Sender-ID Back From The Dead

NW writes "Microsoft's Sender-ID standard has been left for the dead since the rejection earlier this fall by the IETF. According to a Reuters story, it has been revised and will be resubmitted to the IETF. Along the way, Microsoft managed to pick up AOL's endorsement of Sender-ID. My humble analysis appears here."

AOL Endorses it, huh?

[mg2]

Being that AOL's marketing strategy is based somewhat on spam (the cds you get in the mail, the "Sign up for AOL" icons that appear on your desktop), doesn't that kind of hurt the legitimacy of that endorsement? I dunno, if the guys offering me home loans and viagra said this was good technology, I might think twice.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:AOL Endorses it, huh?

[theCoder]

"Friendly mailer"? That's a laugh.

AOL (and their properties) is the single worst email provider on the planet. They routinely drop email and often bounce legitimate email. They may claim they prevent 10 million quadrillion spams or something, but I'd guess that a good percentage (though not a majority or anything) are legitmate emails falling victim to their "policies".

They use their large size to bully people around, like they did to you. If some small ISP was bouncing your mails for the same reason, would you have begged to get off their bounce list? AOL blocks mail from large swaths of IP space because they "might" be sending spam. Heck, I have RoadRunner (which is an AOL property), and I can't even send mail to other RoadRunner users because as a RoadRunner user I'm probably sending spam!

I've had AOL bounce emails because I PGP signed them, which IMO is the best form of "sender-ID" there is (and anyone serious about getting rid of spam would support this, but very few actually do, probably because it would mean taking responsibility for the problem). But according to AOL, it's probably spam, so it got bounced! (in this case, it was a user setting to bounce mail with attachments, but shame on AOL for not realizing what a PGP signature was and allowing/endorsing it)

AOL's policies are not conducive to a good Internet neighbor. AOL and their arrogant policies have always been bad for the Internet. Anything that AOL endorses automatically raises my suspicion. Nevermind the fact that as the OP stated, AOL popularized the idea of spam with their mass mailings and selling of email addresses (way back in the day before they realized what a bad idea that was).

If you really want your personal email account to be like AOL, just setup a procmail filter that deletes/bounces half your mail.

Re:AOL Endorses it, huh?

[nvrrobx]

Heck, I have RoadRunner (which is an AOL property), and I can't even send mail to other RoadRunner users because as a RoadRunner user I'm probably sending spam!

I was a RoadRunner customer for two years (until two months ago) and I regularly email other RoadRunner customers (my mother, for example). Next?

(in this case, it was a user setting to bounce mail with attachments, but shame on AOL for not realizing what a PGP signature was and allowing/endorsing it)

An attachment is an attachment is an attachm

Re:

[account_deleted]

Comment removed based on user account deletion

Re:AOL Endorses it, huh?

[Malc]

From a mailer's perspective, I think the biggest complaint about AOL would be that it's almost easier for recipients to indicate a message is spam than it is to delete it. On the plus side, AOL have implemented a feedback loop mechanism. This way people who think something is spam can be quickly purged from a list and everybody remains happier.

Re:AOL Endorses it, huh?

[feloneous cat]

18 million users means you care a heck a lot more about the impact of spam than pretty much any other network in the world.

Not exactly how you intuit that!

In fact, I suspect EVERY ISP will argue that they care a lot about spam. I know my local ISP cares (it sez so on their web-site!). I know that Cox Cable does (sez so on their website), yet when I tracked down spam FROM THEIR NETWORK and sent it to them what was the sound I heard?

Silence.

Yeah, they care. Very little.

Licensing changes?

[Fnkmaster]

Humble analysis aside, does anybody have any real information on whether there are licensing changes? If not, this end-run-around attempt should be reacted to with extreme prejudice. Kill these fuckers. Seriously. Or at least killfile them. Blackhole email from AOL if they subscribe to and back Microsoft's standard. A large scale campaign for a few days, and they will change their mind again real fast.

If we have learned nothing from watching AOL feast on Netscape's corpse it's that there are LOTS of execs at AOL with radically different ideas about ways to do things, and they change their mind on a weekly basis. Exert a modest bit of pressure and they can be made to bend over like the fitty cent whores they are.

Re:Licensing changes?

[Anonymous Coward]

...there are LOTS of execs at AOL with radically different ideas...

Yeah, just watch those stupid commercials they have about how their customers can "help them make the Internet better", like the one with the stupid lady who stands up on the executives table while they are having a meeting. As if they are "the Internet". I know there was a time when they were one of the only big ISPs on the block, and they brainwashed their customers into thinking that they were infact, the Internet. But those days are

Re:Licensing changes?

[andywebz]

I wish those days were long gone. And those "we are the internet" ads do piss me off. However, my fiance's father IS one of those people. He comes to our house and asks how to "log on". He can't fathom that just opening the web browser gives him access to the internet. Where is AOL? Prodigy? (Yes, he was a die hard prodigian) How are you already logged on? Is he an exception to the rule, or indicative of the masses?

Re:Licensing changes?

[dtfinch]

Blackhole email from AOL

I doubt it'll affect anything. They already blackhole so much of their incoming email, it's near impossible to talk to most AOL users except through AIM. AOL is their own little world.

Re:Licensing changes?

[metlin]

AOL is their own little world.

And... that is bad how?!?!

Do you really want them little tiny-tot AOLers coming at you?

It seems you've been leading two lives, Mr. Finch. In one life, you're a nice Slashdotter, with excellent Karma who even M2Ms reguarly. In another life, you're an AOL user. You use AIM, chat with 14 y.o. with teenage girls and help your landlord find his pr0n.

One of these lives has a future, one of them does not. ;-)

What do I think???

[adam31]

Oh yeah, when I want to know my opinion the first thing I do is see what AOL thinks.

...right after holding my wetted finger to the slashdot wind, of course.

Re:What do I think???

[Zork the Almighty]

.. so you can do the opposite ? Seems like good advice for me. Notice how the popularily of Firefox exploded right around the time that AOL adopted IE for their browser.

AOL is the 90 Chimp

[jm92956n]

AOL is certainly not a highly respected corporation, especially in the tech-world. They've agreed to ally themselves with Microsoft for this particular issue, but until some other notable corporations or organizations (particlarly Yahoo!, Google, and Apache) accept sender-ID as a "standard," there's no way it will make any difference in the fight against spam.

Re:AOL is the 90 Chimp

[ipfwadm]

AOL is certainly not a highly respected corporation, especially in the tech-world. They've agreed to ally themselves with Microsoft for this particular issue, but until some other notable corporations or organizations (particlarly Yahoo!, Google, and Apache) accept sender-ID as a "standard," there's no way it will make any difference in the fight against spam.

Perhaps their endorsement doesn't mean a whole lot in terms of driving sender-id forward, but given the sheer number of @aol.com mailboxes, their

Re:AOL is the 90 Chimp

[jonwil]

What reason would Apache have to do anything with Sender-ID?
Sendmail perhaps but not apache...

SpamAssassin

[Deorus]

> What reason would Apache have to do anything with Sender-ID?

Perhaps because of SpamAssassin [apache.org]?

Quoting ASF:

Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API so it can be integrated anywhere in the email stream. The Mail::SpamAssassin classes can be used on a wide variety of email systems including procmail, sendmail, Postfix, qmail, and many others.

Since SpamAssassin is not limited to only one MTA and its purpose is to filter spam, the Apache Software Foundation need

Re:AOL is the 90 pound Chimp

[jm92956n]

From what I've seen, AOL has a large amount of respect in the Anti-Spam community.

Let me first expand on my original statement. Wall Street does not look highly upon AOL: they dramatically overpaid for Netscape, a division that is, for all intensive purposes, dead; they were involved in one of the most under-reported merger scams of the past decade (Time Warner, a long-profitable company was, many believe, duped); and their growth prospects are extremely limited. They've proved their inability to display original content, and the slow atrophy of their user-base has begun.

The user community, too, has a seemingly endless list of complains--those who remember their growth problems (myself included), the constant busy-signals, buggy and bloated software, high prices, and extremely poor technical support--they place the blame soley with AOL, regardless of who is at fault.

But you argue that the anti-spam community respects AOL? I would disagree. True, they've pursued legal action against several high-profile spammers, but I would normally expect far more from a company with legal abilities such as theirs. They've acted in their own interest, and not in the interest of their users (not surprising, of course, as their obligation is to the shareholder, and not the consumer).

AOL could have, and indeed should have done more; they, however, have remained largely apathetic.

Re:AOL is the 90 pound Chimp

[Gondola]

I'm not sure how someone who uses the phrase "for all intensive purposes" could be moderated insightful. It's "for all intents and purposes."

Re:AOL is the 90 pound Chimp

[fatphil]

Yeah, the "moderators" should of noticed that. If they had, probably they all of the sudden would have changed their minds about moderating. I have a deep-seeded hatred for such errors, they make me loose my mind. However, moderators do have free reign.

However, attacking the intended payload due to presentation issues (inability use a pat phrase correctly) is a classic Logical Fallacy. Some people spend so little time with authoratitive written material that the correct forms may never have been seen, and

Re:AOL is the 90 pound Chimp

[Darren Winsper]

And yet you used the phrase "should of."

Re:AOL is the 90 pound Chimp

[Des Herriott]

Not to mention "they all of the sudden" and "loose my mind" (why, was it too tight?)

Re:AOL is the 90 pound Chimp

[xigxag]

1) Inappropriate scare quotes around "moderators."
2) Should of -> should have
3) All of the sudden -> all of a sudden
4) Deep-seeded -> deep-seated
5) Loose -> lose
6) Free reign -> Free rein
7) Authoratitive -> authoritative (probably a typo)

Do you think, maybe, this was supposed to be funny?

Re:AOL is the 90 pound Chimp

[putaro]

Pedantic authoritative written material:

should of noticed

should have noticed (notice that this is grammatical and makes sense. "Should of noticed" makes no sense and is a result of listening to people who do not enunciate)

authoratitive written material
authoritative written material

Re:AOL is the 90 pound Chimp

[pjt33]

I have a deep-seeded hatred for such errors, they make me

loose my mind.

Where's the +0 Ironic mod when you want it?

Re:AOL is the 90 pound Chimp

[Fulcrum of Evil]

have a deep-seeded hatred for such errors, they make me loose my mind.

Um, 'Deep seated' and 'lose'. Grammer flames must include an error - it's the law.

Re:AOL is the 90 pound Chimp

[cbiltcliffe]

Well, he could have meant the Netscape division doesn't have an intense purpose within AOL anymore.
It's just a lame advertising division, with no intensive purpose. :)

Ok, ok...I'm stretching, there. His grammar sucks. Really.

Re:AOL is the 90 Chimp

[gujo-odori]

I've been in the anti-spam community for years, currently professionally so, and my respect for AOL is both recent and shallow. As a force against spammers, they're a Johnny-come-lately, and I remember well the days not so long ago when the only spam AOL cared about was inbound spam, but outbound spam was a complete non-issue to them. Inside of AOL was one of the safest places for a spammer to be, once upon a time.

There was a spam ring operating *inside* of AOL in the late 1990s that routinely joe-jobbed the ISP I was working for at the time. Entreaties to AOL fell on deaf ears. This joe-job went on for about a year, almost non-stop. They seem to have chosen us because we were very effective at blocking their spew and our 550s weren't always polite :-)

I believed then, and believe now, that the only way a spam ring could operate so brazenly for so long and in the face of all complaints, was if it was an inside job: a spam ring being run by AOL employees, possibly without the knowledge of AOL management, but almost certainly with the complicity of the AOL abuse department; it could even have been them doing it.

I freely admit that I cannot prove any of this and it is all conjecture based upon circumstantial evidence, but lest you start sniggering about tinfoil hats, let me tell you the final chapter in this saga.

After about a year of this almost constant joe-jobbing, my then-employer was bought by a much larger ISP and hosting company, one with enough guns/money/lawyers to make even AOL pay attention. We, the beleaguered engineering department of this smallish ISP, where I was at the time the especially beleaguered postmaster, took our plight to our new parent company's abuse department, who said they would try to help. After not getting much farther than we did, they put us in touch with our new parent company's legal department, who didn't say they would try to help. They said they *would* help.

And lo and behold, not long after the legal department got involved, the spam just stopped. Not just the job-jobbing, but also the large amount of spam directed at our customers from the same spam ring. It went from thousands of direct messages (for an ISP with less than 50,000 customers that was a lot) and thousands more joe-job bounces every day to nothing. Zero. Not a single mail from that ring ever reared its ugly head on our network again during the further three years I worked there.

How could such a thing happen, after constant whining from AOL that they were powerless to prevent it (that was before they started ignoring us entirely)? I can think of only one plausible way, with two scenarios. In both, it's an inside job.

Variation one: after our new legal department took up our cause, that got AOL's attention to a sufficient degree that an actual investigation was opened, the perps were caught, and they were all fired. The trouble with this scenario is, if they were fired, why did they not joe-job us even harder in retaliation for losing their jobs?

Scenario 2: after our new legal department took up the cause, words were spoken to the proper people and it was made clear that they had to leave us alone and find some other victim because we were no longer some piss-ant regional ISP in a niche market, but now part of a big, strong company that could and would sue them if they didn't back off.

Needless to say, I find one of these scenarios far more likely than the other, and I find my respect for AOL still a bit thin, even though they have gone after some spammers and successfully sued them. Their new embrace of the still patent-encumbered Sender-ID doesn't exactly raise them in my estimation.

Re:AOL is the 90 Chimp

[ahodgson]

Of the large ISP's, AOL has done probably the best job of solving their outbound spam problem. Compared to sewers like MCI, SBC or Savvis, they look and act like utter angels.

AOL support for this is huge.

[Maul]

With AOL using this standard, Microsoft gets a huge chunk of marketshare for it.

Microsoft has one goal in all of this: To lock Open Source out of a standard, and then launch FUD campaigns about how Open Source refuses to support Sender-ID (because MS will charge an insane fee for licenses, but MS won't mention this) and thus helps spammers.

Re:AOL support for this is huge.

[swillden]

because MS will charge an insane fee for licenses, but MS won't mention this

MS won't charge an insane fee. They won't charge any fee, and they'll use that as part of their argument that the open source community is a bunch of whiners with not-invented-here syndrome.

What they will do license their patent under no-fee terms that nevertheless exclude any Free Software from using it. Packages under BSD-like license, and commerical packages, will be fine but anything similar to the GPL will be incompatible with the MS patent license.

Basically, they're testing a new variation on the tried and true "Embrace-Extend-Extinguish" formula, only the incompatibilities are legal, not technical.

Or not... mabye with their renewed attempt to get Sender ID adopted they'll provide kindlier license terms? I'm not holding my breath.

Re:AOL support for this is huge.

[scruffy]

A no-fee patent in exchange for BSD licensing sounds like a fair compromise to me. Is this actually the case or are you speculating?

Re:AOL support for this is huge.

[swillden]

A no-fee patent in exchange for BSD licensing sounds like a fair compromise to me.

It does? Sounds like a terrible deal to me, given that there are other options -- including the already-implemented SPF -- that don't require any patents at all.

Is this actually the case or are you speculating?

Assuming MS is offering the same licensing terms they were before, it's really the case. See Larry Rosen's analysis is included in the Apache Foundations position [apache.org].

Re:AOL support for this is huge.

[ahodgson]

Their current license prohibits redistribution of any source code implementing SenderID, regardless of license. BSD vs. GPL this is not.

Re:AOL support for this is huge.

[Fulcrum of Evil]

What they will do license their patent under no-fee terms that nevertheless exclude any Free Software from using it. Packages under BSD-like license, and commerical packages, will be fine but anything similar to the GPL will be incompatible with the MS patent license.

Big whoop. Build a module that implements their patented juju and runs as a daemon, write another module that talks to the first module via some sort of IPC, and release the first module under BSD. We still have the problem of patent-encumbe

Re:Not that some skepticism isn't justified...

[_Sprocket_]

And so Microsoft has a golden oportunity. They can help reduce costly spam incoming to their networks (corporate, hotmail, msn, etc.). They can help reduce one of the most popular vectors for malware that has a negative effect on adoption of their software. AND they can pull off a major warm-and-fuzzy PR move to counter the expanding cadre of IT types who have come to distrust, if not lothe them.

What do they do? Play licensing shennanigans.

Sketpicism is very much justified.

Re:AOL support for this is huge.

[lawpoop]

Guys, don't worry, remember that MS can't fight open source. There are too many ways around them. No matter what license they use, or what fee they charge, you make make some kind of module or plugin under that license. If they do have a license that comes out and says you can't have it interoperate with open source, then it will be obvious that they aren't playing fair. They will be openly stating it themselves. They will have no room to blame open source.

Re:AOL support for this is huge.

[_Sprocket_]

Of course, Microsoft doesn't have a history of hiring assassins and experts in mass murder. They just now have awoken to the possibilities of participating in politics - though have no history of interest in actually running for office.

They do, however, have a history of "embrace and extend", FUD, user lock-in, and other such business tactics. Heck - there are even publicly-available memos on some of these subjects.

It would seem that there IS more support for the parent than your comment. Unless, of co

Re:AOL support for this is huge.

[_Sprocket_]

Proof that astroturfers have been taking Jedi lessons.

AT: This is not the business practice history you are looking for.

/.: Apparently the past 15 years of corporate history was just some crazy nutjob's black-helicopter theory.

AT: Microsoft is misunderstood.

/.: Ya know what - screw this OSS crap. We should be working on how to send Microsoft more money! They're so cuddly!

Re:AOL support for this is huge.

[Maul]

Sorry, I'll bite.

What do you call their current FUD campaign against Linux (the "Get the Facts" campaign) then, except as an attempt to dissuade people from using Linux and Open Source?

Are you trying to tell me that Microsoft would NOT like Linux and Open Source Software to disappear?

One of Microsoft's major business practices has classically been to lock people into their software through proprietary standards. A clever anti-spam standard would be a huge selling point towards using Microsoft's software

AOL's support is solid

[Dancin_Santa]

The reason they, and the rest of the IETF rejected the original Sender ID proposal was because it seemed to go out on its own track with no regard for other schemes that do similar work. To have incorporated and accepted Sender ID at that time would have meant that other ideas like SPF would have been left by the wayside and Microsoft's vision of email would be dominant.

That whole thing was rejected, thankfully.

Now, Microsoft seems to have actually taken a look at the concerns surrounding their original proposal and formulated a new Sender ID scheme that is inclusive of other existing schemes such as SPF. AOL put a lot of effort in developing this kind of technology and now Microsoft's proposal finally includes them too.

What it sounds like from the Yahoo article is that Microsoft's Sender ID is at best a superset of all authentication schemes and at worst a compatible, though competing, technology. Neither of those are bad things. I think AOL realizes this for what it is, Microsoft actually trying to do something useful to help the ailing email system.

The Sender ID scheme seems to allow for further developments that may or may not be based on Microsoft technology but still be fully compatible nonetheless.

Re:AOL's support is solid

[bcrowell]

Dancing Santa got a -1 Score for suggesting Microsoft is doing a good thing?
You must be new here ;-)

Re:AOL's support is solid

[dtfinch]

In Soviet Russia, a good thing is doing Microsoft for suggesting a score of -1 that gets new Dancing Santa here who must be You! (-;

Re:AOL's support is solid

[killjoe]

Yes because it's so hard to believe that MS would do any good thing. They have always made money by embracing and extending standards. They have said many times that that's their strategy. They don't have ONE product on the market that has not either broken a standard or extended one.

So when Dancing Santa says something that is so obviously not true he should be modded down.

Re:AOL's support is solid

[RdsArts]

And why, pray tell, is Microsoft trying to do something useful to help the ailing email system? Where's the profit in that?

In selling OSes. It's rather hard to sell a item that brings little more than annoyance, and when 99% of people do little more than browse or read email, spam can be a major deal breaker.

</advocate class="devil">

Yet the problem has not changed.

[dtfinch]

You can't make a standard anymore if you hold a patent and are unwilling to grant a free license. Submarine tactics are just too popular these days. Fool me once, shame on you. Fool me 20 times, shame on me. Nobody buys into this "don't worry, we're just defending ourselves" crap anymore. They all start out that way, but without a real license we can use, it's just an empty promise.

Unfortunately for Microsoft...

[shaneh0]

Unfortunately for Microsoft many IT decision makers refuse to even weigh the merits of this idea before discounting it.

SenderID is not perfect, but if a more 'neutral' company like Sun, Apple, Google, etc introduced it, it would have at least been given a fair shot.

Instead of saying "SenderID is bad because of XXX and, by the way, M$FT Blows" they would be saying "SenderID is bad because of XXX but here's how it could be made better"

Re:Unfortunately for Microsoft...

[westlake]

Unfortunately for Microsoft many IT decision makers refuse to even weigh the merits of this idea before discounting it.

Decison makers do not ignore a move by a company as rich and powerful as Microsoft, nor do they take at face value the neutrality of potential rivals like Google.

Re:Unfortunately for Microsoft...

[shaneh0]

Are you trying to say with a straight face that there isn't a large technical population that immediately discounts everything Microsoft does just because it's Microsoft that's doing it?

Of course they don't "ignore" it, but they don't evaluate it fairly because they see everything thru their "anti-microsoft" filter.

Of course, most IT professionals don't think this way but you wouldn't know that by reading Slashdot.

I don't know what world you live in where all "Decision makers" balance everything fa

Re:Unfortunately for Microsoft...

[SillyNickName4me]

> Are you trying to say with a straight face that there isn't a large technical population that immediately discounts everything Microsoft does just because it's Microsoft that's doing it?

I'd think that those are not the people taking decisions however.

Microsoft Deserves Scepticism

[twitter]

Instead of saying "SenderID is bad because of XXX and, by the way, M$FT Blows" they would be saying "SenderID is bad because of XXX but here's how it could be made better"

No, people say things more like, "companies, like Microsoft, Hashcash, and Goodwill Systems, are more interested in making money off of the volume than in solving the problem." [java.net] Microsoft has earned distrust again and again. It's not what they say, it's what they do that counts. People can see and remember how Microsoft performs. Th

Sender ID (PRA) is the wrong solution anyway

[linefeed0]

PRA appears to me to have been written because MUAs (as opposed to MTAs) do not consistently deal with envelope addresses, MAIL FROM, and the resulting Return-Path header. It adds complexity to the outgoing MUA to make sure that the PRA is the same as the envelope from. The incoming MUA will have to follow the PRA algorithm to figure out who's responsible for the mail, rather than just make the Return-Path accessible for spam filtering. The overall feeling is that the designers assumed people couldn't understand how to deal with the return path, so they replaced it with something more complicated and broken.

Standards require implementors to implement

[dwheeler]

It's nonsense to think that something should be a standard if the implementors can't implement it. If the patent issues have been removed (say by dropping the absurd requirements, or by the patent office rejecting the patent), then great. But it's not reasonable to try to use a standards body to prevent alternative implementations. The whole purpose of a standards body is to define standard interfaces that everyone can implement. Since there are many important open source software implementations of these interfaces (in this case for MTAs), then the standards need to be implementable by open source software. If not, then the IETF should just send it right back; nothing important has changed. The problem is legal, not technical, and it requires a change in legal situation.

If only AOL would use SPF or S-ID!

[WoodstockJeff]

For many months now, I've published SPF records for all domains under my management. And every day, we get AOL trying to bounce messages allegedly from non-existant addresses within those domains... If AOL were really using SPF to reject spoofed mail as it arrives at their gateways as they've said they were going to [aol.com], they'd have never accepted the spoofed messages, and I'd knock about 3% off my server load...

Re:If only AOL would use SPF or S-ID!

[mattdm]

They really can't do this until something like SRS [pobox.com] is widely adopted. Otherwise, hard-enforced SPF breaks forwarding. (Soft-enforcing -- a warning message, which could be disabled by someone who knows they're forwarding their messages through a non-SRS-aware server -- is an interim step.)

Here's what bothered me...

[Mike deVice]

From Netwizard's Blog:

The FTC and NIST are holding a joint summit on email authentication in two weeks in Washington, DC (during the same week as IETF's 61st conference). They hinted earlier this year that if the industry does not come up with a standard for authentication, the feds might impose one.

Could the FTC actually do this? I wasn't aware that they had any authority over internet standards. The internet isn't some corporation, or the sole property of any business, even if some companies wish it were.

killing open source through hassles

[geg81]

This is what Microsoft says:

It s important to note that the license is only relevant to those organizations (ISP, large enterprises)who will be checking e-mails using the PRA check alternative of the Sender ID Framework need to secure a license.

Think about the consequences of that. Even if Microsoft follows through on its promise to make the license available "for free" to anybody, it means that if you buy a Microsoft mailer or a mailer from a sublicensee, you can just install it and run it. If you install an "open source" mailer, however, your legal department needs to execute a licensing agreement with Microsoft's legal department. The costs and delays resulting from that alone make the "open source" mailer uncompetitive, no matter how much better it may be than Microsoft's products.

That is why the official open source definition does not allow such patents: if software implements such a patented invention and requires a licensing agreement with Microsoft, that software simply is not "open source", even if it it is distributed under the text of an open source license--the existence of the patent and licensing requirement makes it not open source.

it maybe a good solution

[Exter-C]

It maybe a good solution but isnt the whole point of email that its globally compatible with open standards. Yes that may have been the failings of smtp/standard email delivery with the massive increase in spam. But realistically having a patent based email system inhibits the majority of email on the internet.

I personally dont know of any ISPs that use exchange as thier ISPs platform. the only large scale internet exchange setup that I know of is hotmail...

So in microsoft and aol trying to adopt this sys

Maybe It Isn't...

[EXTomar]

"Sender-ID" is like a digital signature which is fine and dandy except when you read to much into it. Knowing an email comes from a particular server doesn't indicate whether or not it is spam just like signing "malware.exe" with a signature doesn't mean it is okay to run.

Signatures only verify it comes "blessed" from a source. If the source is bogus then it doesn't matter if it is signed or not. Putting too much faith in "Sender-ID" opens a whole lot of problems. For instance "Sender-ID" from "spamste

Sender-ID back from the dead ...

[ggvaidya]

... just in time for halloween! :D

noddy explanation

[smallguy78]

Can anyone explain to a non-sys admin how sender-id will work, or a link to a noddy explanation

SenderID was never dead

[wayne]

About a month ago, I posted the following message to the MARID list:

http://www.imc.org/ietf-mxcomp/mail-archive/msg051 35.html [imc.org]

The war, of course, is not over. The IETF (Ted, and maybe the former co-chairs?), Meng, and MS (Harry, Jim, Bob, et al) appear to have learned nothing from what has happened. They have done an end-run around the working group last call by closing down the working group, but they are still pushing ahead with the PRA under the current license. Apparently, they think that when the "individual" I-Ds are submitted to the IESG and there is an IETF-wide last-call, things will go better. I don't see it.

One definition of insanity is doing the same thing again and again and expecting different results. Under this definition, Ted, Meng, Harry, Jim, et al, are acting quite insane.

I see four choices:

1) Forget about getting a de-jure standard.

2) Drop the PRA.

3) Change the PRA license to be compatible with F/OSS MTAs.

4) Find one or more widely accepted alternative to the PRA that covers the 2822.From: identity so that people can reasonably choose between the PRA and the alternatives.

Ted, Meng, Harry, Jim et al: PLEASE! Wake up and smell the coffee! We need a anti-forgery system that protects the 2822.From: identity, we don't need another two-week blowup when the IESG last-call happens.

It appears that my predictions are coming true. Meng, MS and the IETF shut down the MARID WG so that they could more easily push the patent encumbered SenderID through. They no longer have to deal with a WG last call.

Expect more steps to happen after IETF-61 when the individual drafts will be "reviewed".

Re:What is a standard?

[TiggsPanther]

From what I can tell, it looks like MS want their idea to be the standard, yet they also want their idea to be one that you have to pay for a license to use.
Basically having what everyone uses and getting paid for it. Plus if, as it seems, the license is incompatible with F/OSS MTAs then suddenly any non-commercial offering has a damn hard time competing with "what everyone else uses".

It's like MP3 or ISO-MPEG4. Both are, I believe, published standards. Both also require a license to use. Which is why so

from senderid faq

[smallguy78]

Q2: Doesn't having a patent on Sender ID complicate the process of getting it adopted as an IETF standard? A: No. It should not. There are dozens and dozens of patent rights that have been disclosed to the IETF that may cover IETF standards. See http://www.ietf.org/ipr.html for a complete list. We are not aware of any of these patents complicating the standards process especially where the patent owner has provided an assurance that it would make licenses available on a royalty-free basis with other reasonable and non-discriminatory terms and conditions as Microsoft has done here.

This is getting dumb

[SamMichaels]

Why are we still going back and forth over this? MS tried to take another idea, tweak it, and make it their own.

SPF, while not perfect, is already used in production servers (AOL anybody?) and with the advent of SRS, works pretty well.

My meaningless, insignificant, 2 domain email system:

mojo:/usr/exim# cat exim_mainlog.0 | grep SPF | wc -l
97

Most are AOL, earthlink or netzero. Funny how I don't see SPF records for microsoft, hotmail, etc.

but there _is_ no point.

[nblender]

What's the point of knowing that a piece of incoming mail is coming from a mail server that is registered to come from the domain it is reportedly coming from? Since 90% of spam is being sent by zombie PC's these days; the virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox. Voila; instant spam from a legitimate mail server. Oh but I'm wrong, you're going to tell me; because the user needs to authenticate with the mail server for every piece of mail he sends. Well, show me someone who types in their SASL password _every_single_time_they_send_a_mail. So now the virus writers just have to exploit bugs in the MUA (probably by passing a draft message to the "send_mail" function in some DLL; that will dutifully pull the stored password out of the MUA configuration, and send the mail. Even if you force someone to type in their password for every piece of mail, there are keyloggers that will happily sit there and wait for the password to appear, and then communicate that to the waiting spam-engine..

This isn't that hard to do. sender-id, spf, etc, does nothing. We already know most semi-legitimate spammers are publishing SPF records on their throwaway domains which takes care of the other 10% of spam...

Fix this properly. Declare it within the law to assassinate anyone who sends a piece of spam. Then merely wait.

Re:but there _is_ no point.

[ergo98]

This isn't that hard to do. sender-id, spf, etc, does nothing.

These most certainly aren't total solutions, but they are gradual steps in the right direction (and really SMTP has always been the most absurdly abusable protocol. It's time to harden it a bit). ...virus writers will just go to the extra effort of sending spam out the zombie PC through the owners' ISP mail server, and to your inbox...

When a company like AOL or GMail commits to schemes like SenderID, SPF, or DomainKeys, they are effectively de

Re:but there _is_ no point.

[Fulcrum of Evil]

Since 90% of spam is being sent by zombie PC's these days;

The really big spamhauses have dedicated facilities, TYVM. Makes you wonder exactly why they are so hot for SPF.

Re:but there _is_ no point.

[jerdenn]

Most ISP's throttle the SMTP connection severely when >100 messages are sent at any given time. So, sending through the ISP's mail server isn't usually a viable option for spammers.

"resubmitting" means nothing to IETF

[keithmoore]

Vendors are always issuing press releases that they're "submitting" or "resubmitting" something to IETF. As far as IETF is concerned, this means exactly nothing. Anybody can submit an internet-draft on any topic related to Internet protocols, and it has exactly the same effect as if Microsoft does so. Just because you submit a draft doesn't mean that anybody is going to look at it. In this case, there isn't even an open working group to consider the topic. So the significance of Microsoft resubmitting a SenderID draft to IETF is minimal at best.

Not just AOL

[stimey]

There's a dozen other companties that support microsoft.
You can see a list here [microsoft.com]
Funny thing to see AOL is not in that list.

Well, it does show their true colors

[rspress]

The idea of Sender ID is a good one and it should have been a chance for Microsoft to give back to the community at large by making this a free, open standard. Of course most of the malformed email spam is sent from Microsoft based operating systems so I guess MS should make money on both side of the issue.

The fact that Microsoft is pushing this is one of the reasons it will never work. No one will trust Microsoft not to abuse their own system. If some company were taking on Microsoft all they would have t

Re:First Post

[bcrowell]

Sender ID rocks, if its implemented properly.
SenderID is Microsoft's name for its patent-encumbered variation on SPF.

Too bad spammers will just start registering domains and using them semi-legitimately.
The real point of SPF and Sender ID is to make it hard for spammers to forge their "from" addresses, so that blacklists and whitelists can be more effective. Adoption or lack of adoption by spammers doesn't really have much impact on the success of SPF.

Re:First Post

[rastachops]

DomainKeys [yahoo.com] is a much better proposal, using DNS to publish public keys and then signing a hash of the message with the servers private key before sending. The client then looks up the public key via DNS and can verify the senders domain.

It was covered on Slashdot a little while ago, under the heading that GMail has started to use DomainKeys. Link. [slashdot.org]

Re:First Post

[pjt33]

Sender-ID may do that: SPF addresses the authenticity of the MAIL FROM SMTP command rather than the headers.

Re:First Post

[infra-red]

<Sarcasm>Your so right. Lets put off deploying something that might be able to make a dent until we have the ultimate uber solution that solves all the worlds problems and will get me a date.</Sarcasm>

One thing this could do would be to stop the flow of spam/worms from broadband customers. That right there would have a huge impact on everyone.

The problem that kills simple things like blacklists from working is that most mail comes forged, if you can kill the forged mail, blacklists become

Re:First Post

[eric76]

Sender ID handles nothing that DomainKeys cannot handle better.

One thing this could do would be to stop the flow of spam/worms from broadband customers.

To slow down the spread of viruses/worms, the service providers need to: 1) Block all outward SMTP connections that do not originate from their own mail servers. 2) Scan outbound e-mail through their mail servers for viruses/worms.

The ISP where I work already does the first. We were also one of the early ISPs to close our open relays. We also make sure

Re:

[account_deleted]

Comment removed based on user account deletion

Re:First Post

[mattjb0010]

How, exactly? It can only ever be used to tag spam, since there are quite legitimate uses for sending emails with domain X with a non-domain X sending MTA -- since relaying is a bad thing and SMTP AUTH isn't an option for me as I can't connect directly to the proper MTA due to firewall restrictions. Since it can only be used for tagging, it doesn't mitigate the costs of receiving spam. It's far simpler and cheaper just to 550 reject spammy ISPs. SPEWS anyone?

Re:First Post

[blowdart]

It can only ever be used to tag spam

What utter tosh.

1. No-one is forcing you to publish SPF/SenderID records, so you can leave your domain unencumbered and SPF filters will never touch you
2. If you have non-domain X sending MTAs you can always add them to your SPF record anyway
3. You can always open that firewall to allow SMTP AUTH
4. Relaying is not, in theory, a bad thing. Open news servers are not, in theory, a bad thing, gun ownership in theory is not a bad thing. But there are always those who will happily abuse facilities.

Just because you can't use SNTP AUTH because of a firewall don't try to dictate how everyone else should use SPF.

Re:First Post

[kwerle]

You forgot [at least] one:

5. You can just add an SPF record for your IP address and you're set.

And a falsehood:
SPF doesn't tag spam, and has nothing to do with it. It just makes it impossible to fake a sender address from a domain with proper SPF records.

Re:First Post

[mattjb0010]

SPF doesn't tag spam, and has nothing to do with it. It just makes it impossible to fake a sender address from a domain with proper SPF records

Come back when you know how SMTP works. I can set any domain in the from address when I connect to your SMTP server. You have three options: use the SPF records of that domain to block or tag the email, or do nothing.

Re:First Post

[SillyNickName4me]

> Come back when you know how SMTP works. I can set any domain in the from address when I connect to your SMTP server. You have three options: use the SPF records of that domain to block or tag the email, or do nothing.

So, you can block mail that comes from a 'not authorized to send' smtp server, you can tag it (for exampel for usage by a spam filter later on) or do nothing..

In none of those cases you tag spam, in 2 of those cases you deal with the forged sender issue, and in the 3rd you do nothing.

Wh

Re:First Post

[dossen]

And if my server checks the SPF record of the domain in your 'MAIL FROM' against your IP before allowing your SMTP transaction to proceed, how exactly will you be able to fake a message from a SPF-enabled domain? Either the envelope-from is valid or your mail is dropped before you even sent it (provided the SPF-record of the domain is in order). If you set your From: header to be different from your envelope-from, that could be checked at a later time (e.g. procmail or some spam-filter). But the purpose of

Re:First Post

[takeya]

I have a question about this:

what about people like me who use my domain address for sending mail? I send my mail via horde at the domain, via Yahoo! Mail interface, via Opera M2 with my email (not return) address set to my domain address and even sometimes at mail2web.

Yahoo would use Yahoo SMTP servers, Opera would use my ISPs and only Horde would use the real mail.domain.com IMAP server. If they unblocked ISP STMP servers for this sort of thing... wouldn't that just defeat the purpose? Because they're u

Re:First Post

[AuMatar]

And if you don't have control of your DNS server? The vast majority of people don't. If my ISP blocks everything but their server and I want to put my work address on an email, do you think I can really get my employer in an 80K employee company to add my ISPs mail server?

Re:First Post

[mattjb0010]

I don't get any say over the policies, so none of your "solutions" work. If you want to use SPF to block, that's fine, I'm just pointing out there are cases where legitimate email can only originate at non-SPF Ok'd MTAs. I wouldn't block using SPF, I'd tag, except tagging doesn't stop the costs of spam.

Re:First Post

[blowdart]

Maybe I didn't explain it very well then. If I can use the example of my local setup.

If you connect to me I do a bunch of dnsBL checks. If you pass those then I'll do an SPF lookup. If, in your case, you don't have an SPF record then the mail goes though (to spam assassin). If you fail an SPF check because you're "spoofing" a from address for a domain which has valid SPF lookups then you get rejected.

Your cases where your MTA has no SPF has no effect, the mail gets passed through because you did not fail. I'm not blocking on a "must pass", that would be insane. So why is blocking like this bad in your eyes? You seem to think that people only tag, wrong. People reject on *fails*. A domain which does not have an SPF record is not a fail.

Re:First Post

[blowdart]

You seem to be assuming that everyone who has a legitimate reason to spoof "from" addresses also has control of the firewall and DNS entry, or the ability to influence SenderID policy. This is very rarely the case.

No I'm not. If you don't have control over the firewall or DNS then you don't have the ability to produce an SPF entry anyway.

I am assuming that if you have the technical ability to have an SPF entry then you also have the ability to setup SMTP AUTH, a VPN to your server or any other way to su

What does Sender ID add to SPF?

[Nit Picker]

Could someone please point me to a brief explanation of what Sender ID gives you that SPF doesn't. I thought they both just allowed you to verify that the "From" header line is consistent with the IP that the mail originates from.

Re:What does Sender ID add to SPF?

[Deorus]

Sender ID is just SPF on steroids. E.g.: SPF points out the systems which can be used to send E-mail from a given domain while sender ID adds an additional algorithm (the PRA) which verifies if a given E-mail forwarded by mailing lists, .forward files, or relays (to name a few examples) is legitumate. Mailing list hosts may not have permission to send E-mails from your host, but they can specifically tell who they are and that they are just forwarding agents, thus making themselves responsible for the message and leaving you (the receiver) with an option to block E-mail coming from a particular forwarding domain (e.g.: the mailing list's domain) or from a particular sender domain.

In other words: the sender ID allows you to do almost everything you always did with your MTA but adds some authentication to the process. SPF alone would limit you to a single host or network, or force you to clearly specify which addresses could forward messages from your domain, which is not practical if you are using your ISP's domain to communicate with the Linux Kernel Mailing List, for example. Sender ID addresses this limitation.

Re:What does Sender ID add to SPF?

[Deorus]

Ok, my previous post is rather confusing, so I'll try to rewrite it.

When you send a message from the authenticated host A to host B there may be forwarding agents (such as mailing lists, relays, etc.) routing your message, the message is not always direcly sent from host A to host B. With SPF you would be limited to that. You would have to mention (for example) all mailing lists in whom you are subscribed, which is not practical if you are not controlling the domain from where you send your messages. Sender ID addresses this limitation with PRA, an algorithm that computes the last responsible token, which may or may not be the sender MTA, thus allowing messages to be routed the same way they always have been.

For more information about the PRA algorithm, check this PDF [microsoft.com]. I am sorry for my last post. Should use the preview button more often. Please do NOT mod my last post up.

PRA side issue

[NigelJohnstone]

PRA is a side issue, it derives from the message header and so cannot be trusted since it could be faked.

Can I suggest this approach to handle relayed mail:

It doesn't matter if a message from A to B goes via C.

When you accept messages from 'C' and the header says its relayed mail, it is either:

1. A known blacklisted spammer relay.
2. An unknown relay in which case content filtering is used.
3. A relay that implements SPF itself and so messages from it can be treated as already having passed the SPF check.

Re:First Post

[hools1234]

Perhaps we could call it Microsoft ID instead? Why fluff it up with a name, call it as it is. The government gives us social security numbers so they can know who we and track us.. why not let Microsoft have the same power?... um.. because!!

Re:First Post

[hedge_death_shootout]

Perhaps we could call it Microsoft ID instead? Why fluff it up with a name, call it as it is. The government gives us social security numbers so they can know who we and track us.. why not let Microsoft have the same power?... um.. because!!

+4 Insightful?
I'd have thought this might make 'Funny' by the admittedly lenient comedic standards of this forum, but... insightful!?
Oh lordy!

Patents are the problem

[gilesjuk]

Nobody should have patents on core protocols and mechanisms of the Internet. It's just likely to end up becoming a cash cow.

Someone at Microsoft already stated they liked the idea of email stamps, paying a nominal charge per email.

Re:Uh oh...What's that sound?

[commodoresloat]

Over half of you don't even know what Sender ID is or how it works.

What are you talking about? Why is that relevant? Didn't you see "Microsoft" in the article summary? And, as if that wasn't a clear enough message what to think, it also said "AOL." Sender ID is bad bad bad. Not only won't it work, it represents the most insidious kind of fascism. An open source solution would obviously be better, and more liberating.

Slashdot.... Fuck yeah!

Matt Daemon.

Re:Uh oh...What's that sound?

[R.Caley]

Over half of you don't even know what Sender ID is or how it works.

This is actually irrelevent. The problem is not with the technical details but the legalities. So long as there is a patented technology included without a universal right to use for any purpose, the proposal stinks and needs to be kicked in the head.

Re:Tax dollars at work

[Oligonicella]

God. Can't you people with political axes to grind keep to forums discussing such. Are your brains so tiny that they cannot conceive that there are other discussions going on dealing with other issues?

Naw. That'd be too much to ask.