As the next step in implementing its Sender ID antispam technology, Microsoft has modified Hotmail so users will see a warning on all messages from unregistered domains. The move could reduce the amount of spam faced by Hotmail users, and eventually spur wider adoption of Sender ID (or supporting technology), making it more difficult for spammers to conduct their business. For now, however, lack of universal support for Sender ID could result in needless warnings, diluting their usefulness.

Not Universally Supported

Sender ID is designed to stop spoofing, a tactic often used by spammers in which the sender forges header information on an e-mail message to hide its true origin. Sender ID works by requiring the owners of mail servers to register the IP addresses of their e-mail servers as Sender Policy Framework (SPF) records in the Internet Domain Name System (DNS, which is used to resolve domain and computer names to the IP addresses needed to route data to its destinations). Then, a mail service provider can check incoming messages against the SPF records to determine if the headers are forged.

Sender ID is based on two previously proposed technologies: SPF, created by Meng Wong of pobox.com, and Microsoft's Caller ID. The Internet Engineering Task Force (IETF) has considered making Sender ID a standard, but the process stalled when open-source advocates objected to Microsoft's patents and licensing terms for certain aspects of Sender ID.

Meanwhile, Yahoo has developed its own e-mail sender authentication technology, DomainKeys, which relies on encrypted e-mail headers. DomainKeys has been implemented by Yahoo Mail and Google's Gmail service, and in June 2005, Cisco agreed to merge its own antispam proposal into DomainKeys. Technically, the two technologies are not competitors—a business or ISP could support both—but many companies have opted to wait until one of them becomes dominant.

As a result, only about 1 million out of the more than 70 million Internet domains worldwide have published SPF records. Nonetheless, because AOL and some other large ISPs support SPF (but not the full Sender ID specification), approximately 30% of all e-mail messages map to an SPF record, according to e-mail filtering company MessageLabs.

Hotmail Adds Warnings

Since Jan. 2005, Hotmail has been using Sender ID to identify spoofed messages, and considering this among other factors (such as keywords) to determine whether a message is spam. However, because so many senders lack SPF records, this technique has been only moderately effective.

In June, Hotmail upped the ante: it began displaying alerts on all messages from senders who lack an SPF registration—regardless of whether other factors indicate that the message might be spam. If users click on a link in the warning, they are taken to a page with more information about Sender ID and phishing.

This move increases the pressure on businesses and ISPs to create SPF records. Otherwise, any message sent to one of Hotmail's 190-million-plus accounts will contain a warning that could cause users to discard it.

If Hotmail's support for Sender ID leads to wider adoption of Sender ID and SPF, it could have an effect on spam across the Internet, not just on Hotmail. In particular, widespread adoption of these technologies could eliminate phishing attacks, in which a con artist attempts to gather users' personal information by posing as a legitimate business (like a bank or an online auction site). In addition, although spammers can create SPF records and send spam from legitimate domains, ISPs and users will be more easily able to block these messages if their true origin is not disguised.

Resources

Microsoft's Sender ID page is www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx.

To create an SPF record, see www.anti-spamtools.org/SenderIDEmailPolicyTool/Default.aspx.

The standardization effort for Sender ID is discussed in "Antispam Standard Stumbles on Patent Issues" on page 35 of the Nov. 2004 Update.