Hotmail To Junk Non-Sender-ID Mail

William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."

Who uses hotmail?

[richieb]

Does anyone besides spammers use hotmail anymore?

Big Surprise

[alvinrod]

From the article:

"We think Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard".

Gee, when's the last time this happened?

Personally, it will only be a matter of time until the spammers figure out a way to get around this. End result: a serious pain for everyone that accomplishes nothing.

Do as I say, not as I do

[asc4]

Despite the fact that Hotmail will only be using SPF v2 records to do the filtering, it seems that Hotmail themselves haven't bothered yet to publish one: http://www.dnsstuff.com/tools/lookup.ch?type=TXT&n ame=hotmail.com [dnsstuff.com]

strongarm what?

[tomstdenis]

I don't know ANYONE who uses hotmail for more than a throwaway address. So let them have their little party. Who cares?

Tom

this one could be a problem for casual users

[yagu]

I've had my fun with e-mail spoofing, but now that e-mail is everywhere and used by almost everyone it's probably close to "time" for mechanisms and protocols that make e-mail more trustworthy and difficult to spoof (of course there are always going to be exceptions). But Microsoft contributes little by doing their own end run on the industry.

From the article:

Microsoft's unilateral move may hurt Internet users, he said. "Sender ID isn't widely deployed, meaning that average users are now at risk for having their legitimate e-mail tagged as spam when they send messages to Hotmail users."

Experts say one of the problems with Sender ID is that it doesn't work with e-mail forwarding services. The basic premise of Sender ID is to check if an e-mail that claims to be coming from a certain Internet domain is really being sent from the e-mail servers associated with that domain.

This opens up a huge can of worms... I don't quite get why Microsoft doesn't learn from past mistake^H^H^H^H^H^H^Hefforts. The unwashed masses (read, typical computer users) already deal daily with mind numbing quirky computer behavior (or lack of). For example (and I know I'm beating a dead horse (checkmate!)), Microsoft's morphing menus with chevrons, Microsoft's dumping of random files in random directories to mold their vision of a magical world (how many have been burned by the unexpected "thumbs.db" file in their picture folders?), and bizarro network settings (ever wonder why seemingly every computer in a home network gets configured with bridging?) -- these are just a few examples of things that confuse and irritate typical users, but the ripple effect is into the "support" community (that's us).

Rolling out this semi-baked quasi-standard e-mail device could wreak havoc with the e-mail users. I'm hoping whatever they do it's configured by default to not reject non-ID'ed e-mails. Regardless, unless and until there's a stronger and more mature standard, this one's trouble.

Re:strongarm what?

[hab136]

I don't know ANYONE who uses hotmail for more than a throwaway address. So let them have their little party. Who cares?

And Mailinator [mailinator.com] does a better job at throwaway addresses anyways.

GMail?

[Andrewkov]

I wonder if G-Mail will be out of Beta by then? That could be an interesting opertunity for Google.

Anyway, G-Mail is already so superior to Hotmail, in both the interface and spam blocking, I can't imagine why people still use Hotmail.

Damn if they don't, damn if they do...

[Mensa Babe]

1. Microsoft (virri vulnerabilities) causes SPAM. Slashdot outraged.
2. Microsoft fights SPAM. Slashdot equally outraged.
Conclusion: Microsoft is always evil no matter what they do.

I bet that if it was a story about Gmail then it would be a great idea, becasue Google never does evil.

Re:Who uses hotmail?

[defkkon]

Unfortunately, yes.

There are a large number of people who haven't heard of Gmail. These are people who use the Internet to casually browse, and who check their email every other day. Hanging out in the geek community, its hard to believe people don't know their alternatives - but its true!

Many of these people view email as a very set-in-stone thing. Their friends and family all know their Hotmail address, and all their favourite news letters are delivered there. To them, its a huge pain in the arse to switch addresses. Its almost unthinkable.

Its these people that will happily put up with whatever Microsoft does to Hotmail, just so they don't have to bother with all this technical nonsense.

Home workers

[nagora]

So, how does this work for companies with large numbers of home-workers who are happily sending main aout throught their home ISP's with "spoofed" headers claiming, quite correctly, that their email comes from the company?

Frankly, Sender-ID is a dead duck for many reasons but the biggest is simply that many legitimate emails come from random IPs while plenty of spam comes from infected "authorised" machines.

This is just another, on a thirty-year-long run, example of the fact that when it comes to IT, MS is clueless. Business methods and the law are their fortes.

TWW

Re:Stop using Hotmail

[Cat_Byte]

You still have a trusted list that will redirect straight to the inbox. This will be the same as I have mine set up now because only people on my list make it to the inbox and the rest is in the junk folder. This is actually a good thing for sites like geneology.com that harvests your family tree and sends email from relatives with the same name (lame). The simple fact is, something has to be done about spam and just because Microsoft has its name attached to it doesn't make it a bad thing. No spam == good.

Re:Who will use hotmail?

[NetNifty]

Not even as long ago as when MS bought Hotmail - Hotmail has gone down in the last few months - buggy switching between accounts (at least on Firefox anyway - although it could possibly be a GAIM or Trillian problem from the places I've noticed the bug), changing the method of navigating between mails to javascript instead of a simple href (so you can't for example just middle-click on each email to open a tab with it in, at least by default in Firefox - maybe an extension can fix this), more timeouts on pages and pages not loading fully etc.

Hotmail wasn't too bad (main problem I'd say previously was spam and spam filters (many false positives)), but now it's got terrible and if I didn't know better I'd say MS was trying to kill it off.

Luckily I now use my GMail account for anything relatively important - I pretty much just keep my hotmail account around for MSN Messenger and places I may have forgottern to switch the email address over to.

I suppose it's only fair....

[Grokko]

My mail server stopped accepting mail from hotmail over 2 years ago.

Re:strongarm what?

[Launch]

I've been using hotmail for years, way before MS ever owned hotmail. At the time I signed up for hotmail everyone was chilling with their @netcom or any simular isp branded e-mail. If you're anything like me you've gone through a couple ISPs over the last 10 years. You also are probably aware what a PITA it is to change e-mail addresses. That's why I've stuck with hotmail all theses years.

I have a g-mail account, it's pretty awesome and probably better then hotmail... but one feature that hotmail has over other web-based e-mails is easy integration with a fat-client e-mail system.

I've yet to see a web-based client that can handle my e-mail needs... Even MS's OWA isn't a replacement for outlook.

I know there will be a flurry of flames about using outlook, etc etc... but the bottom line is that nothing integrates better for my needs, my palm, my blackberry, my non-work hotmail, owa, etc.

My basic point is that there are at least some merrits to using hotmail.

Don't underestimate MSN

[WormholeFiend]

a lot of people use MSN... as much as I don't like it, I have to use it to keep in touch with most of my non-tech-savvy friends, who won't use any other IM...

And to use MSN you need a hotmail account.

Google still has a lot of public awareness ground to cover IMO... when I give out my gmail address, some people ask me "so you work for the government?"

Re:Stop using Hotmail

[aklix]

I've been using GMail for over a year now and Not one message has been wrongfully marked spam, and the only spam that slipped through was anit-microsoft spam (curious no?).

Re:Who uses hotmail?

[harlows_monkeys]

Does anyone besides spammers use hotmail anymore?

Yes. A lot of ordinary users use it. Examining a database of customer addresses from people who have contacted technical support where I work, I see the following:

• 13.7% from aol.com
• 12.7% from yahoo.com
• 12.3% from hotmail.com
• 5.1% from msn.com
• 4.0% from comcast.net
• 3.1% from sbcglobal.net
• 2.1% from earthlink.net
• 1.9% from bellsouth.net
• 1.6% from cox.net
• 1.2% from charter.net
• 1.1% from verizon.net

Those are all the ones that are above 1%.

Re:Brilliant Move Microsoft. I salute you!

[Malc]

Complacent? Don't talk such rubbish. Gmail doesn't offer me anything worthwhile, so I stick with Yahoo.

I've had the same Yahoo address since about 1998. It's followed me from ISP to ISP, and country to country. I got sick of constantly changing my email address, be it personal, work or academic, which was my main reason for sticking with Yahoo. On top of that, they forward all email to my personal domain account, and tag spam in the process. I only use the web interface when I'm on the road, although I could set up a web interface on my own mail server. They also provide 2GB of disk space, which I doubt I'll ever need.

So tell me again, what is the "got to have" feature of Gmail? I certainly don't think I'm being complacent. Maybe you're just gullible and will jump at every piece of marketing foisted in your direction ;)

Re:Stop using Hotmail

[Slipped_Disk]

As I understand it, you're wrong:
> You still have a trusted list that will redirect straight to the inbox.

According to the SenderID docs from Microsoft, your "trusted list" will NEVER BE CONSULTED -- the INBOUND SMTP SERVER will reject the message if there is no SPF record published, or if the originating mail server is not in the SPF record.

Ergo your filters never run - the message is never delivered to them because it is assumed that the message is spam.

Someone correct me if I'm wrong.

Re:Brilliant Move Microsoft. I salute you!

[cmefford]

"Anyone who makes statements like this truely doesn't understand the purpose of SPF." Did I say spf was designed to stop spam? uhh, nope. SPF breaks things, and fixes nothing. A primer on some broken things; http://homepages.tesco.net/~J.deBoynePollard/FGA/s mtp-spf-is-harmful.html [tesco.net] As to me not understanding, that's an assumption on your part. I spent a lot of time in the marid working group. I thought this was a very interesting concept. I paid attention, I participated. I, as in *I* decided, that for my users, it held no value. I am certainly not at all alone in this point of view.

Re:One little problem: MSN Messenger

[Pxtl]

Because ICQ is a crufty old monster. Most of the people I know who use ICQ haven't used the official client in years - the official ICQ client is the fugliest piece of software I've ever seen. I use Miranda for both MSN and ICQ, but most of my friends have migrated from ICQ to MSN.

I think this is what happened: ICQ took a strangle-hold of Canada. Backwards Americans missed the boat. Then, Mirabilis/AOL ran ICQ down the tubes by bloating it into a monstrous, crufty piece of crap. As a reaction, users migrated to the IM program that was already residing on their computer (and, at the time, launched automatically when you opened OE).

Re:Home workers

[greed]

I'm not sure if this is going to be sarcasm or flamebait... but I'm saying it anyway. It's rhetorical, I'm not really asking the OP to answer.

Tell us again how that set-up lowers your TCO? Is it because you can't actually provide certain services to your users, and consequently you don't have any costs associated with them?

I have this rule: You want my money, you've got to do better than the free stuff. Pine can do SSL and SMTP Auth, I believe. My Palm can do SSL and SMTP auth. What makes Office so special? In a similar vein, how about Oracle providing an SQL interface with commandline editing like PostgreSQL does? And I don't mean in some sort of add-on, I mean it should be right there from the start. sqlplus is awful.

Re:One little problem: MSN Messenger

[mpontes]

Every man, woman, 13 years old girls and their dogs use MSN Messenger in Europe: that's exactly what makes the people I know stick with Hotmail. Many of them find it easier to get an Hotmail email to log on MSN than to sign-up for a Passport account and bind it to their existant email.

Why? I have no idea. I'm guessing it's Microsoft way of throwing "Sign-up for Hotmail!" signs when you're filling up your info in MSN Messenger.

Personally, I hate Hotmail. Yahoo! and GMail upgrade all their users' space at the same time. As for Hotmail, it still has my account at *2 megs*, the same limit it had since *1998*, when I signed up for it. I wrote an email to Support asking if they were planning on upgrading my account and they just advertised Hotmail Plus!, the paid version.
(joke)My guess is that they still have my account stored in an old Solaris box and they can't find where it is.(/joke) I haven't used my Hotmail account for a long time now, but I keep it around just in case some distant family member who got my email 5 years ago tries to contact me -- yes, it happens more often than I expected.

Re:Only if other ISPs go along with it

[killjoe]

The thing to do would be for everybody who does not want an MS dominated email infrastructure to reject all email from servers that publish SPF records.

Too bad nobody has balls to do that though. MS will own another vital infrastructure by throwing their weight around and shoving down everybodies throats. The rest of the industry will bend over and take it like usual.

It's kind of a abused spouse syndrome. They keep getting slapped around and they are too afraid to leave.

Re:Home workers

[Szaman2]

Tell us again how that set-up lowers your TCO?

Well.. TCO is not a real quantifiable metric - it is just a marketing ploy used to somehow convince people that the expensive proprietary software is somehow cheaper than the free software.

I would love to drop MS Office but we are so hopelessly locked in it's not even funny. Out clients use Word+Excell only templates, we use proprietary worpaper software which requires Excell and Access... And our users fear change. Several people threw tantrum fits just because we recently switched Dialup providers for the field employees and the had to *gasp* download and install new dialer software.

Switching them to another email client would essentlially mean that no work would get done for weeks while we spent 3+ hours on the phone with each field employee listening to their angry moans, and training them to use new software... Sigh...

I tell you - TCO is bullshit. Very often using MS products makes you spend more money than you otherwise would.

Re:Do as I say, not as I do

[Anonymous Coward]

Your assertion that Hotmail will only be using SPF v2 records to do the filtering is patently false.

The following comes from http://spf.pobox.com/senderid.html [pobox.com]

spf.pobox.com is responsible for the SPF concept, and was a partner with MS in developing Sender-ID. I quote:
--begin quoting---
spf2.0 records

I just published my SPF record. Do I need to publish an spf2.0 record?

Answer: probably not. By default, Sender ID will read v=spf1 records for checks against both identities. If a sender needs to distinguish one identity scope from another, it is welcome to publish spf2.0 records, which can be made specific to either the PRA or the MAIL-FROM. The vast majority of publishers are not expected to need to do this. Hotmail.com, for example, only publishes a v=spf1 record. So you probably don't need to either. You probably only need to worry about spf2.0 records if you're an ESP or have a contract with an ESP.

As of 20041110, this matter is still open to debate and is being actively discussed.
--end quoting---

Not a huge fans of Sender-ID either, but the assertion that an SPF2 record is required here ain't true.

Re:Brilliant Move Microsoft. I salute you!

[lawpoop]

"They also provide 2GB of disk space, which I doubt I'll ever need."

Do you think Yahoo would have given you those two gigs if gmail hadn't done it first?

"Maybe you're just gullible and will jump at every piece of marketing foisted in your direction ;)"

And how much marketing has Google given gmail? Absolutely none.

Re:Brilliant Move Microsoft. I salute you!

[thdexter]

Hmm.

I have a domain, glitterandtwang.org, which is hosted by suffusions.net. Suffusions.net has an SMTP server, but it requires authentication (in the form of having checked your email in the last 15 minutes over POP) and so I use my ISP's SMTP server. So my email is from dexter@suffusions.net, but it's sent from adelphia.net... am I going to be shitlisted by everybody with SPF and Sender ID?

Re:Brilliant Move Microsoft. I salute you!

[Fulcrum of Evil]

This doesn't stop spam, but it makes sure that no one can forge an address from your domain, unless it was really sent from your domain.

So, if I want to send mail from my personal domain, won't SPF screw me? I'm on speakeasy and, while they certainly are decent at CS, I doubt they'll add spf records for my domain.

Re:SPF spec author says: SenderID is crap

[wayne]

Now what's your option on DomainKeys?

I like the concept of using cryptographic methods to protect the mail headers and body. I think that is the most promising approach. That said, crypto solutions like DomainKeys is not without problems.

Crypto solutions breaks on way too many mailing lists and more than a few email forwarders because content is often added (ads on the bottom) or changed (spam/virus filtering), and this breaks the crypto signatures.

Also, there is also a real problem with replaying a message. You just can't distinguish a Yahoo customer sending a message to a large mailing list, and a spammer who signs up with Yahoo, sends a message to themselves, and then redistributes that correctly signed email to their list of 50 million victims.

There are various ways to try and solve to both of these problems, but none of the solutions are very clean and probably not very effective.

I think that if there was a nice, clean solution to the forged email problem, it would have been discovered many years ago.

I think the crypto solutions, and things like SPF (or DMP, or RMX, or any of the other LMAP-type solutions) can help each other out. SPF primarily fails on forwarded email, while the crypto solutions primarily fail on mailing lists. If all email uses both, it can help automate the detection of forwarders and mailing lists, and then you can know which system to use for each email.

DomainKeys is not the only crypto solution, there is also IIM, and META-signatures. I actually like the latter two better because I think they handle the problems with mailing lists better. Yahoo and Cisco have announced that they are merging DK and IIM into a single spec, but they haven't released the spec yet, and the details will be very important.

Domainkeys, like SenderID, has two other problems that could cause problems for the F/OSS world of email. First off, Yahoo has patents on DomainKeys and their license isn't (currently) compatible with many F/OSS software. I suspect that Y! will be much more willing to make changes to their license than MS was, but who knows. Secondly, like SenderID, it turns out that DomainKeys is already trademarked by someone else and this could cause lots of legal fun for the parties involved.

SPF already screwed me over

[Anonymous Coward]

I hate SPF. Ever since Yahoo implemented SPF, I can no longer list my yahoo email address as my "from" address when using a client email application, such as Outlook or Thunderbird.

I can't send email through Yahoo's SMTP server because the guys over at Cox Cable block outgoing SMTP traffic which all ISPs do.

SPF completely ignores the realities of today's internet connected world, and it's preventing me from using my email in the way that I want to.

GAIM is the solution

[benjamindees]

Each of the established IMs have millions or tens of millions of subscribers

That's why GAIM [sourceforge.net] is the answer. Everyone I've given it to loves it. GAIM is one of the most useful OSS apps available on Windows. It's handling of multiple IM protocols simultaneously easily trumps all other clients.

Re:Ambiguous praise

[mabhatter654]

The problem is that most of the bill paying IT managers are all still in love with whatever MS puts out. Coming from a medium sized company, our email servers are blocking 10,000 spams a day...not even addressed to valid user names. Add to that another several thousand that look "almost" legitimate... too close to call without actually looking... i.e. blocking by some kind of filter, attachment, images, HTML, etc. it's gotten so bad it ties up a full admin all day!

we need a "get in" based system and I think MS is trying to get some accountability on the ISP side.. of course the purpose of email is to contact people you don't know... that's what this wrecks. We need a new protocol like customized Jabber or some kind of pre-authorized opt-in agreement between companines. So I can pre authorize to your companies servers, then send away. of couse the OTHER big thing is SOX requiring all sorts of tracking and documentation.. SOX alone is enough to kill email as we know it... we need something between email, IM, slashdot, and blogs. Due to SOX "private" email will be dead at most companies anyway... so a more forum based alternative may be better.

Again, MS holds the current customers, but oss holds the long term lead. if we can get enough admins to switch over... we've got to gun for an incompatible exchange replacement and do it better.. if MS is calling it, then let's break it better..and faster... there's no way they could keep up.