their DNS names, would suffice to get around blacklists.
What we really need to combat spam is better e-mail management tools. The reason we get unwanted e-mail is because the sender has control, not the individual or company. That needs to change.
Would a large company allow a random outside person walk into their building, go to anybody's cube, and start talking? Never, but that's what happens electronically today with e-mail.
Instead of today's simplistic systems, imagine a multi-tier system of contacts -- a top level of corporate maintained partners and customers, a mid level of department specific contacts, and a bottom tier of personal contacts and exceptions.
This contact list would be paired with a routing system based on well-defined business rules. As companies regain control, the From will become far more important than the To.
But sophisticated management depends on clean data, and clean data is exactly what today's e-mail isn't.
The more checks we can add into the process to validate the headers, the better the tools can become, and the sooner unwanted e-mail will become a thing of the past.
Why do you need a new ISP? (Score:2, Insightful)
The only downside I can see is that you'll loose your email and need to inform every one of the change, but then you were planning on doing that anyway. If you're happy with MSN dial-in but not the email just use one of the ones above.
Alternatively you could NOT use outlook (any version) and use Thunderbird link [slashdot.org] instead.
Just some idea you can try, and maybe avoid the hassle of changing ISP's.
Re:Sending from other networks (Score:2, Insightful)
Probably the best fix is to use SMTP AUTH to connect back to your home server, and it can send the mail out from there in the normal way.
Re:Curious (Score:2, Insightful)
Mike Scanlon
Re:I'm confused.. maybe I've had too much free bee (Score:2, Insightful)
I quote from the "sender-id" page linked to from the SPF site:
If you are a software developer and are interested in implementing this specification in software, please review the terms of the Caller ID for E-Mail Implementation License [slashdot.org] before you begin, as the patent license discusses the rights that Microsoft would grant you or your organization. Please note that a license agreement is not required for individuals, companies, or ISPs who only wish to publish their Sender ID records.
I think SPF is the shiznit, So does MS, thats why they're tying themselves to the protocol. I just hope this is not going to be another Samba fiasco [google.com]Re:How will this stop spamming? (Score:2, Insightful)
As for wasted bandwidth, I'm not sure this is much more of an impact than, say, a PTR lookup on every incoming connection -- which most MTAs do. DNS is heavily cached, and TXT records have TTLs, too.
At any rate, this already has more momentum behind it than most people realize it. Big companies are on board, small shops are on board (as it happens, I'm involved from both sides), and maybe I'm just anal-retentive, but I set up SMTP AUTH on the servers I provide and share w/friends years ago, anyway, and made everyone start using it, and next time some jackass spams three million Hotmail users using my email address, maybe Hotmail won't send 200k bounces to me. That, frankly, would make setting up SMTP AUTH, publishing records, and compiling the Milter app to do checks 100% worth it for me.
Re:Curious (Score:2, Insightful)