Hotmail To Junk Non-Sender-ID Mail

William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."

Re:Who uses hotmail?

[Anonymous Coward]

My sister's boyfriend does. I don't think he is smart enough to be a spammer.

Re:Brilliant Move Microsoft. I salute you!

[__aaahtg7394]

it'll be a lot easier to use up those invites.

Unless, of course, hotmail doesn't like gmail's SPF records =)

Re:Brilliant Move Microsoft. I salute you!

[wcdw]

I disagree that SPF records are completely useless. They do pick off about 1% of my incoming spam.

And if more people would use them, I'd get fewer bogus bounce messages. They're annoying, and it's not that hard to DDoS my mail server by sending out a few zillion messages with known bogus addresses and a forged from address through one's favorite botnet.

People that configure them to 'soft fail', now that's pretty worthless.

Re:Damn if they don't, damn if they do...

[I confirm I'm not a]

2. Microsoft fights SPAM. Slashdot equally outraged.
Conclusion: Microsoft is always evil no matter what they do.

Nope, Microsoft isn't fighting SPAM - if they were they'd be cooperating with the "rest of the Internet", instead of promoting their own proprietary scheme - SenderID - that's so un-open as to provoke this comment [apache.org] from the Apache Software Foundation:

We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms.

Various other disparate organisations have raised similar concerns, eventually resulting in the IETF ditching Microsoft's proposal.

Microsoft, at least in this case, weren't interested in a working solution; they were interested in a Microsoft-friendly, FLOSS-hostile solution. Which is daft, given the open-source nature of most Internet technologies.

I've got 50 gmail invites for hotmail users!

[mshiltonj]

If you are are hotmail user, just send me a request at mshiltonj at gmail dot com and I will send you an invitation to use the gmail service. Free. First come, first serve. Hotmail users only!

Re:Damn if they don't, damn if they do...

[asc4]

If this were actually a push to prevent spam you might be right. Unfortunately that is not the case. First and foremost this is a blatant attempt by Microsoft to try to force their sender identification standard (which, incidentally they have patents on) on the rest of the world.

Furthermore, SPF/Sender-ID and all their ilk will do little if anything to help with the spam problem. Spammers can publish SPF records just as easily as anyone else. The only major effect it can have is to protect corporate identities by helping to prevent forged From: addresses. Which is great for corporate behemoth's like Microsoft, but does nothing for you or I.

You don't get it!!!

[Anonymous Coward]

Sender ID is just one criteria used to determine if an email is spam. No sender ID will increase an emails spam score, not cause it to be rejected alltogether. Here is what an article I read says "Microsoft's Hotmail and MSN services have been checking Sender ID records as one test in determining whether a message is junk."

I for one am glad somebody is doing something, how bad does it have to get before there is unified action?

Why don't you discuss solutions instead of trashing MS or any other company?

But then again this is slashot, nadir of the internet...where the solution to every problem is to trash MS.

Re:Home workers

[Da w00t]

In this case, you have your employee connect to your mail server over ssl, usually port 589. Require SMTP auth. Require SSL.

Also, require SRS. Sender Recipient Signing is the shit. I used to get metric assloads of joe-job spam at 4 (out of 12) of the domains I own, and now the only joe-job bounces I get are delayed bounces that aren't really bounces at all. SRS proves that the "bounce" you're getting actually came from your server. It's great.

Rejecting mail (Hmm.... sound like Earthlink?) based on the lack of SPF/SID records is just plain stupid in today's Intarweb. Tagging them, on the other hand, is a more intelligent thing to do. I have SPF, SID, DomainKeys, SRS, and 20 something DNSRBLs in my sendmail setup. Tag the mail so spamassassin, dspam, or crm11 can assign a better score with this extra information.

Yes, you heard me right, I said sendmail. No, I'm not batty. Those of you who are going to preach on about Postfix, Qmail (jesus christ what the fuck are all these dot files! why do I have 30 distinct files instead of one config file! What? I have to supply all my DNSRBLs on the command line!? ... hate much? Yes. Yes I Do.), or Exim need to do one thing first:

Tell me what your favorite MTA can do that mine can't.

I've got nothing against the other popular MTAs, but I can't stand "linux makes the baby jesus cry", "why are you using deadrat, use {debian,gentoo,suse,lfs,slackware} instead!", "sendmail sucks", "FreeBSD(M) sucks, use OpenBSD" zelots.

Re:Wikipedian?

[TheRaven64]

if a web standard is not accepted by the W3C (the only real web standards authority), then it is not a standard

This isn't a Web standard, it's an Internet standard (or, rather, non-standard). The correct standards body would be the IETF, not the W3C.

Re:Stop using Hotmail

[grub]

How? Simple, this is from my /etc/mail/access file:

From:hotmail.com ERROR:"550 rejected: Hotmail is whitelist only. [20030405]"

At the top of the file I have the allowed addresses ala "foo@hotmail.com OK"

Re:One little problem: MSN Messenger

[Erik Hensema]

I've never had an hotmail.com or msn.com account and I've been using msn messenger for years. Go visit passport.com and register your email address with them. No, they don't spam. Never.

Re:Brilliant Move Microsoft. I salute you!

[jon3k]

And yes, I publish spf records, no I do not make use of them. They are not useful.

Anyone who makes statements like this truely doesn't understand the purpose of SPF.

Its "sender policy framework" - not "spam prevention framework."

SPF isn't designed to stop spam, why is that so hard to understand? Its just used to make sure that whatever domain an email was sent from, that the envelope sender matches. Thats it. End of discussion.

This doesn't stop spam, but it makes sure that no one can forge an address from your domain, unless it wasr eally sent from your domain.

If everyone respected it, your users wouldn't be getting any more phishing scams from "someuser@paypal.com" - or "attn@bankofamerica.com".

You're going to sit there and tell me that its "not useful" ? Get your head out of the sand.

Email statistics

[BaudKarma]

Some of you might find this interesting. I was working with an Email list for job applicants to my company this morning. I decided to do a quick analysis of what domain these candidates had their Email at.

These are applicants for an entry-level blue collar job. They're supposed to be at least 21 years old, but at this point of the employment process, that hasn't been verefied yet. About 2/3 or our applicants are male. We have locations in all 50 US states, as well as Puerto Rico and Canada.

yahoo.com 7110
aol.com 3255
hotmail.com 2857
msn.com 556
sbcglobal.net 539
comcast.net 334
bellsouth.net 293
earthlink.net 134
gmail.com 132
cox.net 118

I'm not sure what this all means, but it does explain why you're having trouble finding a Yahoo ID that hasn't already been taken.

Re:Ambiguous praise

[duffahtolla]

Nope, you were clear. Unfortunately, what is also clear is that MS doesn't have our collective environment at heart.

They tried to get a standard in place that could not be implemented with open source. There's restrictive liscensing and I think a patent as well. This is a move to benefit their Server bussiness to the detriment of Open Source Mail servers everywhere.

Since they wouldn't drop the resreictions against open source, the initiative was refused. So now they are going to use their marketing muscle to force it down our throughts as a defacto standard anyways.

Microsofts gesture could be characterized more as a middle finger than an olive branch.

Re:strongarm what?

[zaxus]

GMail will integrate with a fat client over POP3. Check here: http://mail.google.com/support/bin/answer.py?answe r=12103&topic=194 [google.com]

Re:Home workers

[TheRaven64]

For anyone interested, there is a tutorial for setting up Sendmail for authenticated relaying here [pingwales.co.uk], including a sendmail configuration file that can be used. While it is targetted at OpenBSD, most of it can easily be translated to other *NIX flavours (file locations are about the only things that need changing). The next article in the series (spam filtering) is a bit more OpenBSD specific, since it uses OpenBSD's spamd tar pit, although this could probably be persuaded to work with NetBSD and FreeBSD, since they both have working pf ports.

Re:Home workers

[Szaman2]

In this case, you have your employee connect to your mail server over ssl, usually port 589. Require SMTP auth. Require SSL

Been there, done that. I had to drop this because 90% of my employees use Outlook 2002. And SSL support is broken in Office XP. You need to install office service pack 3 or 4 to actually have it working. That of course is a 20+ MB download, which requires you to have a Office CD on you. My users usually have laptops, and they work in the field where they often only have dialup access. And we don't give them Office CD's - laptops get serviced in the office.

Needless to say, once we switched SSL on no one could send out emails anymore, we had to send every single person a copy of Office XP cd, and istruct them how to do the upgrade.

And that's just the tip of the icebearg. Most of my users use Norton Antivirus which by default scans outgoing emails. It does it by proxying them. So if you have outgoing email scanning enabled, you won't be able to send emails with Outlook with SSL enabled - it's as simple as that.

Consequently, we decided to drop the whole SSL idea. It was just to much hassle for our technologically challanged employees.

SPF spec author says: SenderID is crap

[wayne]

I am the current editor of the SPF specification [ietf.org]. Both Meng Wong and I agree that SenderID is a horrible idea, that it doesn't work as well as SPF, and that SenderID is abusing current SPF records in incompatible way.

While both SPF and SenderID break on many forwarded emails, SenderID breaks on many mailing lists also. Moreover, one of the most promising solutions to the SPF forwarding problem (a specialized DNS server, as outlined in section 9.3.1.2 in the SPF spec) breaks when SenderID uses it.

So, SenderID is a patented system that is incompatible with many of the F/OSS mail servers that currently dominate the internet, it doesn't work as well as other technologies, it damages the use of SPF, and outside of MS, it is being used by almost no one.

If this was just a matter of hotmail and MSN hurting themselves, then I wouldn't have any problems with it. However, this appears to be a case of Microsoft working hard to hurt the entire internet email environment.

Re:Home workers

[Anonymous Coward]

In this case, you have your employee connect to your mail server over ssl, usually port 589. Require SMTP auth. Require SSL.

Are you going to field the help desk calls where a person has (a) a peronal e-mail account with their ISP, and (b) a work e-mail account?

They would then have to configure their mail client to send messages for (a) to their ISP's SMTP server while messages for (b) to their employer's SMTP server.

That's going to be really fun for the help desk people.

Re:Only if other ISPs go along with it

[frankie]

Plenty of big ISPs already go along. Out of the big 4, AOL, Earthlink & MSN have SPF records; only Yahoo is sitting out due to DomainKeys. Other SPFs include Gmail, RR, and Adelphia. Another interesting note: top spam sources MCI, SBC, Comcast, and XO do NOT publish SPF.

As an anti-spammer, I really hope that Hotmail has the cojones to follow through with this. It would be a huge wake-up call to lots of ISPs if millions of emails suddenly get rejected.

BTW, what's the correct SMTP error code to put on an SPF hard bounce?

Re:One little problem: MSN Messenger

[sobachatina]

I have friends that use each of the services. I use Gaim and the problem is solved.

Re:Nothing wrong with that

[Ryosen]

Hotmail people will have to check their spam folder so regularly for for things that aren't actually spam that Sender-ID will just annoy them so much that they'll abandon Hotmail.

That's not how SenderID works. The emails that fail validation will be refused. They will not be forwarded to a user's spam folder.

Microsoft can push SenderId all that they want. All that they will accomplish is excluding their domains from useful communication. This will be rolled back in under 60 days, if it is implemented at all.

I can't think of any companies that are going to make considerable modifications to their email systems just to please Microsoft (or any other for that matter). Furthermore, the use of SenderId/SPF breaks some email delivery features (such as forwarding).

I think that it's great that a company like pobox.com is financing the implemntation of SPF on the OSS side, but I don't expect a wide-spread adoption given the administration costs. Also, I feel compelled to ask, is Microsoft truly doing this to combat spam or do they want to force people to upgrade to Exchange 2006? And SenderId itself will never become a standard protocol as long as M$ owns it. There is too much concern that they would try to lock out OSS from implementing a protocol that they own the rights to.

It's a valid cause but the implementation is flawed and doomed for failure.

Re:Ambiguous praise

[vandon]

It will stop SPAM that is from a forged sender, which is a non-trivial amount. Meaning, I can't send you a message purporting to be from billgates@microsoft.com, which is how things are right now. Look over your SPAM headers, and you'll see, most of the return-addresses do not match the machine that relayed the message.

But what if I buy a domain, and enter into the zone file editor this:

spamer.com TXT "v=spf1 ip4:1.0.0.0/2 ip4:64.0.0.0/2 ip4:128.0.0.0/2 ip4:192.0.0.0/2 a mx ptr ?all"

I just authorized everyone on the internet to send mail using my domain name, and it only cost me about $10 to register and 2 minutes to add a completely valid [pobox.com] SPF line. Now hotmail users can see my spa^H^H^Himportant messages about stock tips.

Re:Brilliant Move Microsoft. I salute you!

[Malc]

"Do you think Yahoo would have given you those two gigs if gmail hadn't done it first?"

And that's a reason to switch to Gmail? I think not.

"And how much marketing has Google given gmail? Absolutely none."

And what do you call this whole thing with invites? It's viral marketing. It's much more subtle than tradition approaches, and clearly sneaked past your marketing detector.

But then how will they be able to buy my

[burndive]

H3RBAL VI@GRA???

It's called Gmail Notifier

[burndive]

Get it here [google.com].

Re:Brilliant Move Microsoft. I salute you!

[gclef]

I'm on speakeasy, and I'm fine. The only trick is that I'm running my own DNS for my domain, and am publishing my own SPF records. Is speakeasy running DNS for your domain, or is that somewhere else?

(Speakeasy will put reverse DNS on your IPs, if you have statics, which also helps immensely.)

Re:Brilliant Move Microsoft. I salute you!

[zsazsa]

You will be shitlisted unless suffusions.net adds an 'include:adelphia.net' directive in their SPF entry. You of course could add this line yourself to your glitterandtwang.org DNS if you started using that domain for your your email, as you have control over your own domain.

Re:One little problem: MSN Messenger

[Backspin]

I use Gaim and the problem is solved.

Not really. You're still using the service, even if you're not using the official client. And you have to have an account for each of the services you want to use (AIM, Yahoo, MSN, Jabber, etc). I for one refuse to sign up for an MSN account of any sort. Using its messaging service with or without the official client ranks only slightly lower on my not-gonna-do-it list. Then again, if that doesn't bother you, then for you, the problem is solved.