Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Microsoft Spam

Microsoft Submits Email Caller ID to the IETF 173

NetWizard writes "Following on the heels of Yahoo submitting DomainKeys, Microsoft decided to submit their "Caller ID" anti-spam proposal as a draft to the IETF. This proposal tries to tie in IP addresses to the domain of the sender just like SPF does. To make things even more interesting, looks like SPF and MSFT's Caller-ID proposals are merging. On a related note, Yahoo submitted an IPR disclosure for DomainKeys to the IETF."
This discussion has been archived. No new comments can be posted.

Microsoft Submits Email Caller ID to the IETF

Comments Filter:
  • the origional (Score:3, Informative)

    by millahtime ( 710421 ) on Friday May 21, 2004 @04:31PM (#9220519) Homepage Journal
    Here is the origional [slashdot.org]
  • Why XML ? (Score:5, Interesting)

    by Space cowboy ( 13680 ) * on Friday May 21, 2004 @04:32PM (#9220535) Journal

    First off - I'm a great fan of XML - as a configuration specification format, it's great and I love it. I don't however think it's the solution to every problem - the BIND format is inherently non-XML, why not (if the proposal is to specify outgoing nameservers in the same way as we currently specify incoming nameservers) simply have an MO (Outbound :-) tag with virtually the same semantics as an MX tag (obviously a different payload, though, in the same way as MS propose) ?

    One of the reasons I love XML is that the configuration can later be extended without impacting on any parsers that only read version 1.0. Perhaps this *is* a good reason. Or perhaps it's a way of getting a standard out there that's easy to 'embrace and extend'. Paranoia? Perhaps.

    I do think it's a nice idea though, and it will stop a lot of spam - it will also make it far more valuable to 'own' the mailserver, with all of the implications thereof...

    Simon.
    • Didn't Microsoft file a patent on XML a few months ago? This could be microsoft's way of leveraging everybody onto Exchange servers.
      "Use Exchange or we'll claim patent infringment."
    • Re:Why XML ? (Score:3, Interesting)

      by nacturation ( 646836 )
      One of the reasons I love XML is that the configuration can later be extended without impacting on any parsers that only read version 1.0. Perhaps this *is* a good reason. Or perhaps it's a way of getting a standard out there that's easy to 'embrace and extend'. Paranoia? Perhaps.

      XML is great for extending *structured* data. I think you're right as far as DNS goes though... after all, coding for backwards compatibility in the current DNS format is as trivial as setting the server to ignore any unrecogniz
    • by MrChuck ( 14227 ) on Friday May 21, 2004 @05:13PM (#9220893)
      the BIND format is inherently non-XML

      which might be part of why there are SO FEW good managers for named (the binary via the config file) and DNS (the data within zones). There are things that WANT to do it, but they are few and far between.

      Me? I find that XML is often a hammer and oh, look at all the nails! This one is a nail.

      Mostly, you're right. It's GREAT for many config files. It's easy to parse, it's non-binary, the structure is self describing and it's EASY to present forms for managing something via web or curses or GUI.

      And that's a win.
      I'm tired of writing tools where each tool has to be intimate with the details of a config file and application. I'd rather be familiar with the DTD and use the "meta data" available. It doesn't make apps automatic, but it sure makes it easier to manage them.
      A stylesheet can easily convert managable XML data file into an inetd.conf file. (trivially easily).

      And perl/php/java can easily read in and write out XML files. My program just has to deal with the data structure that's been read in.

      Now, that said... XML is wordy and large.
      DNS (not BIND, DNS) struggles with large anyway. It's an ugly ugly hack/misuse to shove XML into several TXT records. Anyone remember trying to get PGP keys into DNS? We should it would be a great way to distribute them at least internally (where we controlled all the DNS servers). But TXT records won't HOLD a 1200 character blob.

      Doh!

      Again, we're looking for an LDAP type solution or at least in need of some infrastructure tools beyond DNS's hostfile replacement capabilities.

    • SPF (Sender Permited From) is conceptually very similar to the MO mail outbound idea you're proposing. The syntax isn't very MX-like though. But as to having it XML - please no! I can't ever imagine having DNS info stored in XML, it's just bloated featuritis at its worst. It will mean having to upgrade MTAs and nameservers, and all the config rewriting, for no real immediate benefit.

      See spf.pobox.com [pobox.com] for more info on the SPF spec. God knows what it will look like after the changes they're working on wit
  • by JessLeah ( 625838 ) * on Friday May 21, 2004 @04:36PM (#9220569)
    Either in terms of money or market share?

    They would not be doing it if it did not help them in one or both of those areas (and directly as opposed to indirectly, if at all possible)

    Microsoft is not a charity. Even when they do give money to charity, they have reasons that have nothing to do with simple kindness.
    • by spectecjr ( 31235 ) on Friday May 21, 2004 @04:46PM (#9220690) Homepage
      Either in terms of money or market share?

      They would not be doing it if it did not help them in one or both of those areas (and directly as opposed to indirectly, if at all possible)

      Microsoft is not a charity. Even when they do give money to charity, they have reasons that have nothing to do with simple kindness.


      You're wrong. Sometimes they do things just because.

      However, in this instance, they have MSN, Hotmail and Outlook. It'd be nice to have all of those services and apps spam free - it'd make their customers (who are complaining loudly about spam to them) happy.
    • oh, I don't now, maybe is savings from not paying for spamer's bandwidth?
    • by sjb21043 ( 685282 ) on Friday May 21, 2004 @04:53PM (#9220750)
      Lots of industry folks (MSFT, Dell, etc) have been reporting lately that a significant portion of their service calls come from either spam or spyware.

      Cutting service costs will definitely help the bottom line.
    • If they solve the spam problem, what a huge PR boost for a company often accused to be overly agressive (Mike Rowe?). With Longhorn ever farther off, and SP2 for XP just meat thrown to ravenous dogs, they could use some positive press.
    • 1. being able to filter out the bulk of incoming spam saves bandwidth, which costs money
      2. potentially, they could offer this as a paid service
      3. less abuse emails to wade through, meaning less support costs
      4. Exchange Server upgrades to support this

      etc. etc. The list goes on. Spam costs *everybody* money. Filtering it costs money. The ones that slip through cost money. Any way to reduce the amount of spam will directly add to Microsoft's bottom line even if you remove all revenue-generating aspects.
    • by Archfeld ( 6757 ) * <treboreel@live.com> on Friday May 21, 2004 @05:10PM (#9220874) Journal
      every one else can't as well. I 'trust' an entity will an obvious reason for their behavior, ie profit, much more than I trust a so called altruistic entity, fanatics are SCARY.

      Not to say that there is not cause for concern or need for extreme watchfullness but a stable net profits everyone, reducing spam to a manageable level in which a bulk nugget might even catch the light is profitable to everyone concerned, even the legit bulk mailers. I think the answer is to build an authenticated mail infrastucture at the tier-1 peering level, working with the DNS managers, and system and provide link points to the existing system...You could receive authenticated mail from a validated sender, marked as such, and continue to receive un-authenticated mail should you choose to. Gradually legitimate sources will migrate to the authenticated side, if it is worth snot that is, and the 'evil' spammers will be left dishing traffic that can be ignored or dealt with as user/provider see's fit. Much like they have done with news feeds today. The key issue I think if a wild user land style net is to survive, is to both let and force the businessess to assume much of the burden of the infrastructure and deal with the costs behind the scene. IE the big banks and VISA to make and provide a financial network, and allow vendors to establish a presence at their expense. Their motives are crystal clear, they are federally regulated on the use and disclosure of information, and they have a relatively good track record on security. I'd trust a bank or a casino to manage security and money long before I'd trust the government or another private interest. The thought of the UN managing somthing like that scares me silly, they'd decide it was in our best interest and for humanity as a whole to be 'gattica' marked or somthing equally pernicious. Oh well Cheers all and TGIF :)


      Salute to the Flames, MY HATS OFF AND HEART STILL WITH THE SHARKS, way to go guys, next season !!!
      5 year season ticket holder and true believer

    • and to agree with you, and negate with the other response...
      Microsoft gives out money or helps poor schools/communities for these reasons:
      Stock pump
      pushing the product out further
      tax writeoff
      license renewal 5 years down the road.

      either way they win, and the people they "help" pay up or are mere pawns and arent helped too much at all.
  • Similarities (Score:2, Insightful)

    by swordboy ( 472941 )
    I know that I'm just being stupid here but some history:

    When callerID was invented, the phone companies were making money on two fronts: first, they charged consumers for the service (which eventually became free) and they charged telemarketters for an "Unknown" callerID listing. Money on two fronts.

    It doesn't surprise me that Microsoft is behind this latest version of callerID for email. I'm sure that there's money in it for them somewhere.

    Just kidding.
  • by eric76 ( 679787 ) on Friday May 21, 2004 @04:37PM (#9220584)
    What we really need is a solution that is completely non-proprietary. A solution that no one company has any ability to control.

    Can you imagine what the network would be like today if Microsoft (or anyone else for that matter) had patents that allowed them absolute control over any of the common protocols (telnet, ftp, http, smtp, pop3, imap, ... )?
    • by hpa ( 7948 ) on Friday May 21, 2004 @04:41PM (#9220621) Homepage
      Well, that's where the IETF comes in. Most Internet standards (or other standards for that matter) have been proposed by companies; that doesn't make them bad.

      Note that the IPR filed by Yahoo is the clean kind: it says "we might have a patent on this, go ahead and use it for free as long as you don't sue us."

      This pretty much translates to "keep some S.O.B. from trying to running this past the patent office's feeble checking and suing everyone."
    • "What we really need is a solution that is completely non-proprietary. A solution that no one company has any ability to control."

      Call me cynical, but won't that mean 3 or 4 competing standards that nobody ever really relies on? There is such a thing as 'too much choice'.
    • The problem is that somebody could then patent it. So, then, you say "Well, Yahoo should patent it, and put the patent in the public domain." That's nice, but if you read the patent grant, it says that if you use DomainKeys, and somebody thinks you're infringing their patent, and they sue you, *Yahoo* (deep corporate pockets) can sue them for infringing Yahoo's patent license.

      The trouble with the patent office is that they have completely lost the concept of unpatentable subject matter.
      -russ
  • by Smallpond ( 221300 ) on Friday May 21, 2004 @04:39PM (#9220609) Homepage Journal
    Microsoft expects that when certain folks start needing new features
    that are not expressible in v=spf1, they can publish their records
    in XML and all the clients out there will be able to read those
    records.


    "certain folks" like Outlook developers, maybe?

  • by KalvinB ( 205500 ) on Friday May 21, 2004 @04:42PM (#9220632) Homepage
    Spammers are just going to use a DNS server to tie the domain to the IP.

    If I find an open relay in China I simply register a domain, use a DNS server (plenty of those around) to point the domain at the open relay and then fire away. This supposed "verification" is just going to check the domain and the domain is going to report that the IP is "legitimate."

    For awhile I had linux.icarusindie.com pointing to the IP of MS's web-site and windows.icarusindie.com pointing to linux.org's IP.

    MS's site fixes the url when you click a link on their site while linux.org kept my URL in the browser no matter where I went on the site.

    Ben
    • by Smallpond ( 221300 ) on Friday May 21, 2004 @04:45PM (#9220666) Homepage Journal

      That's fine. The goal of SPF is so you can't send mail claiming to be from paypal.com, or citibank.com. It isn't the end of all spam.
      • So would signing your email with GPG, but I don't see very many radical anti-spammers suggesting that. Because, you know, that's a simple solution that (a) can be gradually phased in, (b) doesn't require chaninging DNS, and (c) gives the end points of the network (the users) the power to decide what they want to do. No, much better to make the internals of the network smarter, because that's really more in line with the ideals of the Internet.

        But as I've always said: "Spammers are evil -- they make email
    • Spammers are just going to use a DNS server to tie the domain to the IP.

      The registrars are going to love that, since domain blacklists will quickly list any new domain they register and use to spam.

      Even at volume domain name pricing, it's going to add considerable expense and difficulty for spammers to constantly buy new domain names names... or reuse ones already on blacklists.

      Of course, whitelists will also probably develop in response to widespread adoption of domain name authentication.

  • by Anonymous Coward on Friday May 21, 2004 @04:48PM (#9220700)
    Both implementations have problems.

    With Microsoft's, it's just a matter of spoofing IP addresses also.

    Yahoo's idea is better, but it's worthless unless EVERYONE is using it. As long as there's one server out there not using it that you wish to receive e-mail from, you'll need to allow legacy e-mail, and thus spam through.
    • >> yahoo...legacy email...

      So I have my handy SpamAssassin give a healthy non-spam bonus to mail with the yahoo-version auth. The next spamassassin rev will do this by default for SPF.

      Forget about having a single solution, focus on having a working system overall.
    • DomainKeys is horrible. Not only do I have to do an extra DNS lookup on every mail message to get a key, I also have to do a cryptographic test. It adds no authentication better than SPF, since a spammer can generate cryptographic keys as easily as any other mail sender.

      • Not only do I have to do an extra DNS lookup on every mail message to get a key

        Yes, because DNS requests are so expensive.

        How many DNS lookups alone occur when you load the /. page?

        I think you know enough to understand that DomainKeys uses DNS but not enough to understood that these lookups are inexpensive. A little knowledge is a dnagerous thing indeed.

    • With Microsoft's, it's just a matter of spoofing IP addresses also.



      While technically possible, it is not practical. Spoofing TCP connections is tricky work not suitable for general use. In reality, it just doesn't happen much. Spoofing UDP and ICMP is common, but not TCP.

      -matthew

    • Sigh, no. First, it's worthwhile to Yahoo, because so many people forge Yahoo email. Because Yahoo will be an early adoptor, anybody who is blocking Yahoo but would really rather not need merely check the signature on Yahoo email, and refuse it if it's unsigned. Second, it will be worthwhile to Paypal, because you'll be able to trust email From: service@paypal.com because it'll be cryptographically signed. Third, even before everyone is sending signed email, you'll be able to hold unsigned email to a h
  • by Rick and Roll ( 672077 ) on Friday May 21, 2004 @04:49PM (#9220712)
    All of the posts I see so far are ones complaining about Microsoft having control over it. This is an IETF standard they're proposing. Microsoft has not sued over Mono. As far as I can see, they're not going to.

    Did it ever occur to you that Microsoft may be pushing for this because because they have some outstanding computer scientists working for them that want a name for themselves? Merging with SPF sounds like a great idea. The proposals will be inter-twined, and neither company will have absolute control over it. It will make Microsoft look good. That's all.

    And even if Microsoft doesn't merge with SPF, would this be a bad thing? Some of you with tin-foil hats might think so. But I think to say Microsoft will make the servers reject e-mail from non-Microsoft servers is a little extreme. What will happen is there will either be a standard that everyone can use, or there will be more than one thing and servers will have to implement all of them, in it's e-mail verification process.

    It seems like a lot of people who post here are from Red Hat.

    By the way, I don't support mass adoption of C#, I would like to see the OSS community make their own bytecode environment that is comparable to Java. I do think Mono is a fine platform for developing OSS/Free software, though.

    • by taustin ( 171655 ) on Friday May 21, 2004 @05:05PM (#9220845) Homepage Journal
      All of the posts I see so far are ones complaining about Microsoft having control over it

      Here's a compalint that has nothing to do with who proposes what:

      This suffers from the same flaw as SPF. The records in question are controlled by the spammer, so it will do nothing to reduce spam. If anything, it will increase it. Spammers already cycle through dozens, even hundreds of domain names per month. All they need to do is add the necessary SPF/Caller ID domain records - which will be completely automated in their automated "sign up for hundreds of domain names at a time" scripting, and their spam will get whitelisted by anybody who swallows what is being spoon fed them by Microsoft or the people behind SPF.
      • by pyrotic ( 169450 ) on Friday May 21, 2004 @05:50PM (#9221150) Homepage
        Usually DNS records take 24 hours for changes to propogate across the whole of the net. Some blacklists pickup spammers in the same kind of timeframe. So as a spammer, you'll have a very small window of opportunity from the moment your DNS records are valid to the moment you're on a distributed blacklist.

        A lot of spam we see comes at work from people with no reverse IP address. I would dearly love to block all mail from sources without a proper DNS setup, but there are too many legit correspondents out there.

        Greylisting [greylisting.org]is one solution we're looking at, where you give a temporary failure to incoming mail. Wait for a while, see if someone is still trying to send you that mail. If they are, chances are at least they're not a zombie ADSL PC.

        If only the original authors of SMTP could have seen the mess we're in now.
        • Usually DNS records take 24 hours for changes to propogate across the whole of the net.

          Unless the spammer sets the TTL to, say, five minutes. You can override that, but there are hazards to doing so.

          So as a spammer, you'll have a very small window of opportunity from the moment your DNS records are valid to the moment you're on a distributed blacklist.

          About the same window of opportunity that they have with disposable dial-up accounts, which have been a standard spammer trick for years. At worst, they
          • I'm trying to understand why email I sent today to Compuware was rejected. It seemed to indicate that it didn't like that fact that the IP it communicated through resolved to a different domain than the IP it receives email on and identifies itself as.

            I understand requiring that an IP resolve to a domain; but why do email servers reject it when this domain is different than the mail server?

            This is a legitimate setup where an email server can connect through a proxied connection like any other internall

        • > If only the original authors of SMTP could > have seen the mess we're in now.

          So ask Al Gore what he was thinking.. didn't he write the SMTP protocol right after the internet?
          /joke
        • Starting at the back: If only the original authors of SMTP could have seen the mess we're in now: I don't know who they are, but suspect that they can.

          My problem with this 'caller-id' stuff is completely different, and it is rather ironic that Microsoft is behind the proposal. An increasing amount of spam nowadays is coming from owned infected bots running Win2k or XP and on high-speed links. Ok, what happens if an owned bot sends off 10000 or more mails using a legitimate email address. If the email p
      • You misunderstand the purpose of SPF. It is not much of a solution in and of itself. It only garentees that email came from the domain it claims. The solitary benifits of this are small like you claim. However, once you have a garenteed method of tracking email back to a domain, you suddenly create the possibility for all sorts of measures.

        Suppose spammers did set up SPF. If they follow the spam laws it is trivial to filter all their mail at the server. If they aren't, it is trivial to prove that they are
        • Suppose spammers did set up SPF.

          Suppose spammers set up and SPF record for 0.0.0.0/0.

          If they follow the spam laws it is trivial to filter all their mail at the server. If they aren't, it is trivial to prove that they are breaking the law

          Suppose the spammer is using a DCHP IP address. Suppose the spammer is sending their spam through the corporate mail server at a major ISP (who let them, in a pink contract). Suppose the spammer is using trojaned machines in Europe and China, and other parts of the wor
          • Suppose spammers set up and SPF record for 0.0.0.0/0

            No effect. Though I suspect you're trying to say "what if the spammers spoof the ip of a valid email server", which is an issue but not a large one due to the way sequence numbers are generated these days.

            Suppose the spammer is using a DCHP IP address.

            Also no effect. The spammer must send "mail" from an IP that is associated with the SPF record for the domain they are claiming to send mail from. In other words, this prevents spammers from sending
        • Actually I think SPF will be FAR more valuable for curbing email born virus's then it will for curbing spam. As others have pointed out spammers can already register domains by the hundreds. The only kinds of spammers it will curb are the ones who use zombies to do their dirty work.
      • Say it with me:

        "SPF/Caller ID is not a 100% a spam prevention mechanism."

        _ALL_ these two services do is verify that the E-mail in question is actually coming from the domain it claims it is. No more mails coming from a Chinese open relay that claim to be from Yahoo, and hence, no false bounces back to innocent sources.

        If a spammer fires up a domain, publishes SPF records, and begins spamming away, you can pretty assuredly block that domain from your mail servers without worrying about stomping on anyone
      • It will do something to stop spam. Some spammers use other people's email addresses - I know, I've received batches of bounces on occasions. Some spam is from bounced MSFT Outlook email worms used forged froms taken from the victim's addressbook or inbox, which will also fail at the very beginning with this approach.
    • Are you kidding me? How can you be so naive? They're obviously trying to incorporate DRM into email. Do I have any evidence or basis for this claim? Well no, but then again do I really need any?

      My guess is that if they get their way every time someone sends an email a penny will go right into Bill Gate's bank account. This will coincide with a baby seal being clubbed. Jeez, what's next? Corner the tin foil hat market? Then I'll really be up a creek without a paddle.

      Face it, everytime microsoft doe
    • The fact that Microsoft hasn't sued over Mono is irrelevant. The fact that they legally can sue anyone over it, and have not, taken legal steps to remove their right to sue is.

      The fact that Mono hasn't yet captured enough minds to justify the expense yet might be the likely cause they haven't sued, for that matter.

      Think of this scenario:

      You are medium-sized ISP example.com, you want to grow big, and offer a spam solution based on Microsoft's offering. The standard doesn't interoperate with the IETF'
    • Deja Vu (Score:3, Insightful)

      > Microsoft has not sued over Mono. As far as I can see, they're not going to.

      I read that before. Back when FSF was urging everyone to avoid LZW compression (used by "compress" and "gif"), because it was patented by Unisys. FSF even introduced their own patent free "gzip" utility, and zlib library to be used in other apllications (unusually for FSF, even proprietary ones).

      There were also people harrasing the FSF for that, claiming they were fanatics creating unnecessarty disruptions (compress was th
    • Microsoft has not sued over Mono. As far as I can see, they're not going to.

      Why don't you think so? Suppose that Microsoft did want to kill Mono- if that were the case, they still wouldn't have sued yet.

      The optimum procedure to sue a competitor for patent infringement is to wait as long as possible. That way the opposition wastes the maximum amount of investment on projects that you can legally stop them from deploying.

      The chief example of this is the Polaroid-Kodak patent lawsuit. Polaroid waited u
    • Your post seems very naive. You trust M$ not to "embrace and extend" (hijack) email, once they dominate a standard they've developed as part of their new wave of DRM software. I don't trust them; I have no reason to, because they've destroyed that kind of trust in every way during our cotemporaneous 25 years in the computer industry. They'll start manipulating Mono when it suits them - just "not suing" is manipulation, as they retain control over a platform that's capturing lots of developers who otherwise
  • by Anonymous Coward on Friday May 21, 2004 @04:55PM (#9220779)
    Microsoft cares about spam for a reason: Microsoft owns Hotmail. Any technology that helps get rid of spam increases the value and usefulness of e-mail overall. And if everyone uses e-mail more, then that includes Hotmail users. (If Hotmail can take advantage of some of these technologies before its competitors, then that doesn't hurt either.)

    This isn't the only thing Microsoft is doing to combat spam. They have a number of PhD's working on the problem at MSR. For the web page of just one of them, see the following:

    http://research.microsoft.com/~joshuago/

    So relax! Microsoft realizes that improving the computing experience of their users is in their best interest. Fighting spam is just one way to do that.
    • ...and patenting those methods and licensing them in a way that is incompatible with the GPL is another way Microsoft wants to enhance computer users' experience: by making them move to Windows + Outlook!
  • by Mustang Matt ( 133426 ) on Friday May 21, 2004 @04:59PM (#9220811)
    I say let them do whatever they want.

    If nothing else it will encourage us to come up with our own standard that's open and better.
  • PATENTS? (Score:4, Insightful)

    by IGnatius T Foobar ( 4328 ) on Friday May 21, 2004 @05:01PM (#9220817) Homepage Journal
    Doesn't Microsoft hold a patent on their 'Caller ID for email' specification? Are they dedicating the patent as part of their submission of this spec to the IETF?

    Or is this Microsoft's attempt to not-so-subtly obtain a lock-in on email?

    This question must be VERY CLEARLY answered before anyone moves forward.
  • What I mean is - what it will cost me to upgrade to Exchange XX so that I can use these new features on my mail server at work? For my linux mail servers, no prob - I'll just upgrade to the latest version of sendmail when it supports these new spam fighting features. But, I have a feeling if my company were to purchase Exchange 2k3 right now, we'd just have to buy the next version that has all this built in. Damn closed, non-free software.
  • by mengwong ( 444067 ) on Friday May 21, 2004 @06:01PM (#9221221)
    This message is intended for organizations that do a lot of forwarding, like acm.org and ieee.org, as well as the vanity domain providers.

    During the development of SPF, we have tried very hard to accommodate your perceived concerns, because the biggest problem with SPF-against-2821, as many people have noted, is that it breaks forwarding. But your perceived concerns might not be your actual concerns.

    It would be really great if the people who might be hurt by what we're planning could get involved in the discussions, so we could ask you whether we guessed right, and if there are better ways to reduce your pain.

    So, if the postmaster at acm.org happens to be reading this, or if anyone reading this knows the postmaster@acm.org, please ask them to subscribe-spf-discuss@v2.listbox.com

    Postmasters at other places like acm.org too.

    Thanks,
    meng
    from Redmond
    • I want to know how SPF/Caller ID (systems with severe side effects) can be seriously proposed without any reasonable attempt to deal with the throwaway domain problem. The SPF folks have some vague hand-waving about trust networks theoretically being a fix, but if we allow a trust network infrastructure, we can provide much better systems (such as signed-by-the-user email) that would eliminate security problems, not have many of the nasty side effects that the Caller ID/SPF proposals do (like the inability
  • This is a step in the right direction (and maybe we should be practical and take what we can get), but...

    Spammers can still use zombied PC's or throwaway ISP accounts to send out their spam, and they'll look good enough to pass the "caller-id" test.

    I've thought about this problem some (although I'm not an email expert), and I believe that what is also needed is a way to throttle the email output of individual users (so that joeblow@yahoo.com can't send out thousands of emails a day). This would necessa

    • Spammers can still use zombied PC's or throwaway ISP accounts to send out their spam, and they'll look good enough to pass the "caller-id" test.

      What the problem is about is more that SMTP doesn't allow some kind of verification of the source. With these proposals the source verification is added.

      In your first case, that's a matter of host security, not SMTP security. In your second case, that's just plain evil of them but nothing SMTP can do about it.

      Edwin
  • by jgardn ( 539054 ) <jgardn@alumni.washington.edu> on Friday May 21, 2004 @07:30PM (#9221822) Homepage Journal
    According to recent posts by Meng Weng Wong (author of SPF) to the spf-discuss list, the "new SPF" will incorporate features of Caller ID.

    In general:

    * The RFC 2822 FROM header will be duplicated in the RFC 2821 header. Mail servers will say:

    MAIL FROM: <original@original.com> RFROM: <me@me.com>

    * SPF rules (which were basically the same as Caller ID's) can specified in either text or XML.

    * A new DNS record type for SPF will be used rather than TXT.

    But don't take my word for it. Go read the posts here:

    http://archives.listbox.com/spf-discuss%40v2.lis tb ox.com/200405/0198.html
  • I read throught this briefly and have one question. What do they mean by 2821 and 2822 checking? Validating the email against RFC's?

    From the sounds of the article, that alone would accomodate most of the trapping that they need to do. If that's true, then why don't we just reconfigure the mail servers to be fully RFC compliant in their expectations and if you're email isn't going to be fully RFC compliant then you get bounced?

    Why don't we just have the mail senders do what they are expected to do for s
  • Add the ability to block a whole domain name in the Junk Email feature in Outlook 2003.
    It has the ability to add a whole domain as Safe Senders but nothing for adding a domain as Rejected.
    However it is decent as it is right now

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...