Hotmail To Junk Non-Sender-ID Mail

William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."

Stop using Hotmail

[drewzhrodague]

This means that I will stop using Hotmail -- go figure!

Only if other ISPs go along with it

[matt_morgan]

This is a trial baloon. If some other big ISPs decide to go along with this, I can see it happening. If nobody else goes along with it, they won't enforce it. No need to panic here.

The Problem is patents !

[Anonymous Coward]

The problem is, that the experts think, that the patents which MS owns endanger Free implementations of the "standart".

Re:Stop using Hotmail

[Blindman]

Not using hotmail is one thing, but it looks like you might not be able to continue sending e-mail to those with hotmail accounts and don't share your view.

Ambiguous praise

[tezbobobo]

Not one to get caught up in Microsoft bashing, I salute the company. It may not make the best decisions, but it is making decisions. At some point something is going o have to happen to stem the tide of crap floating round the internet. This may not be the best secision, but maybe it will inspire other people to start making decisions. Once again Microsoft has proven itself to be a market leader, even if in bad ideas.

So?

[Tim C]

Every time RBLs are discussed here, there are a great many comments (quite a lot at +5) to the effect of "they're my mail servers, I can drop any mail I want to" from those defending their use of the various RBLs.

How is this any different?

Re:Stop using Hotmail

[Raistlin77]

And that's a bad thing? Eventually, Hotmail users will get so pissed off that either Microsoft stops the stupidity or the users go elsewhere.

Re:Stop using Hotmail

[LWATCDR]

Time to start handing out those gmail invites.

Who will use hotmail?

[blue_adept]

Hotmail has been on a steady decline every since Microsoft bought it. Just compare it to gmail or yahoo (which you CAN use with almost ANY useragent, even ones that don't support javascript). Most other webmail providers are now more rhobust, with a cleaner interface.

Not to mention you don't have to worry about them trashing your Non-Sender-ID emails.

Good for the gander...

[pla]

Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard.

...And some (like me) feel that anything from Hotmail most likely counts as spam anyway, and have the entire domain in my filter list.

So Hotmail can't get mail from me anymore. Boo-frickin'-hoo. What next, AOL doing the same? Then perhaps Yahoo?

Sorry, but until a major provider that matters picks an anti-spam tech, they will accomplish nothing more than effectively depriving their customers from using email.

Comment removed

[account_deleted]

Comment removed based on user account deletion

One little problem: MSN Messenger

[mindaktiviti]

MSN Messenger is the crazy glue that holds together the consumer with the hotmail account. I gave all of my friends gmail accounts which are far superior going by interface alone (and they agree with this). However because they use MSN Messenger they almost always prefer to check their hotmail accounts. What Google needs to do to successfully compete with MSN is to release their own messenger program that's tied in with GMail, only then will it be easier to switch your friends over to another free email service.

Wikipedian?

[mnemonic_]

Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard.

Let me guess, the story submitter is a Wikipedian? Let's try to avoid weasel terms [wikipedia.org]. Unlike Wikipedia, Slashdot has no neutrality obligation, but if you want to attack something then be clear about it. Don't be redundant either; if a web standard is not accepted by the W3C (the only real web standards authority), then it is not a standard. Let me show you:

Opponents believe the non-standard 'Sender ID' is flawed, and that Microsoft is trying to force the industry to adopting an incomplete protocol.

See? It's shorter, unequivocal while maintaining all previous meaning. Weasel words do not sanitize an opinion in any way.

-- User:Xmnemonic [wikipedia.org]

Well, what were you expecting?

[Walkiry]

Microsoft has been using this kind of "embrace and extend" or pure "we implement and damned what everyone says" with their OS for so long, that they have forgotten how to do anything else. They're going to have quite a wakeup call when they try this in a market where they're far from being the main dominant force.

Re:Big Surprise

[schon]

it will only be a matter of time until the spammers figure out a way to get around this

A way around what, exactly?

Sender-id is *not* an anti-spam measure. It will do absolutely nothing (as in _NOTHING_ ) to stop spam.

All it does is say "this email comes from a server that the owner of the domain says is OK."

How, exactly, does that stop a spammer from sending spam?

Thank you Microsoft

[hacker]

Well that cinches it... now I can block Hotmail permanently, since they are refusing to deliver mail from my legitimate MX.

There are lots of alternatives to using Hotmail... Gmail, Yahoo mail, and others. Use them instead.

99% of the mail coming from Hotmail is spam anyway, so this gives me more reason to stop the spam coming from Hotmail to my users. I'm protecting my users by blocking Hotmail.

I for one am tired of Microsoft claiming to embrace standards by strangling off the air from the lungs of the real standards bodies. When Sender-ID is a widespread industry standard (i.e. in every MTA without patching), THEN I'll begin working with Microsoft to stop spam.

I will not be strong-armed by Microsoft, ever, especially where it affects MY server and MY users and MY mail. Period.

Until their OS stops being a malware replication engine, their services stop harboring spammers by the millions, and their patches actually FIX problems instead of CAUSING them, they can go pound sand.

Re:And then...

[bhtooefr]

Heh... I use a GMail account for normal use, and have a Hotmail account for use with Hotmail users. (it appears that Hotmail automatically blocks GMail e-mails)

I tell the person in the first e-mail (from the Hotmail account) to make my GMail address a contact - therefore whitelisting it. I also usually send a GMail invite their way once they whitelist me.

Re:Home workers

[afidel]

Get them a VPN, get them a corporate email account and some way (webmail, RPC over HTTP, etc) to send email, etc. Sorry but relying on known broken mechanisms for your business isn't my problem. Sure I believe Sender-ID is dead, but the idea that they embraced and extended (SPF) is not. Many ISP's already either block messages or give them extremely high spam scores based on the lack of an SPF record, this isn't that new. SPF is about raising the bar for spammers, and hopefully we can eventually figure out which registrars are helping the spammers setup throw away domains and either pull their ability to create new domains, or find some other way to get them to stop support the scum.

does this mean they'll stop sending spam?

[Anonymous Coward]

I hope microsofts new steps towards curbing spam will end the millions of messages from hotmail accounts that end up in my mailbox...

Re:this one could be a problem for casual users

[ajs]

Ways in which this would suck for businesses:

• Applicants can't recieve email (e.g. an offer letter or response to resume submission
• Customers send feedback and support requests, but cannot recieve responses
• Newsletters stop being recieved
• Receipts of purchase stop being recieved
• Warnings about termination of service stops being recieved

On the plus side, I'm hoping that they will accept SPF-Classic, and that my ISP will list one, finally. I'm tired of getting mail bounced because my SPF inclusion of my ISP isn't honored (due to their lack of SPF listing).

Re:Home workers

[nagora]

Tell me what your favorite MTA can do that mine can't.

Dunno. My problem with Sendmail was that I only had to install it every couple of years, so I'd forget how to configure it and have to go through the Bat book again. The fourth time I lost it and decided that it would be faster to write my own email server. So I took a week off and did:

http://freshmeat.net/projects/cmg/

It certainly doesn't do everything Sendmail does, but it does everything I and my companies need it to, and I never have to wade through hundreds of configuration options for things I don't even understand, let alone need from a mail server.

TWW

Re:Stop using Hotmail

[tomhudson]

... an additional thing to think of - change your signature to the following in gmail:

If you are receiving this at your Hotmail account, please keep in mind that you might not be able to receive it after November, when Microsoft implements YABIS (Yet Another Broken Incompatable Standard).

You may want to switch to a GMail Account or a Yahoo Account if you want to continue receiving emails from non-Microsoft accounts.

See ... Microsoft isn't the only one capable of spreading FUD.

Re:One little problem: MSN Messenger

[Anonymous Coward]

Or get someone to write a plugin for gaim or trillian that will give them a "You've got mail" when mail arrives in their gmail box. We don't need another IM program.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Brilliant Move Microsoft. I salute you!

[Trepalium]

It's an incomplete standard covered by a patent awarded to Microsoft who is only providing it under non-OSI compatible terms (it's non-transferrable, so each party needs to get a license directly from Microsoft). This is Microsoft trying to bully everyone else into adopting their patented standard. However, I believe they have overestimated their strength in this matter.

Re:Ambiguous praise

[schon]

It will stop SPAM that is from a forged sender

Bullshit. It will do no such thing.

Most spam comes from trojaned machines (zombie networks), and there is *NOTHING* that will stop the trojan authors from simply having the zombie do a whois lookup and setting the return address to something that will bypass sender checks (even if it means sending through an upstream mail server.)

Result? The From: address will still be forged, legitimate forwarded email is stopped, nobody wins.

Look over your SPAM headers, and you'll see, most of the return-addresses do not match the machine that relayed the message.

Which will *WILL NOT CHANGE*, even with SPF.

And as someone else said, there is *nothing* to stop a spammer from spending $10 to register a domain, spamming for a week or two using Sender ID/SPF legitimately, then abandoning the domain if it gets blacklisted.

If you think this is an anti-spam measure, then you really don't have a clue as to how email operates, or how spammers operate, or both.

Re:Typical Slashdot FUD

[Anonymous Coward]

Bullshit! Many domains have published SPF records that deal with MAIL FROM, you can't apply those policies to arbitrary mail headers (PRA). Microsoft would be abusing the published policy of hundreds of thousands of domains (including several of mine) by doing PRA checks on SPFv1 records.

Re:Brilliant Move Microsoft. I salute you!

[SirCyn]

Your link is barely more than a long rant.
The examples given apply to 1% of internet mail users.
Most of the examples are such extreme exceptions to the norm that I would have no qualms with blocking them alltogether.

I understand what SMTP was designed to be, but that was what the internet needed 20 years ago. What we need now has changed. SMTP can still work, just not entirely as it was designed; and SPF is a step in the right direction.

How can you say SPF fixes nothing? Numerous examples have been given of how SFP can help alot. Phisher are one good example. Many of the virii that went around last summer would have been stoped by SPF and were on the networks I admin (those virii that use from admin@yourdomain.com, "run this program please")

SPF Records and Filters need to be configured correctly to be effective. But critisizing SPF because it breaks antiquated "features" of SMTP is no excuse to totally reject it.

Re:Damn if they don't, damn if they do...

[Breakfast Pants]

Does nothing for me and you? Speak for yourself, I know that it would be great to not have to explain to grandma that the newest email from paypal.com isn't from paypal.com and if she follows any links therein she will be giving away access to her checking account.

Re:Who uses hotmail?

[ShieldW0lf]

I wouldn't use gmail anyways, and I won't send emails to a gmail account.

No, no privacy concerns. That's all FUD.

I mean, they scan all your personal email to build and keep a profile on you, but that's not a privacy concern.

And they keep duplicate copies of all your email forever, even if you try to delete it from the server, but that's not a privacy concern.

And they make it all searchable by any government agency that might want a peek, but that's no concern.

And then, aside from privacy concerns, there's the fact that they will be manipulating you with targeted advertising every single time you use their service to communicate. I don't know about you, but I stopped watching TV because I hate advertising, and stopped listening to the radio because I hate advertising, and don't visit websites whose advertisements I can't block. Why would I want to sign up for gmail? It's like having a telephone where every time you get a call, a telemarketer who's been tracking your conversations whispers in your ear telling you what you should buy. Would you buy a phone like that?

Me neither. Hotmail might be bad. But GMail is WORSE.

Re:Brilliant Move Microsoft. I salute you!

[sobachatina]

I'll concede that it may not be worth the work to change email addresses especially since you have had that email address for so long.

When it really comes down to it there probably isn't a "got to have" feature of any webmail except recieving and displaying text messages. I tried out various php based webmail systems on my home server and they all were functional. You could log in and read and send mail. Some, however, were easier to use, provided more options, etc.

Gmail offers quite a bit that is worthwhile compared to Yahoo's free webmail. Threaded conversations, POP access, powerful filters that include forwarding to other addresses, simpler and more responsive interface.

Some of those options are available from Yahoo if you pay for it but that is an irrelevant comparison.

The point is, as with so many of Google's offerings, what you have may be good enough but they've improved upon it greatly. Whether it is important enough to you to invest the work to switch is your business but it isn't just another "peice of marketing".

Re:Stop using Hotmail

[drakaan]

That's an interesting post. So, Microsoft is saying that SPF records fine and dandy, I don't really care one way or the other. It's not exactly difficult to add an SPF record for your mailserver (no-ip.com even has a little SPF wizard for those on dynamic DSL connections).

For once, this sounds like a solution I can live with. A lot better than AOL's recent decision to stop accepting mail from mail exchangers with no PTR record. Forward resolution is one thing, getting changes to x.x.x.in-addr.arpa zones can be a royal pain.

EMAIL IS BROKEN TOO

[autopr0n]

Look, who cares if SPF breaks things. The things it breaks arn't really that important, and the internet email system is so clogged with spam it's worthless anyway.

Re:Ambiguous praise

[drakaan]

So, what's your point? The whole purpose of SPF was to verify the sending domain, which is still being done. The reason things *still* work out well in your example is that it's relatively simple to shut off mail from "spamer.com". You then have a situation where the spammer in question has to spend more time changing DNS records and registering domain names than it takes for hotmail admins to block them.

Yes, everyone can crapflood hotmail through your server (for a short period of time), but the flood is a lot easier to stop with SPF required.

Re:Nothing wrong with that

[shmlco]

... but I don't expect a wide-spread adoption given the administration costs.

What administration costs? It took about about 10 minutes for me to create and install a SPF record for my site.

As for supporting it on the other side, future releases of mail software will do so the next time I would have upgraded anyway.

I'm all for it. You would not believe the number of phishing emails, purporting to be from my site, that say, "Your account information is enclosed. Please open and read."

It may break some forwarding, but I'd rather END phishing and trojans. Besides, we're not supposed to be open relaying anyway...

Yes, but don't tar SPF with the same brush

[Anonymous Coward]

While I agree with everything you said (except that you imply that Sender-ID might actually work, when it doesn't) it's important to distinguish between SPF and Sender-ID.

SPFv1 is an anti-forgery system that works. It does not claim do anything whatsoever to stop spam . But, preventing forgery is necessary before you CAN do anything to stop spam (think about it).

SenderID, AKA SPFv2(pra) is an attempt by Microsoft to seize control over an open standard (SPFv1) so that they can control who gets to send email and who doesn't. They claim it prevents forgery (but it doesn't) and that it does not break some forms of forwarding the way SPF does (they lie) and that it is open (actually, they've submarine-patented parts of it) and that it is an anti-spam measure (which it wouldn't be even if it worked).

Once someone really understands these two facts, all becomes clear. The 800-pound gorilla is beating its chest and waving its tiny pecker around, hoping you will be either be afraid enough to adopt MS-controlled SenderID, or outraged enough to not adopt open, useful SPFv1.

For more information you might want to read some SPF-discuss list threads [gossamer-threads.com].

Having to forge one's own address

[tepples]

It's not exactly difficult to add an SPF record for your mailserver

Unless your primary e-mail account is with a provider that offers POP3 and IMAP but not SMTP (e.g. spamcop.net), and you must forge your own address through your ISP's outgoing server. Or unless your primary e-mail account is with your ISP and your ISP hasn't implemented SPF. How should one handle that situation?

Re:Ambiguous praise

[flakier]

Not true. A lot of spam is now sent via thousands of zombies which would be nearly impossible to encompass in an SPF record.

It is true that SPF will not stop spam on its own. As part of the whole puzzle, SPF is best used along with a reputation system if you want to stop spam.

There are some problems for legitimate senders and are confined to situations where there is unknown or uncontrollable forwarding going on. There are ways around these problems too (SRS et al...)

Another problem is that M$ is trying to co-op SPF with this "Sender-ID" which is NOT the same thing!

Re:Ambiguous praise

[drakaan]

s/bounce address' domain/spf-associated domain/

Lets run through it. I want to send spam from buymycrap.com e-mail addresses to hotmail users.

I have a buddy at buyhiscrap.com who has a mail server he'll let me use.

I add an spf record for my domain that says "yes, the buyhiscrap.com mail server is allowed to send mail for the buymycrap.com domain".

I start spamming hotmail.

Hotmail says "don't accept any e-mail from buymycrap.com e-mail addresses"

I can only send e-mail from spf-validated mail servers, so the mail has to go through a published mail-server (no zombies, open relays, etc)

I try to send more spam to hotmail.

I can't.

I buy a new domain name. Rinse, repeat.

The burden in this scenario has just shifted from the recieving mail server to the spammer. Now the spammer has to do more legwork and the hotmail mail server admin has to do less.

when you get to the "MAIL FROM:" part of the SMTP conversation, you have total control over what happens, which means you don't have to play games with mail from: versus reply-to: addresses. If I'm not sending through a server that's supposed to be sending mail for the domain in my mail from: address, the connection is dropped. If I have that right, and I've offended the mail server admin with previous messages from that domain, the connection *can* be dropped (before a message gets transmitted).