Internet and e-mail policy and practice
including Notes on Internet E-mail



18 Jun 2005

Microsoft's Hotmail demands Sender-ID, backlash to follow

Sender-ID is Microsoft's entry in the anti-spam technology sweepstakes. It's a scheme developed during last year's MARID fiasco in which their earlier Caller ID proposal and Meng Weng Wong's SPF were merged, sort of. Microsoft's patent claims and the details of the patent license they offered so severely distracted MARID that the merits or lack thereof of Sender-ID didn't get much attention.

Now, Microsoft's Hotmail, which also handles the mail for MSN users, says that they will shortly be checking Sender-ID on all mail to Hotmail and will show a yellow warning box on all mail that doesn't pass. What should senders do? Ironically, for most senders, the best answer is nothing.

As I noted last fall, Sender-ID works best for senders who send all their mail from a fixed place, that is, bulk mailers. This category includes both ESPs (email service providers) and spammers.

Sender-ID, like SPF, does path validation. A mail sending domain publishes an SPF record listing the places where its mail should come from, and if a message from that domain comes from a place listed in the SPF record, it passes. Spammers have shown that they're quite able to publish SPF records to validate their mail just as well as anyone else, and Ciphertrust reported a few months ago that a majority of the mail they saw that passed SPF was spam.

Sender-ID, as defined during MARID, could either use the original SPF record format, now known as v1, or a new slightly more flexible format known as v2. Due both to the patent license and to technical issues with Sender-ID, SPF development has gone along on its own using v1 records, and the vast majority of published SPF records are v1. Nonetheless, Hotmail says that they will only check v2 records, and if a domain has no record, they'll treat that as a Sender-ID failure and display the yellow warning box. Clearly, this plan has a lot more to do with Microsoft's corporate politics than it does with protecting their users from spam. ESPs will doubtless publish v2 records, as will spammers. But for all the other domains that don't have v2 records, what should they do?

One approach is to say "OK, they want a record, we'll give them a record." For domains that aren't ESPs, it's difficult to impossible to come up with an accurate list of the places that could legitimately send mail, once you consider mail forwarders, roaming users, and a laundry list of slightly unusual but perfectly legitimate mail sending approaches. (Sender-ID shares this problem with SPF.) Fortunately, it's no trouble at all to publish a v2 record that says that all mail from anywhere is authorized, thereby making the yellow box go away:

taugh.com. IN TXT "spf2.0/pra +all"

For the moment, that's what we're doing with our domains as an experiment.

But a friend of ours pointed out that if all the ESPs and spammers publish v2 records, and most other places don't, mail without the yellow box will all be bulk mail, and Hotmail users will quickly decide that no box means not spam. So our advice is to ignore Microsoft's blandishments, do nothing, and wear your mail's yellow box with pride.
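The v2-only check described above can be sketched as follows. This is an added example, not code from the post or from Hotmail: it assumes the receiver looks only at spf2.0 records with the pra scope, treats a missing v2 record as a failure, and evaluates only the `ip4`, `ip6` and `all` mechanisms offline. The domain esp.example, its record and the function names are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# TXT records: the first two appear on this page, the third is constructed.
RECORDS = {
    "taugh.com": ["spf2.0/pra +all"],
    "hotmail.com": ["v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com "
                    "include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"],
    "esp.example": ["spf2.0/pra ip4:192.0.2.0/24 -all"],  # hypothetical bulk sender
}

def pra_terms(txt_records):
    """Return the terms of the first spf2.0 record covering the 'pra' scope."""
    for txt in txt_records:
        parts = txt.split()
        if parts and parts[0].lower().startswith("spf2.0/"):
            scopes = parts[0][len("spf2.0/"):].lower().split(",")
            if "pra" in scopes:
                return parts[1:]
    return None  # only a v=spf1 record, or no record at all

def evaluate(terms, sender_ip):
    """Match terms left to right; return the result of the first that matches."""
    ip = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        # include/a/mx/redirect need DNS lookups; this offline sketch skips them
    return "neutral"

def v2_only_check(txt_records, sender_ip):
    """Assumed policy from the post: only v2 records count, no record fails."""
    terms = pra_terms(txt_records)
    if terms is None:
        return {"result": "none", "yellow_box": True, "open_to_all": False}
    result = evaluate(terms, sender_ip)
    # A pass-qualified 'all' authorizes every address not caught by an earlier term.
    open_to_all = any(t.lstrip("+").lower() == "all" for t in terms)
    return {"result": result, "yellow_box": result != "pass", "open_to_all": open_to_all}

if __name__ == "__main__":
    for domain, ip in [("taugh.com", "203.0.113.5"), ("hotmail.com", "203.0.113.5"),
                       ("esp.example", "192.0.2.10"), ("esp.example", "198.51.100.7")]:
        print(domain, ip, v2_only_check(RECORDS[domain], ip))
```

The `open_to_all` flag is what a receiver or auditor would look at to see that a pass from such a record carries no information about where the mail came from.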


posted at: 22:23 :: permanent link to this entry :: 5 comments

comments...


Both Hotmail and Microsoft only have spf1 records, so I can't imagine they are really requiring v2.

"v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
"v=spf1 mx redirect=_spf.microsoft.com"

That said, they are pretty well known for making last minute changes, so perhaps there is a plan to add records this week.

None of the yahoo domains have a Sender ID record published -- thus, all email from the US's largest email service provider will have the big yellow box. Yahoo will be in great company. MSN groups apparently hasn't gotten the memo yet:

$ host -t TXT groups.msn.com
$

And the SID check:

X-SID-PRA: MSN Groups
X-SID-Result: TempError

I can't quite tell how msn alerts works, but they also have an empty record.

I can't wait to see screenshots of clearly forged mail passing the check, and very legit forwarded bank statements with the yellow box.

(by miles libbey 19 Jun 2005 13:07)


source?
Could you please give a reference to the source of this information? I am particularly interested in the part about only checking SPFv2 records. That runs counter to everything I've heard from MS for the past year.

(by wayne 19 Jun 2005 18:41)


source of v2 only
It was from an acquaintance who works for Hotmail. I was as surprised as you, but he was quite specific.

(by John L 19 Jun 2005 21:25)



Is this checking mail FROM a hotmail account TO a hotmail account? Or is it mail from the world at large to Hotmail accounts?

(by johnp 20 Jun 2005 03:24)


MSFT's Ultimatum on Sender ID
MSFT has decided to force the issue of authentication by requiring Sender ID....

(by PrivacyClue--Ray Everett-Church on Privacy, Politics & Culture 25 Jun 2005 03:26)



© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.