RealTime IT News

Sender ID Finds Followers Ahead of Approval

UPDATED: As a new Sender ID specification for beating back spam wends its way through the Internet Engineering Task Force (IETF), some e-mail software vendors are not waiting around for its final approval before implementing the system.

They could be taking a gamble. Or they could be acting in confidence that the IETF will eventually bless a specification that will be used on e-mail systems throughout the world.

One of the contributors to the Sender ID specification, Microsoft, has patents pending on certain components of the Sender ID technology it has donated to the IETF's efforts. Microsoft has repeatedly said that -- even if it is granted a patent on the technology -- it would "make licenses available on reasonable and non-discriminatory terms."

But the issue has some in the open source world talking.

The drive in the business community to press ahead with Sender ID comes at a time when some in the open source community are claiming the licensing stipulations around Sender ID don't interoperate with the most popular open source license variant, the General Public License.

In a post to the IETF's MARID (MTA Authorization Records in DNS) discussion list, the chairman of the Apache Software Foundation (ASF), Greg Stein, called Microsoft's Royalty-Free Sender ID license agreement a barrier to any ASF project.

"We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms."

The finalized version of Sender ID, a combination of Microsoft's Caller ID for E-Mail specification and Meng Weng Wong's popular Sender Policy Framework (SPF), is expected to move on to the IETF's steering group after Friday (following the close of comments in this round) for further approval as a proposed standard within the IETF. From there, perhaps by the fall, the IETF is expected to bless the new proposed standard as a way to combat the ever-rising spam and phishing attempts that bedevil so many e-mail servers today.

That may explain why some companies are moving ahead with Sender ID deployments now to cut down on the number of phishing and spoofing attacks that are holding large companies hostage.

"It's getting to the point where they cannot even send legitimate e-mails out anymore," said Paul Judge, chief technology officer at CipherTrust, a secure messaging software vendor. "So, you think that you're one of the most powerful organizations in the world and you've been crippled so that you simply cannot send out e-mails to your customers; think of the damage phishers can do to disable a brand like that."

CipherTrust is one of several vendors that signed onto the Sender ID bandwagon. It said Tuesday it would support the specification in the next version of its IronMail e-mail authentication application, due out in October. Others moving to the Sender ID specification with application support include Symantec, VeriSign and IronPort.

Also adopting Sender ID is Sendmail, which makes a commercial version of the venerable open source Sendmail message transfer agent, a project that predates the other popular open source MTAs -- qmail, postfix and exim.

Officials from the vendor announced an open source plug-in module as part of their Messaging Integrity Pilot Program, in order to test and assess its implementation of Sender ID in the wild.

Dave Anderson, Sendmail's CEO, said the plug-in will be available under its Sendmail Open Source License, which lets users modify the original source code as long as the modifications are donated back to the open source community. If customers decide they would rather work the code how they see fit and not contribute the changes under the open source license, they can buy a license from Sendmail, Anderson said.

Anderson is also part of a group of companies not concerned that the Microsoft-sponsored specification could one day be awarded patents by the U.S. Patent & Trademark Office (USPTO). Right now, the technology is patent pending, which means no company is under obligation to sign a license to use Sender ID.

"If you read the Microsoft license it grants you some rights but you also accept some obligations," he said. "What you get [with the license] is the ability to use the software for free, and if you don't get a license what you get is the ability to use this software for free -- so we've decided there really is no reason for us to get a license."

Microsoft's FAQ sheet on the Sender ID license states that because the company is not aware of any issued patents on the technology, no license is required. And even if Microsoft should win its patent claim through the USPTO, "Microsoft has disclosed that if such claims are granted Microsoft will make licenses available on reasonable and non-discriminatory terms."

Plus, several individuals posting to the IETF's MARID (MTA Authorization Records in DNS) working group discussion contend that Microsoft's patent claims are covered by "prior art" and, as such, are not eligible for a patent.

Anderson said that while he doesn't want people to take his company's decision not to sign a license agreement as an indicator that other companies shouldn't, Sendmail's decision should allay some fears.

"Why would I want to get a license that has some additional constraints in it if it's already free? To me, that's a pretty simple business decision."

Also, plenty of software vendors in the e-mail sector are making plans to implement the Sender ID specification following a Sender ID summit, which Microsoft hosted Tuesday. The goal: to educate ISPs, Web site hosters and anti-spam/anti-phishing vendors on Sender ID deployments in their own organizations.

Anderson said the summit was a success, with many ISPs making plans to incorporate Sender ID in the coming months. He expects 50 percent of the world's e-mail senders will have the specification in place by year's end.

Eben Moglen, a law professor at Columbia University who provides free legal advice to the Free Software Foundation, is also taking issue with Microsoft's free licensing terms in a post to a MARID discussion list.

"The license posted by Microsoft is not compatible with GPL and is not a free software compatible license. There are several problems, of which the most severe is the requirement that anyone who wants to redistribute a covered implementation must execute a license with Microsoft," according to a post attributed to Moglen. "If you cannot give people code that they can redistribute without permission, you are not giving them free software. This would be the conclusion under all the meta-definitions of freedom: the [Open Source Definition], the [Free Software Definition], and the Debian [Free Standards Group]." (Moglen did not respond to requests for further comment.)

Microsoft's Sundwall said he doesn't understand why the open source community is balking at the license agreement, which is in many ways similar to the terms used by software companies like IBM, a company with tens of thousands of intellectual property (IP) patents that routinely donates code to the open source community.

"It's a very standard procedure; IBM and many others that have a foundation on IP submit specs to the IETF and other standard's bodies with IP claims all the time," he said. "It's a little baffling why this issue in particular has gotten so much attention because our intentions are 100 percent pure; we have a pretty good track record on spam and how we've made an effort to make no money to solve this for our customers and anyone else's customers as well.

"We have never and will never charge any money whatsoever for this patent," he said. "The patent, which has not been granted yet, was filed mostly as a defensive measure down the road should people come back at us and file an IP-based lawsuit."