Hotmail To Junk Non-Sender-ID Mail
William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."
Stop using Hotmail (Score:2, Insightful)
Re:Stop using Hotmail (Score:4, Insightful)
Re:Stop using Hotmail (Score:3, Funny)
Re:Stop using Hotmail (Score:3, Funny)
Re:Stop using Hotmail (Score:3, Interesting)
Re:Stop using Hotmail (Score:5, Interesting)
> You still have a trusted list that will redirect straight to the inbox.
According to the SenderID docs from Microsoft, your "trusted list" will NEVER BE CONSULTED -- the INBOUND SMTP SERVER will reject the message if there is no SPF record published, or if the originating mail server is not in the SPF record.
Ergo your filters never run - the message is never delivered to them because it is assumed that the message is spam.
Someone correct me if I'm wrong.
Re:Stop using Hotmail (Score:3, Insightful)
For once, this sounds like a solution I can live with. A lot better than AOL's recent decision to stop accepting mail from mail exchangers with no PTR record. Forward resolution is one thing, getting changes to x.x.x.in-addr.arpa zone
Having to forge one's own address (Score:3, Insightful)
It's not exactly difficult to add an SPF record for your mailserver
Unless your primary e-mail account is with a provider that offers POP3 and IMAP but not SMTP (e.g. spamcop.net), and you must forge your own address through your ISP's outgoing server. Or unless your primary e-mail account is with your ISP and your ISP hasn't implemented SPF. How should one handle that situation?
Re:Stop using Hotmail (Score:5, Insightful)
Re:Stop using Hotmail (Score:3, Insightful)
Re:Ambiguous praise (Score:2)
What exactly does this have to do with sender-id?
Neither SPF nor sender-id will do *anything* towards stopping spam (or any useless email.)
Re: (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Yes, but don't tar SPF with the same brush (Score:4, Insightful)
SPFv1 is an anti-forgery system that works. It does not claim to do anything whatsoever to stop spam. But, preventing forgery is necessary before you CAN do anything to stop spam (think about it).
SenderID, AKA SPFv2(pra) is an attempt by Microsoft to seize control over an open standard (SPFv1) so that they can control who gets to send email and who doesn't. They claim it prevents forgery (but it doesn't) and that it does not break some forms of forwarding the way SPF does (they lie) and that it is open (actually, they've submarine-patented parts of it) and that it is an anti-spam measure (which it wouldn't be even if it worked).
Once someone really understands these two facts, all becomes clear. The 800-pound gorilla is beating its chest and waving its tiny pecker around, hoping you will either be afraid enough to adopt MS-controlled SenderID, or outraged enough to not adopt open, useful SPFv1.
For more information you might want to read some SPF-discuss list threads [gossamer-threads.com].
Re:Ambiguous praise (Score:3, Insightful)
It is true that SPF will not stop spam on its own. As part of the whole puzzle, SPF is best used along with a reputation system if you want to stop spam.
There are some problems for legitimate senders, and they are confined to situations where there is unknown or uncontrollable forwarding going on. There are ways around these problems too (SRS et al...)
Another problem is that M$ is try
Re:Ambiguous praise (Score:4, Insightful)
Bullshit. It will do no such thing.
Most spam comes from trojaned machines (zombie networks), and there is *NOTHING* that will stop the trojan authors from simply having the zombie do a whois lookup and setting the return address to something that will bypass sender checks (even if it means sending through an upstream mail server.)
Result? The From: address will still be forged, legitimate forwarded email is stopped, nobody wins.
Look over your SPAM headers, and you'll see, most of the return-addresses do not match the machine that relayed the message.
Which *WILL NOT CHANGE*, even with SPF.
And as someone else said, there is *nothing* to stop a spammer from spending $10 to register a domain, spamming for a week or two using Sender ID/SPF legitimately, then abandoning the domain if it gets blacklisted.
If you think this is an anti-spam measure, then you really don't have a clue as to how email operates, or how spammers operate, or both.
Re:Ambiguous praise (Score:3, Insightful)
Yes, everyone can crapflood hotmail through your server (for a short period of time), but the flood
Re:Ambiguous praise (Score:3, Insightful)
Let's run through it. I want to send spam from buymycrap.com e-mail addresses to hotmail users.
I have a buddy at buyhiscrap.com who has a mail server he'll let me use.
I add an spf record for my domain that says "yes, the buyhiscrap.com mail server is allowed to send mail for the buymycrap.com domain".
I start spamming hotmail.
Hotmail says "don't accept any e-mail from buymycrap.com e-mail addresses"
I can only send e-mail from spf-validated mail server
Re:Ambiguous praise (Score:5, Informative)
They tried to get a standard in place that could not be implemented with open source. There's restrictive licensing and I think a patent as well. This is a move to benefit their Server business to the detriment of Open Source Mail servers everywhere.
Since they wouldn't drop the restrictions against open source, the initiative was refused. So now they are going to use their marketing muscle to force it down our throats as a de facto standard anyways.
Microsoft's gesture could be characterized more as a middle finger than an olive branch.
Re:Ambiguous praise (Score:3, Interesting)
we need a "get in" based system and I t
Re:Nothing wrong with that (Score:5, Informative)
That's not how SenderID works. The emails that fail validation will be refused. They will not be forwarded to a user's spam folder.
Microsoft can push SenderId all that they want. All that they will accomplish is excluding their domains from useful communication. This will be rolled back in under 60 days, if it is implemented at all.
I can't think of any companies that are going to make considerable modifications to their email systems just to please Microsoft (or any other for that matter). Furthermore, the use of SenderId/SPF breaks some email delivery features (such as forwarding).
I think that it's great that a company like pobox.com is financing the implementation of SPF on the OSS side, but I don't expect a wide-spread adoption given the administration costs. Also, I feel compelled to ask, is Microsoft truly doing this to combat spam or do they want to force people to upgrade to Exchange 2006? And SenderId itself will never become a standard protocol as long as M$ owns it. There is too much concern that they would try to lock out OSS from implementing a protocol that they own the rights to.
It's a valid cause but the implementation is flawed and doomed for failure.
Re:Nothing wrong with that (Score:3, Insightful)
What administration costs? It took about 10 minutes for me to create and install an SPF record for my site.
As for supporting it on the other side, future releases of mail software will do so the next time I would have upgraded anyway.
I'm all for it. You would not believe the number of phishing emails, purporting to be from my site, that say, "Your account information is enclosed. Please open and read."
It may break s
And then... (Score:2)
Re:And then... (Score:2)
GMail and Yahoo could get a huge boost in their userbase from this *or* MSN could gain users as the spam level drops to near zero.
Thing is, do I really want to worry about my GMail storage capacity if more people leave Hotmail in droves?
Re:And then... (Score:2)
It could go both ways. People do this all the time with IM.
Re:And then... (Score:4, Insightful)
I tell the person in the first e-mail (from the Hotmail account) to make my GMail address a contact - therefore whitelisting it. I also usually send a GMail invite their way once they whitelist me.
One little problem: MSN Messenger (Score:5, Insightful)
Re:One little problem: MSN Messenger (Score:4, Informative)
It's called Gmail Notifier (Score:3, Informative)
Re:One little problem: MSN Messenger (Score:3, Funny)
Re:One little problem: MSN Messenger (Score:5, Interesting)
I think this is what happened: ICQ took a strangle-hold of Canada. Backwards Americans missed the boat. Then, Mirabilis/AOL ran ICQ down the tubes by bloating it into a monstrous, crufty piece of crap. As a reaction, users migrated to the IM program that was already residing on their computer (and, at the time, launched automatically when you opened OE).
GAIM is the solution (Score:3, Interesting)
That's why GAIM [sourceforge.net] is the answer. Everyone I've given it to loves it. GAIM is one of the most useful OSS apps available on Windows. Its handling of multiple IM protocols simultaneously easily trumps all other clients.
Well, what were you expecting? (Score:3, Insightful)
Who uses hotmail? (Score:2, Interesting)
Re:Who uses hotmail? (Score:5, Interesting)
There are a large number of people who haven't heard of Gmail. These are people who use the Internet to casually browse, and who check their email every other day. Hanging out in the geek community, it's hard to believe people don't know their alternatives - but it's true!
Many of these people view email as a very set-in-stone thing. Their friends and family all know their Hotmail address, and all their favourite newsletters are delivered there. To them, it's a huge pain in the arse to switch addresses. It's almost unthinkable.
It's these people that will happily put up with whatever Microsoft does to Hotmail, just so they don't have to bother with all this technical nonsense.
Hotmail has one good feature (Score:2)
It has the ability to white list. There's an option to send everything into the bulk folder except for mail coming from someone on your address book. Gmail and Yahoo are pretty good with sorting spam and I use them for personal mail. But for conferences and conventions, I use my hotmail address, and white list the few vendors I want to hear from, and all the others I scanned to get swag get routed right to the bulk folder. Great feature, definitely worth
Re:Who uses hotmail? (Score:2)
BTW, many of the "hotmail spam" is not "hotmail spam", it's just normal email with the "from" address faked. Also, hotmail has already been using spam filters for a long time.
Re:Who uses hotmail? (Score:3, Interesting)
Yes. A lot of ordinary users use it. Examining a database of customer addresses from people who have contacted technical support where I work, I see the following:
Those are all the ones that are above 1%.
I can't seem... (Score:3, Funny)
Brilliant Move Microsoft. I salute you! (Score:5, Funny)
Re:Brilliant Move Microsoft. I salute you! (Score:2)
Once I'm able to explain why they've suddenly stopped receiving most of their stuff over at Hotmail, it'll be a lot easier to use up those invites.
Re:Brilliant Move Microsoft. I salute you! (Score:3, Informative)
Unless, of course, hotmail doesn't like gmail's SPF records =)
Re:Brilliant Move Microsoft. I salute you! (Score:3, Interesting)
I've had the same Yahoo address since about 1998. It's followed me from ISP to ISP, and country to country. I got sick of constantly changing my email address, be it personal, work or academic, which was my main reason for sticking with Yahoo. On top of that, they forward all email to my personal domain account, and tag spam in the process. I only use the web interface when I'm on the road, although
Re:Brilliant Move Microsoft. I salute you! (Score:3, Funny)
They're not evil.
Re:Brilliant Move Microsoft. I salute you! (Score:3, Interesting)
Do you think Yahoo would have given you those two gigs if gmail hadn't done it first?
"Maybe you're just gullible and will jump at every piece of marketing foisted in your direction ;)"
And how much marketing has Google given gmail? Absolutely none.
Re:Brilliant Move Microsoft. I salute you! (Score:3, Informative)
And that's a reason to switch to Gmail? I think not.
"And how much marketing has Google given gmail? Absolutely none."
And what do you call this whole thing with invites? It's viral marketing. It's much more subtle than traditional approaches, and clearly sneaked past your marketing detector.
Re:Brilliant Move Microsoft. I salute you! (Score:3, Informative)
And if more people would use them, I'd get fewer bogus bounce messages. They're annoying, and it's not that hard to DDoS my mail server by sending out a few zillion messages with known bogus addresses and a forged from address through one's favorite botnet.
People that configure them to 'soft fail', now that's pretty worthless.
Re:Brilliant Move Microsoft. I salute you! (Score:4, Informative)
Anyone who makes statements like this truly doesn't understand the purpose of SPF.
It's "sender policy framework" - not "spam prevention framework."
SPF isn't designed to stop spam, why is that so hard to understand? It's just used to make sure that whatever domain an email was sent from, that the envelope sender matches. That's it. End of discussion.
This doesn't stop spam, but it makes sure that no one can forge an address from your domain, unless it was really sent from your domain.
If everyone respected it, your users wouldn't be getting any more phishing scams from "someuser@paypal.com" - or "attn@bankofamerica.com".
You're going to sit there and tell me that it's "not useful"? Get your head out of the sand.
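The check described in the comment above, sketched as an added example (not part of the original post and not any SPF library's code): it evaluates a subset of SPF mechanisms (`ip4`, `ip6`, `include`, `all`) for the envelope sender's domain against the connecting IP. The DNS data, domains and addresses are all constructed for illustration.

```python
import ipaddress

# Constructed DNS TXT data; every name and address here is made up.
SPF_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 include:_spf.isp.example -all",
    "_spf.isp.example": "v=spf1 ip4:198.51.100.25 -all",
    "lenient.example": "v=spf1 ip4:203.0.113.5 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # cap on DNS-querying mechanisms per evaluation


def check_host(client_ip, domain, _count=None):
    """Return the SPF result of `domain`'s policy for the connecting address."""
    count = _count if _count is not None else [0]
    record = SPF_TXT.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # the domain publishes no SPF policy
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled in this sketch
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            count[0] += 1
            if count[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_host(client_ip, arg, count)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # an included "fail" only means "no match here"
        else:
            return "permerror"  # a, mx, ptr, exists: not implemented in this sketch
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"


def spf_result(envelope_sender, client_ip):
    """SPF looks at the envelope sender (MAIL FROM), not the From: header."""
    return check_host(client_ip, envelope_sender.rsplit("@", 1)[-1])


# Constructed scenarios: (envelope sender, connecting IP).
SCENARIOS = {
    "domain's own server": ("alice@example.org", "192.0.2.5"),
    "ISP relay listed via include": ("alice@example.org", "198.51.100.25"),
    "unlisted host using the domain": ("alice@example.org", "203.0.113.77"),
    "forwarder keeping the envelope sender": ("alice@example.org", "203.0.113.40"),
    "unlisted host, softfail policy": ("bob@lenient.example", "203.0.113.77"),
    "domain with no record": ("carol@norecord.example", "203.0.113.77"),
}


def run_scenarios():
    return {label: spf_result(*args) for label, args in SCENARIOS.items()}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label:40s} {result}")
```

The forwarder and the unlisted host get the same `fail`, which is the forwarding breakage raised elsewhere in this thread: from the connecting IP alone the receiver cannot tell them apart.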
Re:Brilliant Move Microsoft. I salute you! (Score:4, Interesting)
I have a domain, glitterandtwang.org, which is hosted by suffusions.net. Suffusions.net has an SMTP server, but it requires authentication (in the form of having checked your email in the last 15 minutes over POP) and so I use my ISP's SMTP server. So my email is from dexter@suffusions.net, but it's sent from adelphia.net... am I going to be shitlisted by everybody with SPF and Sender ID?
Re:Brilliant Move Microsoft. I salute you! (Score:4, Informative)
Re:Brilliant Move Microsoft. I salute you! (Score:3, Interesting)
This doesn't stop spam, but it makes sure that no one can forge an address from your domain, unless it was really sent from your domain.
So, if I want to send mail from my personal domain, won't SPF screw me? I'm on speakeasy and, while they certainly are decent at CS, I doubt they'll add spf records for my domain.
Re:Brilliant Move Microsoft. I salute you! (Score:3, Informative)
(Speakeasy will put reverse DNS on your IPs, if you have statics, which also helps immensely.)
EMAIL IS BROKEN TOO (Score:3, Insightful)
Re:Brilliant Move Microsoft. I salute you! (Score:3, Insightful)
Yes but (Score:5, Funny)
If we all buy Microsoft email servers it will be a standard, won't it.
I don't need Hotmail any more... (Score:2)
Only if other ISPs go along with it (Score:5, Insightful)
Re:Only if other ISPs go along with it (Score:3, Interesting)
Too bad nobody has balls to do that though. MS will own another vital infrastructure by throwing their weight around and shoving down everybody's throats. The rest of the industry will bend over and take it like usual.
It's kind of an abused spouse syndrome. They keep getting slapped around and they are too afraid to leave.
Re:Only if other ISPs go along with it (Score:3, Informative)
As an anti-spammer, I really hope that Hotmail has the cojones to follow through with this. It would be a huge wake-up call to lots of ISPs if millions of emails suddenly get rejected.
BTW, what's the correct SMTP error code to put on a
Big Surprise (Score:5, Interesting)
"We think Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard".
Gee, when's the last time this happened?
Personally, it will only be a matter of time until the spammers figure out a way to get around this. End result: a serious pain for everyone that accomplishes nothing.
Re:Big Surprise (Score:3, Insightful)
A way around what, exactly?
Sender-id is *not* an anti-spam measure. It will do absolutely nothing (as in _NOTHING_ ) to stop spam.
All it does is say "this email comes from a server that the owner of the domain says is OK."
How, exactly, does that stop a spammer from sending spam?
Re:Big Surprise (Score:2)
Do as I say, not as I do (Score:4, Interesting)
Good! (Score:2)
(or did they remove the invite system yet? hehe)
===
We all know what needs to be done about the spammers... *cocking shotgun*
strongarm what? (Score:2, Interesting)
Tom
Re:strongarm what? (Score:3, Interesting)
And Mailinator [mailinator.com] does a better job at throwaway addresses anyways.
Re:strongarm what? (Score:5, Interesting)
I have a g-mail account, it's pretty awesome and probably better than hotmail... but one feature that hotmail has over other web-based e-mails is easy integration with a fat-client e-mail system.
I've yet to see a web-based client that can handle my e-mail needs... Even MS's OWA isn't a replacement for outlook.
I know there will be a flurry of flames about using outlook, etc etc... but the bottom line is that nothing integrates better for my needs, my palm, my blackberry, my non-work hotmail, owa, etc.
My basic point is that there are at least some merits to using hotmail.
Re:strongarm what? (Score:5, Informative)
this one could be a problem for casual users (Score:5, Interesting)
I've had my fun with e-mail spoofing, but now that e-mail is everywhere and used by almost everyone it's probably close to "time" for mechanisms and protocols that make e-mail more trustworthy and difficult to spoof (of course there are always going to be exceptions). But Microsoft contributes little by doing their own end run on the industry.
From the article:
This opens up a huge can of worms... I don't quite get why Microsoft doesn't learn from past mistake^H^H^H^H^H^H^Hefforts. The unwashed masses (read, typical computer users) already deal daily with mind numbing quirky computer behavior (or lack of). For example (and I know I'm beating a dead horse (checkmate!)), Microsoft's morphing menus with chevrons, Microsoft's dumping of random files in random directories to mold their vision of a magical world (how many have been burned by the unexpected "thumbs.db" file in their picture folders?), and bizarro network settings (ever wonder why seemingly every computer in a home network gets configured with bridging?) -- these are just a few examples of things that confuse and irritate typical users, but the ripple effect is into the "support" community (that's us).
Rolling out this semi-baked quasi-standard e-mail device could wreak havoc with the e-mail users. I'm hoping whatever they do it's configured by default to not reject non-ID'ed e-mails. Regardless, unless and until there's a stronger and more mature standard, this one's trouble.
Re:this one could be a problem for casual users (Score:3, Insightful)
On the plus side, I'm hoping that they will accept SPF-Classic, and that my ISP will list one, finally. I'm tired of getting mail bounced because my SPF inclusion of my
It's only fair (Score:5, Funny)
It's only fair cause we already tag mail from those domains as potential spam.
GMail? (Score:3, Interesting)
Anyway, G-Mail is already so superior to Hotmail, in both the interface and spam blocking, I can't imagine why people still use Hotmail.
Re:GMail? (Score:3, Funny)
Re:GMail? (Score:2)
Re:maybe it's because... (Score:2)
And it is a bit worrying as to what Google's long range plans are. As much as I like G-Mail and other Google services, I'm not sure I'd be willing to pay for it.
Damn if they don't, damn if they do... (Score:2, Interesting)
2. Microsoft fights SPAM. Slashdot equally outraged.
Conclusion: Microsoft is always evil no matter what they do.
I bet that if it was a story about Gmail then it would be a great idea, because Google never does evil.
Re:Damn if they don't, damn if they do... (Score:5, Informative)
2. Microsoft fights SPAM. Slashdot equally outraged.
Conclusion: Microsoft is always evil no matter what they do.
Nope, Microsoft isn't fighting SPAM - if they were they'd be cooperating with the "rest of the Internet", instead of promoting their own proprietary scheme - SenderID - that's so un-open as to provoke this comment [apache.org] from the Apache Software Foundation:
Various other disparate organisations have raised similar concerns, eventually resulting in the IETF ditching Microsoft's proposal.
Microsoft, at least in this case, weren't interested in a working solution; they were interested in a Microsoft-friendly, FLOSS-hostile solution. Which is daft, given the open-source nature of most Internet technologies.
Re:Damn if they don't, damn if they do... (Score:3, Insightful)
So? (Score:4, Insightful)
How is this any different?
Home workers (Score:5, Interesting)
Frankly, Sender-ID is a dead duck for many reasons but the biggest is simply that many legitimate emails come from random IPs while plenty of spam comes from infected "authorised" machines.
This is just another, on a thirty-year-long run, example of the fact that when it comes to IT, MS is clueless. Business methods and the law are their fortes.
TWW
Re:Home workers (Score:3, Informative)
Also, require SRS. Sender Recipient Signing is the shit. I used to get metric assloads of joe-job spam at 4 (out of 12) of the domains I own, and now the only joe-job bounces I get are delayed bounces that aren't really bounces at all. SRS proves that the "bounce" you're getting actually came from your server. It's great.
Rejecting mail (Hmm.... sound like Earthlink?) based
Re:Home workers (Score:4, Informative)
Re:Home workers (Score:4, Informative)
In this case, you have your employee connect to your mail server over ssl, usually port 589. Require SMTP auth. Require SSL
Been there, done that. I had to drop this because 90% of my employees use Outlook 2002. And SSL support is broken in Office XP. You need to install office service pack 3 or 4 to actually have it working. That of course is a 20+ MB download, which requires you to have an Office CD on you. My users usually have laptops, and they work in the field where they often only have dialup access. And we don't give them Office CD's - laptops get serviced in the office.
Needless to say, once we switched SSL on no one could send out emails anymore, we had to send every single person a copy of Office XP cd, and instruct them how to do the upgrade.
And that's just the tip of the iceberg. Most of my users use Norton Antivirus which by default scans outgoing emails. It does it by proxying them. So if you have outgoing email scanning enabled, you won't be able to send emails with Outlook with SSL enabled - it's as simple as that.
Consequently, we decided to drop the whole SSL idea. It was just too much hassle for our technologically challenged employees.
Re:Home workers (Score:3, Insightful)
Who will use hotmail? (Score:4, Insightful)
Not to mention you don't have to worry about them trashing your Non-Sender-ID emails.
Re:Who will use hotmail? (Score:3, Interesting)
Good for the gander... (Score:3, Insightful)
So Hotmail can't get mail from me anymore. Boo-frickin'-hoo. What next, AOL doing the same? Then perhaps Yahoo?
Sorry, but until a major provider that matters picks an anti-spam tech, they will accomplish nothing more than effectively depriving their customers from using email.
That's good news... for Gmail (Score:5, Funny)
Wikipedian? (Score:4, Insightful)
Let me guess, the story submitter is a Wikipedian? Let's try to avoid weasel terms [wikipedia.org]. Unlike Wikipedia, Slashdot has no neutrality obligation, but if you want to attack something then be clear about it. Don't be redundant either; if a web standard is not accepted by the W3C (the only real web standards authority), then it is not a standard. Let me show you:
Opponents believe the non-standard 'Sender ID' is flawed, and that Microsoft is trying to force the industry into adopting an incomplete protocol.
See? It's shorter, unequivocal while maintaining all previous meaning. Weasel words do not sanitize an opinion in any way.
-- User:Xmnemonic [wikipedia.org]
Re:Wikipedian? (Score:3, Informative)
This isn't a Web standard, it's an Internet standard (or, rather, non-standard). The correct standards body would be the IETF, not the W3C.
surprise, surprise (Score:2)
Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard.
You mean Hotmail?
(Of course, that statement in general is an excellent short description of Microsoft's strategy to maintain dominance. Maybe add to it "that is proprietarily controlled by Microsoft" at the end, since that's what they'd really prefer. When you're the monopolist or near-monopolist, industry standards that are open are very inconvenient for you.)
-Rob
I am afraid that... (Score:2)
This will get the ball off their court, as they will get regular users thinking that this is a good thing and we should contact the other company to tell them to implement it, thereby slowly penetrating the market with the bull they call an innov
Blimey (Score:2)
I've got 50 gmail invites for hotmail users! (Score:2, Informative)
Thank you Microsoft (Score:3, Insightful)
Well that cinches it... now I can block Hotmail permanently, since they are refusing to deliver mail from my legitimate MX.
There are lots of alternatives to using Hotmail... Gmail, Yahoo mail, and others. Use them instead.
99% of the mail coming from Hotmail is spam anyway, so this gives me more reason to stop the spam coming from Hotmail to my users. I'm protecting my users by blocking Hotmail.
I for one am tired of Microsoft claiming to embrace standards by strangling off the air from the lungs of the real standards bodies. When Sender-ID is a widespread industry standard (i.e. in every MTA without patching), THEN I'll begin working with Microsoft to stop spam.
I will not be strong-armed by Microsoft, ever, especially where it affects MY server and MY users and MY mail. Period.
Until their OS stops being a malware replication engine, their services stop harboring spammers by the millions, and their patches actually FIX problems instead of CAUSING them, they can go pound sand.
Don't underestimate MSN (Score:3, Interesting)
And to use MSN you need a hotmail account.
Google still has a lot of public awareness ground to cover IMO... when I give out my gmail address, some people ask me "so you work for the government?"
SPF spec author says: SenderID is crap (Score:5, Informative)
While both SPF and SenderID break on many forwarded emails, SenderID breaks on many mailing lists also. Moreover, one of the most promising solutions to the SPF forwarding problem (a specialized DNS server, as outlined in section 9.3.1.2 in the SPF spec) breaks when SenderID uses it.
So, SenderID is a patented system that is incompatible with many of the F/OSS mail servers that currently dominate the internet, it doesn't work as well as other technologies, it damages the use of SPF, and outside of MS, it is being used by almost no one.
If this was just a matter of hotmail and MSN hurting themselves, then I wouldn't have any problems with it. However, this appears to be a case of Microsoft working hard to hurt the entire internet email environment.
Re:SPF spec author says: SenderID is crap (Score:4, Interesting)
I like the concept of using cryptographic methods to protect the mail headers and body. I think that is the most promising approach. That said, crypto solutions like DomainKeys are not without problems.
Crypto solutions break on way too many mailing lists and more than a few email forwarders because content is often added (ads on the bottom) or changed (spam/virus filtering), and this breaks the crypto signatures.
There is also a real problem with replaying a message. You just can't distinguish a Yahoo customer sending a message to a large mailing list, and a spammer who signs up with Yahoo, sends a message to themselves, and then redistributes that correctly signed email to their list of 50 million victims.
There are various ways to try and solve both of these problems, but none of the solutions are very clean and probably not very effective.
I think that if there was a nice, clean solution to the forged email problem, it would have been discovered many years ago.
I think the crypto solutions, and things like SPF (or DMP, or RMX, or any of the other LMAP-type solutions) can help each other out. SPF primarily fails on forwarded email, while the crypto solutions primarily fail on mailing lists. If all email uses both, it can help automate the detection of forwarders and mailing lists, and then you can know which system to use for each email.
DomainKeys is not the only crypto solution, there is also IIM, and META-signatures. I actually like the latter two better because I think they handle the problems with mailing lists better. Yahoo and Cisco have announced that they are merging DK and IIM into a single spec, but they haven't released the spec yet, and the details will be very important.
DomainKeys, like SenderID, has two other problems that could cause problems for the F/OSS world of email. First off, Yahoo has patents on DomainKeys and their license isn't (currently) compatible with many F/OSS software. I suspect that Y! will be much more willing to make changes to their license than MS was, but who knows. Secondly, like SenderID, it turns out that DomainKeys is already trademarked by someone else and this could cause lots of legal fun for the parties involved.
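The two failure modes this comment describes, as an added example that is not part of the original post: a signature over headers and body stops verifying once a mailing list appends a footer, yet keeps verifying however many envelope recipients the same bytes are sent to. An HMAC with a constructed key stands in for the DomainKeys public-key signature, and the `X-Demo-Signature` header and the message are made up.

```python
import hashlib
import hmac

# Constructed key: a stand-in for the sending domain's private signing key.
DOMAIN_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ("From", "Subject", "Date")


def _digest(headers, body):
    """Hash the signed headers plus the body, ignoring trailing blank lines."""
    h = hashlib.sha256()
    for name in SIGNED_HEADERS:
        h.update(f"{name.lower()}:{headers.get(name, '').strip()}\r\n".encode())
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1].strip() == "":
        lines.pop()
    h.update("\r\n".join(lines).encode())
    return h.digest()


def _tag(message):
    digest = _digest(message["headers"], message["body"])
    return hmac.new(DOMAIN_KEY, digest, hashlib.sha256).hexdigest()


def sign(message):
    """Return a copy of the message carrying the signature header."""
    headers = dict(message["headers"])
    headers["X-Demo-Signature"] = _tag(message)
    return {"headers": headers, "body": message["body"]}


def verify(message):
    claimed = message["headers"].get("X-Demo-Signature", "")
    return hmac.compare_digest(claimed, _tag(message))


def list_adds_footer(message):
    """What many list managers do: append text to the body before redistributing."""
    footer = "\n-- \nTo unsubscribe, visit the list page.\n"
    return {"headers": dict(message["headers"]), "body": message["body"] + footer}


def deliver(message, envelope_rcpt):
    """The envelope recipient is outside the signed data, so it cannot affect the check."""
    return {"rcpt": envelope_rcpt, "signature_ok": verify(message)}


# Constructed sample message.
ORIGINAL = sign({
    "headers": {
        "From": "alice@example.org",
        "Subject": "Minutes",
        "Date": "Mon, 01 Jan 2024 10:00:00 +0000",
    },
    "body": "See attached notes.\n",
})


def demo():
    replayed = [deliver(ORIGINAL, f"rcpt{i}@example.net")["signature_ok"]
                for i in range(3)]
    return {
        "direct": verify(ORIGINAL),
        "via_list": verify(list_adds_footer(ORIGINAL)),
        "replayed": replayed,
    }


if __name__ == "__main__":
    print(demo())
```

A receiver can therefore read a valid signature as evidence of which domain signed the content, not of who the message was meant for, so it still has to be paired with reputation or rate data about the signer.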
No USE Hotmail (Score:3, Funny)
Look, I don't mind M$ doing stupid things like this. How big of a share does Hotmail have? Probably not much. The more people have problems with it the more they'll stay away. Even better! I live for the day M$ is reduced to an applications company. Where Windows no longer exists. Where THEY are dependent upon licenses from vendors. Total destruction would be nice but I can live with "just another player."
I'm convinced M$ is inherently evil. Like murder, molestation, Satan, Eminem. The world would be much better off without it.
Re:Not a big deal. (Score:2)
Your e-mails will be trashed, why bother stopping sending them ? Continue as you did before.