IETF Prepares To Forward Sender ID

The Internet Engineering Task Force (IETF) is set to nominate Sender ID — a
consolidated e-mail address anti-spoofing technology — as an Internet
standard during its working group meeting Wednesday.

Sender ID is the consolidation
of Microsoft’s Caller ID for E-mail and Meng Weng Wong’s Sender Policy
Framework (SPF).

SPF is essentially a list of computers or servers (every Internet-connected
machine has its own IP address) that are verified to send e-mail from a
particular IP address. For example, if AOL verified that only one server,
with an IP address of 123.456.7.8, was authorized to send @aol.com e-mails,
any other IP address using @aol.com would be rejected. Caller ID,
Microsoft’s technology, demands essentially the same thing but formats its
DNS records in an XML format, rather than SPF’s plaintext.

The power of the specification depends on its adoption: The more DNS
administrators who publish their valid IP addresses and
send from them, the less spammers are able to spoof
e-mail address headers to get past e-mail filters.

Despite several other standards championed by other groups, the MTA
Authorization Records in DNS (MARID) will focus only on Sender ID, resolving
any lingering technical or legal issues before passing it up to the Internet
Engineering Steering Group (IESG). The IESG will look for any security issues
before passing along the proposed standard to the IETF for a “last call”
before its release as a proposed standard.

Andrew Newton, co-chair of the IETF’s MARID working group, said Sender ID is
on the fast track because of interest within the IETF, and any comments from
the IESG over potential security issues should be released within a month.
He said the working group decided to focus on the technology
because of the interest in getting an anti-spam standard out soon. According to
the MARID Web site, August is the self-imposed deadline for
sending a proposed standard to the IESG.

It’s a letdown for those in the anti-spam community who had hoped the working
group would look at another proposed specification, the Client SMTP
Validation (CSV) scheme. CSV is similar to Sender ID technology, in which
the receiving SMTP server “grades” the sending SMTP client
e-mail by accessing a database of valid IP addresses. Too low a grade
will bounce the e-mail back to the sender with an explanation.

“The problem is, we have a short timeline for meeting that first milestone of
having something as a proposed standard,” Newton said. “So, if we discussed both at the same
time, we would probably end up in a very confused state.”

Newton said the CSV specification compliments Sender ID and will be
discussed after Sender ID is standardized; he didn’t know when that would
be.

Most of the talk surrounding Sender ID, specifically the SPF portion, is positive. Scott Perry, software engineering director for
anti-spam vendor Computerized Horizons, maker of the Declude product line,
said that once enough
domain owners are using Sender ID, Microsoft’s proposal creates an extra obstacle for spammers to deal
with before they can blast out an e-mail marketing campaign.

“Once critical mass is reached, and there are enough domains that are
publishing the SPF records, enough people using the Sender ID, it’s going to
force spammers to go out and buy their own domain names,” he said.

Once spammers are forced to buy their own domain names, it will be much
easier to track down originators of the spam. That’s the hope, anyway.


In reality, e-mail authentication via SPF records will cut off one avenue but
leave other options. Finding out who is sending the spam and having that person
arrested, for instance, will not become any easier.

WHOIS records remain a barrier to investigators trying to track
down the owners of individual domains conducing illegal activities. In many
cases, the owner and contact information is false, and, since many of the
registrars who sign up new domain name owners use an automated
process, it’s difficult to find the owner after the fact. In March, the
Internet Corporation for Assigned Names and Numbers (ICANN) reported
16,045 Internet domain names had incorrect contact information, though it’s
hard to determine whether the errors were intentional or not.

The ease of getting a new domain name, or ditching one and getting another,
will lead to the next wave of spamming techniques: disposable domains, said
Suresh Ramasubramanian, coordinator for the Asia-Pacific Coalition Against
Unsolicited Commercial E-mail (CAUCE.

“Domain names are cheap enough and easy enough to attain that they’re
practically disposable,” he said. “In the long run, if SPF catches on,
throwaway domains will become much more popular.”

Rumors indicate Microsoft could hold up adoption of its own anti-spam
technology proposal at Wednesday’s meeting, internetnews.com has
learned, a delay that could set the process back as long as a month.

A source close to the events, who asked to remain anonymous, said he learned
of the development from Microsoft officials directly involved in the process
while attending the Conference on E-mail and Anti-Spam in Mountain View,
Calif., last week.

“They anticipate that due to internal political wrangling, it’s probably
going to be another month before that RFC is agreed on,” he said. “There’s no
guarantee one way or the other, but from what I’m hearing, there is a doubt
that it will be passed on [at Wednesday’s meeting].”

It’s clear not everyone is enthused about Microsoft’s inclusion of Caller ID
with SPF. SPF, used by about 50,000 domain owners throughout the world,
does not have any conditions attached to its use. Caller ID, however,
includes a Microsoft patent-license agreement for software developers that some find
cumbersome and unnecessary. (The license doesn’t affect organizations that
use the specification to publish their Sender ID records.)

Critics such as boycott-e-mail-caller-id.org and the Free Software Foundation complain that Microsoft’s spec is encumbered with unclear and unnecessary patent claims.

It’s possible the licensing agreement is nothing more than a protective
measure for Microsoft, rather than the result of a desire to put a stranglehold on the Sender ID
specification. According to the license
agreement, Microsoft reserves the right to terminate the Caller ID license if a company sues Microsoft or its affiliates for patent infringement over claims relating to any aspects of the specification.

The company already has been burned for using
technology and getting sued later. It’s in the throes of a
patent battle with Eolas, which owns a patent covering Microsoft’s ActiveX technology
and was awarded $521 million from Microsoft. The case is currently in the U.S. District Court system.

Microsoft officials could not be reached at press time for comment, though a
spokesperson said there wasn’t anything to indicate a delay would result
from Microsoft’s deliberations

Newton said the there were only a couple of minor, technical issues that
need to be discussed at Wednesday’s meeting. He doesn’t expect them to delay
the nomination of Sender ID as a proposed standard to the IESG.

News Around the Web