Hotmail To Junk Non-Sender-ID Mail
William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."
Stop using Hotmail (Score:2, Insightful)
Only if other ISPs go along with it (Score:5, Insightful)
The Problem is patents ! (Score:1, Insightful)
Re:Stop using Hotmail (Score:4, Insightful)
Ambiguous praise (Score:1, Insightful)
So? (Score:4, Insightful)
How is this any different?
Re:Stop using Hotmail (Score:1, Insightful)
Re:Stop using Hotmail (Score:3, Insightful)
Who will use hotmail? (Score:4, Insightful)
Not to mention you don't have to worry about them trashing your Non-Sender-ID emails.
Good for the gander... (Score:3, Insightful)
So Hotmail can't get mail from me anymore. Boo-frickin'-hoo. What next, AOL doing the same? Then perhaps Yahoo?
Sorry, but until a major provider that matters picks an anti-spam tech, they will accomplish nothing more than effectively depriving their customers from using email.
One little problem: MSN Messenger (Score:5, Insightful)
Wikipedian? (Score:4, Insightful)
Let me guess, the story submitter is a Wikipedian? Let's try to avoid weasel terms [wikipedia.org]. Unlike Wikipedia, Slashdot has no neutrality obligation, but if you want to attack something then be clear about it. Don't be redundant either; if a web standard is not accepted by the W3C (the only real web standards authority), then it is not a standard. Let me show you:
Opponents believe the non-standard 'Sender ID' is flawed, and that Microsoft is trying to force the industry into adopting an incomplete protocol.
See? It's shorter, unequivocal while maintaining all previous meaning. Weasel words do not sanitize an opinion in any way.
-- User:Xmnemonic [wikipedia.org]
Well, what were you expecting? (Score:3, Insightful)
Re:Big Surprise (Score:3, Insightful)
A way around what, exactly?
Sender-id is *not* an anti-spam measure. It will do absolutely nothing (as in _NOTHING_ ) to stop spam.
All it does is say "this email comes from a server that the owner of the domain says is OK."
How, exactly, does that stop a spammer from sending spam?
Thank you Microsoft (Score:3, Insightful)
Well that cinches it... now I can block Hotmail permanently, since they are refusing to deliver mail from my legitimate MX.
There are lots of alternatives to using Hotmail... Gmail, Yahoo mail, and others. Use them instead.
99% of the mail coming from Hotmail is spam anyway, so this gives me more reason to stop the spam coming from Hotmail to my users. I'm protecting my users by blocking Hotmail.
I for one am tired of Microsoft claiming to embrace standards by strangling off the air from the lungs of the real standards bodies. When Sender-ID is a widespread industry standard (i.e. in every MTA without patching), THEN I'll begin working with Microsoft to stop spam.
I will not be strong-armed by Microsoft, ever, especially where it affects MY server and MY users and MY mail. Period.
Until their OS stops being a malware replication engine, their services stop harboring spammers by the millions, and their patches actually FIX problems instead of CAUSING them, they can go pound sand.
Re:And then... (Score:4, Insightful)
I tell the person in the first e-mail (from the Hotmail account) to make my GMail address a contact - therefore whitelisting it. I also usually send a GMail invite their way once they whitelist me.
Re:Home workers (Score:3, Insightful)
does this mean they'll stop sending spam? (Score:1, Insightful)
Re:this one could be a problem for casual users (Score:3, Insightful)
Re:Home workers (Score:2, Insightful)
Dunno. My problem with Sendmail was that I only had to install it every couple of years, so I'd forget how to configure it and have to go through the Bat book again. The fourth time I lost it and decided that it would be faster to write my own email server. So I took a week off and did:
http://freshmeat.net/projects/cmg/
It certainly doesn't do everything Sendmail does, but it does everything I and my companies need it to, and I never have to wade through hundreds of configuration options for things I don't even understand, let alone need from a mail server.
TWW
Re:Stop using Hotmail (Score:5, Insightful)
Re:One little problem: MSN Messenger (Score:1, Insightful)
Re:Brilliant Move Microsoft. I salute you! (Score:3, Insightful)
Re:Ambiguous praise (Score:4, Insightful)
Bullshit. It will do no such thing.
Most spam comes from trojaned machines (zombie networks), and there is *NOTHING* that will stop the trojan authors from simply having the zombie do a whois lookup and setting the return address to something that will bypass sender checks (even if it means sending through an upstream mail server.)
Result? The From: address will still be forged, legitimate forwarded email is stopped, nobody wins.
Look over your SPAM headers, and you'll see, most of the return-addresses do not match the machine that relayed the message.
Which *WILL NOT CHANGE*, even with SPF.
And as someone else said, there is *nothing* to stop a spammer from spending $10 to register a domain, spamming for a week or two using Sender ID/SPF legitimately, then abandoning the domain if it gets blacklisted.
If you think this is an anti-spam measure, then you really don't have a clue as to how email operates, or how spammers operate, or both.
Re:Typical Slashdot FUD (Score:1, Insightful)
Re:Brilliant Move Microsoft. I salute you! (Score:2, Insightful)
The examples given apply to 1% of internet mail users.
Most of the examples are such extreme exceptions to the norm that I would have no qualms with blocking them altogether.
I understand what SMTP was designed to be, but that was what the internet needed 20 years ago. What we need now has changed. SMTP can still work, just not entirely as it was designed; and SPF is a step in the right direction.
How can you say SPF fixes nothing? Numerous examples have been given of how SPF can help a lot. Phishers are one good example. Many of the viruses that went around last summer would have been stopped by SPF and were on the networks I admin (those viruses that use from admin@yourdomain.com, "run this program please")
SPF Records and Filters need to be configured correctly to be effective. But criticizing SPF because it breaks antiquated "features" of SMTP is no excuse to totally reject it.
Re:Damn if they don't, damn if they do... (Score:3, Insightful)
Re:Who uses hotmail? (Score:2, Insightful)
No, no privacy concerns. That's all FUD.
I mean, they scan all your personal email to build and keep a profile on you, but that's not a privacy concern.
And they keep duplicate copies of all your email forever, even if you try to delete it from the server, but that's not a privacy concern.
And they make it all searchable by any government agency that might want a peek, but that's no concern.
And then, aside from privacy concerns, there's the fact that they will be manipulating you with targeted advertising every single time you use their service to communicate. I don't know about you, but I stopped watching TV because I hate advertising, and stopped listening to the radio because I hate advertising, and don't visit websites whose advertisements I can't block. Why would I want to sign up for gmail? It's like having a telephone where every time you get a call, a telemarketer who's been tracking your conversations whispers in your ear telling you what you should buy. Would you buy a phone like that?
Me neither. Hotmail might be bad. But GMail is WORSE.
Re:Brilliant Move Microsoft. I salute you! (Score:2, Insightful)
When it really comes down to it there probably isn't a "got to have" feature of any webmail except receiving and displaying text messages. I tried out various php based webmail systems on my home server and they all were functional. You could log in and read and send mail. Some, however, were easier to use, provided more options, etc.
Gmail offers quite a bit that is worthwhile compared to Yahoo's free webmail. Threaded conversations, POP access, powerful filters that include forwarding to other addresses, simpler and more responsive interface.
Some of those options are available from Yahoo if you pay for it but that is an irrelevant comparison.
The point is, as with so many of Google's offerings, what you have may be good enough but they've improved upon it greatly. Whether it is important enough to you to invest the work to switch is your business but it isn't just another "piece of marketing".
Re:Stop using Hotmail (Score:3, Insightful)
For once, this sounds like a solution I can live with. A lot better than AOL's recent decision to stop accepting mail from mail exchangers with no PTR record. Forward resolution is one thing, getting changes to x.x.x.in-addr.arpa zones can be a royal pain.
EMAIL IS BROKEN TOO (Score:3, Insightful)
Re:Ambiguous praise (Score:3, Insightful)
Yes, everyone can crapflood hotmail through your server (for a short period of time), but the flood is a lot easier to stop with SPF required.
Re:Nothing wrong with that (Score:3, Insightful)
What administration costs? It took about 10 minutes for me to create and install an SPF record for my site.
As for supporting it on the other side, future releases of mail software will do so the next time I would have upgraded anyway.
I'm all for it. You would not believe the number of phishing emails, purporting to be from my site, that say, "Your account information is enclosed. Please open and read."
It may break some forwarding, but I'd rather END phishing and trojans. Besides, we're not supposed to be open relaying anyway...
Yes, but don't tar SPF with the same brush (Score:4, Insightful)
SPFv1 is an anti-forgery system that works. It does not claim to do anything whatsoever to stop spam. But, preventing forgery is necessary before you CAN do anything to stop spam (think about it).
SenderID, AKA SPFv2(pra) is an attempt by Microsoft to seize control over an open standard (SPFv1) so that they can control who gets to send email and who doesn't. They claim it prevents forgery (but it doesn't) and that it does not break some forms of forwarding the way SPF does (they lie) and that it is open (actually, they've submarine-patented parts of it) and that it is an anti-spam measure (which it wouldn't be even if it worked).
Once someone really understands these two facts, all becomes clear. The 800-pound gorilla is beating its chest and waving its tiny pecker around, hoping you will either be afraid enough to adopt MS-controlled SenderID, or outraged enough to not adopt open, useful SPFv1.
For more information you might want to read some SPF-discuss list threads [gossamer-threads.com].
Having to forge one's own address (Score:3, Insightful)
It's not exactly difficult to add an SPF record for your mailserver
Unless your primary e-mail account is with a provider that offers POP3 and IMAP but not SMTP (e.g. spamcop.net), and you must forge your own address through your ISP's outgoing server. Or unless your primary e-mail account is with your ISP and your ISP hasn't implemented SPF. How should one handle that situation?
Re:Ambiguous praise (Score:3, Insightful)
It is true that SPF will not stop spam on its own. As part of the whole puzzle, SPF is best used along with a reputation system if you want to stop spam.
There are some problems for legitimate senders, and they are confined to situations where there is unknown or uncontrollable forwarding going on. There are ways around these problems too (SRS et al...)
Another problem is that M$ is trying to co-opt SPF with this "Sender-ID" which is NOT the same thing!
Re:Ambiguous praise (Score:3, Insightful)
Let's run through it. I want to send spam from buymycrap.com e-mail addresses to hotmail users.
I have a buddy at buyhiscrap.com who has a mail server he'll let me use.
I add an spf record for my domain that says "yes, the buyhiscrap.com mail server is allowed to send mail for the buymycrap.com domain".
I start spamming hotmail.
Hotmail says "don't accept any e-mail from buymycrap.com e-mail addresses"
I can only send e-mail from spf-validated mail servers, so the mail has to go through a published mail-server (no zombies, open relays, etc)
I try to send more spam to hotmail.
I can't.
I buy a new domain name. Rinse, repeat.
The burden in this scenario has just shifted from the receiving mail server to the spammer. Now the spammer has to do more legwork and the hotmail mail server admin has to do less.
When you get to the "MAIL FROM:" part of the SMTP conversation, you have total control over what happens, which means you don't have to play games with mail from: versus reply-to: addresses. If I'm not sending through a server that's supposed to be sending mail for the domain in my mail from: address, the connection is dropped. If I have that right, and I've offended the mail server admin with previous messages from that domain, the connection *can* be dropped (before a message gets transmitted).
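The receiver-side check at MAIL FROM that the comment above walks through, as an added example that is not part of the original thread: a simplified SPF evaluator (ip4, ip6, include and all only) run over constructed records instead of DNS. The record contents, IP addresses, bank.example and the function names are assumptions; buymycrap.com and buyhiscrap.com are the commenter's hypothetical domains.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS (documentation IP ranges).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "buyhiscrap.com": "v=spf1 ip4:203.0.113.10 -all",
    "buymycrap.com": "v=spf1 include:buyhiscrap.com -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for client_ip."""
    if depth > 10:  # stop runaway include chains and loops
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the included record yields "pass"
            matched = check_host(client_ip, value, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def mail_from_decision(client_ip, mail_from, blocked_domains=()):
    """Decide at MAIL FROM, before any message data is transferred."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_host(client_ip, domain)
    if result == "fail":
        return "reject: SPF fail"
    if result == "pass" and domain in blocked_domains:
        return "reject: domain blocked"
    return "accept: SPF " + result
```

A sender domain that publishes its own valid record passes the check until the receiver blocks that domain, and a forwarder that relays with the original MAIL FROM fails exactly as a forgery does.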