RealTime IT News

IETF Prepares To Forward Sender ID

The Internet Engineering Task Force (IETF) is set to nominate Sender ID -- a consolidated e-mail address anti-spoofing technology -- as an Internet standard during its working group meeting Wednesday.

Sender ID is the consolidation of Microsoft's Caller ID for E-mail and Meng Weng Wong's Sender Policy Framework (SPF).

SPF is essentially a list of computers or servers (every Internet-connected machine has its own IP address) that are verified to send e-mail from a particular IP address. For example, if AOL verified that only one server, with an IP address of 123.456.7.8, was authorized to send @aol.com e-mails, any other IP address using @aol.com would be rejected. Caller ID, Microsoft's technology, demands essentially the same thing but formats its DNS records in an XML format, rather than SPF's plaintext.

The power of the specification depends on its adoption: The more DNS administrators who publish their valid IP addresses and send from them, the less spammers are able to spoof e-mail address headers to get past e-mail filters.

Despite several other standards championed by other groups, the MTA Authorization Records in DNS (MARID) will focus only on Sender ID, resolving any lingering technical or legal issues before passing it up to the Internet Engineering Steering Group (IESG). The IESG will look for any security issues before passing along the proposed standard to the IETF for a "last call" before its release as a proposed standard.

Andrew Newton, co-chair of the IETF's MARID working group, said Sender ID is on the fast track because of interest within the IETF, and any comments from the IESG over potential security issues should be released within a month. He said the working group decided to focus on the technology because of the interest in getting an anti-spam standard out soon. According to the MARID Web site, August is the self-imposed deadline for sending a proposed standard to the IESG.

It's a letdown for those in the anti-spam community who had hoped the working group would look at another proposed specification, the Client SMTP Validation (CSV) scheme. CSV is similar to Sender ID technology, in which the receiving SMTP server "grades" the sending SMTP client e-mail by accessing a database of valid IP addresses. Too low a grade will bounce the e-mail back to the sender with an explanation.

"The problem is, we have a short timeline for meeting that first milestone of having something as a proposed standard," Newton said. "So, if we discussed both at the same time, we would probably end up in a very confused state."

Newton said the CSV specification compliments Sender ID and will be discussed after Sender ID is standardized; he didn't know when that would be.

Most of the talk surrounding Sender ID, specifically the SPF portion, is positive. Scott Perry, software engineering director for anti-spam vendor Computerized Horizons, maker of the Declude product line, said that once enough domain owners are using Sender ID, Microsoft's proposal creates an extra obstacle for spammers to deal with before they can blast out an e-mail marketing campaign.

"Once critical mass is reached, and there are enough domains that are publishing the SPF records, enough people using the Sender ID, it's going to force spammers to go out and buy their own domain names," he said.

Once spammers are forced to buy their own domain names, it will be much easier to track down originators of the spam. That's the hope, anyway.

In reality, e-mail authentication via SPF records will cut off one avenue but leave other options. Finding out who is sending the spam and having that person arrested, for instance, will not become any easier.

WHOIS records remain a barrier to investigators trying to track down the owners of individual domains conducing illegal activities. In many cases, the owner and contact information is false, and, since many of the registrars who sign up new domain name owners use an automated process, it's difficult to find the owner after the fact. In March, the Internet Corporation for Assigned Names and Numbers (ICANN) reported 16,045 Internet domain names had incorrect contact information, though it's hard to determine whether the errors were intentional or not.

The ease of getting a new domain name, or ditching one and getting another, will lead to the next wave of spamming techniques: disposable domains, said Suresh Ramasubramanian, coordinator for the Asia-Pacific Coalition Against Unsolicited Commercial E-mail (CAUCE.

"Domain names are cheap enough and easy enough to attain that they're practically disposable," he said. "In the long run, if SPF catches on, throwaway domains will become much more popular."

Rumors indicate Microsoft could hold up adoption of its own anti-spam technology proposal at Wednesday's meeting, internetnews.com has learned, a delay that could set the process back as long as a month.

A source close to the events, who asked to remain anonymous, said he learned of the development from Microsoft officials directly involved in the process while attending the Conference on E-mail and Anti-Spam in Mountain View, Calif., last week.

"They anticipate that due to internal political wrangling, it's probably going to be another month before that RFC is agreed on," he said. "There's no guarantee one way or the other, but from what I'm hearing, there is a doubt that it will be passed on [at Wednesday's meeting]."

It's clear not everyone is enthused about Microsoft's inclusion of Caller ID with SPF. SPF, used by about 50,000 domain owners throughout the world, does not have any conditions attached to its use. Caller ID, however, includes a Microsoft patent-license agreement for software developers that some find cumbersome and unnecessary. (The license doesn't affect organizations that use the specification to publish their Sender ID records.)

Critics such as boycott-e-mail-caller-id.org and the Free Software Foundation complain that Microsoft's spec is encumbered with unclear and unnecessary patent claims.

It's possible the licensing agreement is nothing more than a protective measure for Microsoft, rather than the result of a desire to put a stranglehold on the Sender ID specification. According to the license agreement, Microsoft reserves the right to terminate the Caller ID license if a company sues Microsoft or its affiliates for patent infringement over claims relating to any aspects of the specification.

The company already has been burned for using technology and getting sued later. It's in the throes of a patent battle with Eolas, which owns a patent covering Microsoft's ActiveX technology and was awarded $521 million from Microsoft. The case is currently in the U.S. District Court system.

Microsoft officials could not be reached at press time for comment, though a spokesperson said there wasn't anything to indicate a delay would result from Microsoft's deliberations

Newton said the there were only a couple of minor, technical issues that need to be discussed at Wednesday's meeting. He doesn't expect them to delay the nomination of Sender ID as a proposed standard to the IESG.