Microsoft, AOL Resurrect Sender ID

AOL is back in the Microsoft Sender ID
for E-Mail camp after the Redmond, Wash., software giant announced it had
made two significant changes to its specification and filed them with the
Internet Engineering Task Force (IETF) Monday.

Ryan Hamlin, general manager of Microsoft’s anti-spam technology and
strategy group, said the company has amended one of its patent applications
to distinguish Sender ID for E-Mail authentication from Sender Policy
Framework (SPF) authentication records, the information that determines
whether an e-mail is truly coming from the domain it claims to.

Microsoft has two patents wending their way through the patent process at
the U.S. Patent & Trademark Office (USPTO). While one of them is rather
benign to the e-mail industry — as it applies only to Caller ID for E-Mail
— the second one was regarded
as so broad in scope as to describe any anti-spam technology used today.

“There was some initial confusion that the current patent application we had
in place covered SPF and with which people had some concerns about moving
forward with using SPF,” he said. “We’ve now amended that to make sure that
there is no unintentional inclusion of the SPF record type or mailfrom check
within that patent application; those are the two major checks.”

He also said the company has revamped its Sender ID for E-Mail framework to
make it backward-compatible with the original SPF technology, sometimes
called SPF-Classic.

Until last month, AOL was Microsoft’s biggest ally in the company’s efforts
to push its e-mail authentication technology through the IETF as an Internet
standard for preventing spoofed e-mail addresses.

Citing lack of support from the open source community and incompatibility
with its own e-mail authentication technology, AOL withdrew its support
for Sender ID for E-Mail in September, which likely
triggered the breakdown
last month of the IETF working group trying to forward the technology.

But, as they say, that was then and this is now. AOL’s use of SPF-Classic,
which authenticates an e-mail based on SMTP envelope
information (officially called 2821 Verification), was incompatible with
Microsoft’s Sender ID for E-Mail authentication, which relies on e-mail
header information (officially called 2822 Verification) to determine
whether an e-mail is truly coming from the domain it claims to.
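
The difference between the two checks can be seen on a single message. The following is an added example, not code from Microsoft, AOL or the SPF project: it extracts the domain each scheme would authenticate from a constructed message. The sample addresses and the simplified header order (Resent-Sender, Resent-From, Sender, From) are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the article): the envelope sender and the
# From header the recipient sees name different domains.
SAMPLE_MAIL_FROM = "<bounce@bulk-sender.example>"
SAMPLE_MESSAGE = """\
From: "Account Services" <service@bank.example>
To: customer@isp.example
Subject: Please verify your account

Constructed body text.
"""


def domain_of(address):
    """Return the lower-cased domain of an address, or None if it has none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def envelope_domain(mail_from, helo=None):
    """2821 check: the domain given in SMTP MAIL FROM.

    A null sender (<>), used for bounces, has no domain, so fall back to
    the HELO name, as SPF-Classic does.
    """
    return domain_of(mail_from) or (helo.lower() if helo else None)


def header_domain(raw_message):
    """2822 check: the domain of the first header found, in a simplified
    order (assumption): Resent-Sender, Resent-From, Sender, From."""
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        values = msg.get_all(name)
        if values:
            return domain_of(values[0])
    return None


def compare(mail_from, raw_message, helo=None):
    """Return both identities and whether they name the same domain."""
    env, hdr = envelope_domain(mail_from, helo), header_domain(raw_message)
    return {"envelope": env, "header": hdr, "aligned": env is not None and env == hdr}


if __name__ == "__main__":
    print(compare(SAMPLE_MAIL_FROM, SAMPLE_MESSAGE))
```

An SPF-Classic pass on this sample would vouch only for bulk-sender.example, while the address the recipient sees is at bank.example; the header check is aimed at that second identity.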

So why did AOL support Sender ID for E-Mail in the first place? Originally,
SPF was a standalone technology authored by Meng Weng Wong last year, which
uses 2821 Verification. It was popular in the industry and quickly gained a
following of about 20,000 domains, of which AOL was but one
participant. Then Microsoft announced in June that it was merging its
fledgling Caller ID for E-Mail with Wong’s SPF, only it was replacing SPF’s
2821 Verification with its own patent-pending 2822 Verification.

The open source community was not happy about the change. Microsoft added a
license agreement stipulation to the use of Sender ID for E-Mail worldwide,
specifically when Caller ID for E-Mail and 2822 Verification are used in
conjunction. Critics said the sub-licensing and transferal clauses
precluded its adoption under the General Public License (GPL) and vowed to
avoid Sender ID for E-Mail, stalling
talks.

Nicholas Graham, an AOL spokesperson, said their withdrawal last month from Sender ID for E-Mail was part of a process, and today’s announcement is not a flip-flop.

“What happened in September and where we are today is a very natural and
expected progression of events; this is where we hoped we would be with
Microsoft,” he said. “Back then, it wasn’t a case of throwing in the towel
on Sender ID altogether. We just simply had to withdraw from the specific
version at that time; we knew that we would always work collaboratively with
Microsoft to get us where we are today.”

Both sides realize the importance of moving forward with an e-mail
authentication scheme. While the overall number of spam messages has been
reduced on its Hotmail service, Hamlin said the amount of malicious spam —
phishing attacks, for example — has increased. Of the incoming spam, 80
percent comes from spoofed e-mail domains.

AOL and Microsoft, with their alliance back on firm footing, are moving
forward with their plans to get the rest of the world to publish SPF records
with their e-mails. Hamlin said they haven’t started rejecting e-mail
domains without these records, but they will in the future.

Carl Hutzler, AOL director of anti-spam operations, said AOL’s e-mail service
will one day take the same measures to stop the flow of spoofed domains
hitting its customers’ inboxes, but not in the near future. The first phases,
he said, will involve giving e-mails with attendant SPF records preferential
treatment. AOL will also soon honor a company’s request that any e-mails
bearing its name, but not coming from its servers, be rejected. He mentioned
Citibank as an example of a company that has been a popular target of
phishing attacks seeking its customers’ personal information.

Clarifies attribution in prior version.
