RealTime IT News

Microsoft, AOL Resurrect Sender ID

AOL is back in the Microsoft Sender ID for E-Mail camp after the Redmond, Wash., software giant announced it had made two significant changes to its specification and filed them with the Internet Engineering Task Force (IETF) Monday.

Ryan Hamlin, Microsoft's general manager of anti-spam technology and strategy group, said the company has amended one of its patent applications to distinguish Sender ID for E-Mail authentication from Sender Policy Framework (SPF) authentication records, the information that determines whether an e-mail is truly coming from the domain it claims to.

Microsoft has two patents wending their way through the patent process at the U.S. Patent & Trademark Office (USPTO). While one of them is rather benign to the e-mail industry -- as it applies only to Caller ID for E-Mail -- the second one was regarded as so broad in scope as to describe any anti-spam technology used today.

"There was some initial confusion that the current patent application we had in place covered SPF and with which people had some concerns about moving forward with using SPF," he said. "We've now amended that to make sure that there is no unintentional inclusion of the SPF record type or mailfrom check within that patent application; those are the two major checks."

He also said the company has revamped its Sender ID for E-Mail framework to make it backward-compatible with the original SPF technology, sometimes called SPF-Classic.

Until last month, AOL was Microsoft's biggest ally in the company's efforts to push its e-mail authentication technology through the IETF as an Internet standard for preventing spoofed e-mail addresses.

Citing lack of support from the open source community and incompatibility with its own e-mail authentication technology, AOL withdrew its support for Sender ID for E-Mail in September, which likely triggered the breakdown last month of the IETF working group trying to forward the technology.

But, as they say, that was then and this is now. AOL's use of SPF-Classic, which authenticates an e-mail based on SMTP envelope information (officially called 2821 Verification), was incompatible with Microsoft's Sender ID for E-Mail authentication, which relies on e-mail header information (officially called 2822 Verification) to determine whether an e-mail is truly coming from the domain it claims to.

So why did AOL support Sender ID for E-Mail in the first place? Originally, SPF was a standalone technology authored by Meng Weng Wong last year, which uses 2821 Verification. It was popular in the industry and quickly gained a following of about 20,000 domains, of which AOL was but one participant. Then Microsoft announced in June that it was merging its fledgling Caller ID for E-Mail with Wong's SPF, only it was replacing SPF's 2821 Verification with its own patent-pending 2822 Verification.

The open source community was not happy about the change. Microsoft added a license agreement stipulation to the use of Sender ID for E-Mail worldwide, specifically when Caller ID for E-Mail and 2822 Verification are used in conjunction. Critics said the sub-licensing and transferal clauses precluded its adoption under the General Public License (GPL) and vowed to avoid Sender ID for E-Mail, stalling talks.

Nicholas Graham, an AOL spokesperson, said their withdrawal last month from Sender ID for E-Mail was part of a process, and today's announcement is not a flip-flop.

"What happened in September and where we are today is a very natural and expected progression of events; this is where we hoped we would be with Microsoft," he said. "Back then, it wasn't a case of throwing in the towel on Sender ID altogether. We just simply had to withdraw from the specific version at that time; we knew that we would always work collaboratively with Microsoft to get us where we are today."

Both sides realize the importance in moving forward with an e-mail authentication scheme. While the overall number of spam messages has been reduced on its Hotmail service, Hamlin said the amount of malicious spam -- phishing attacks, for example -- has increased. Of the incoming spam, 80 percent come from spoofed e-mail domains.

AOL and Microsoft, with their alliance back on firm footing, are moving forward with their plans to get the rest of the world to publish SPF records with their e-mails. Hamlin said they haven't started rejecting e-mail domains without these records, but they will in the future.

Carl Hutzler, AOL director of anti-spam operations, said AOL's e-mail service will one day take the same measures to stop the flow of spoofed domains hitting his customer's inboxes, but not in the near future. The first phases, he said, will involve giving e-mails with attendant SPF records preferential treatment. Also, they will soon honor requests if a company requests that any e-mails not coming from their servers, but with their name on it, be rejected. He mentions Citibank as an example, a company that's been a popular target of phishing attacks, to get their customer's personal information.

Clarifies attribution in prior version.