March 14th, 2005
Anti-spam standard still moving in slow motion
It has now been almost six months since the last time we heard about what progress (or lack thereof) the SenderID e-mail authentication specification was making on the anti-spam standards front. It’s been so long that I was beginning to wonder what’s up and whether there’s any hope of ratifying a standard any time soon. Or are we just going to drown in the growing deluge of spam?
SenderID is a framework that supports multiple techniques for checking whether an e-mail was sent from the domain it says it’s from. Being able to perform such a check is widely regarded as a foundation-laying step in the fight against spam for two reasons. First, given that spammers often forge the credentials that go out with their e-mails in order to cover their tracks, being able to verify the authenticity of those credentials can greatly increase the accuracy of filtering as a way of dealing with spam. Second, once you’ve established with some confidence that whatever e-mail is left (after said filtering) is from who it says it’s from, you can apply other rules to how those messages get handled.
The last time there was any news on the SenderID front, it wasn’t good. Under the auspices of a working group called the MTA Authorization Records in DNS (MARID) group, the Internet Engineering Task Force (an Internet standards organization) held a series of discussions to deliberate the merits of various credential authentication techniques. But, after announcing that "the working group participants have had fundamental disagreements," the IETF disbanded the effort at the recommendation of the group’s co-chairs. At least some of the breakdown was attributed to Microsoft’s desire to maintain its intellectual property rights (IPR) to one of the credential-checking techniques. Although Microsoft currently doesn’t hold a patent to that technique — known as the Purported Responsible Address (or PRA) technique — it has applied for one. While others who were privy to the conversations agree that Microsoft’s patents were a sticking issue, they say that there were technical disagreements as well (not unusual for a standards discussion).
So, having heard nothing in a while, I decided to check in with Microsoft to see what progress, if any, there had been on the anti-spam standards front. Perhaps, for example, Microsoft might be reconsidering its IPR position. After pinging Microsoft for an update, I was able to line up a recorded audio interview with Harry Katz, a program manager in Microsoft’s Technology Care and Safety Division, and Craig Spiezle, the director of Industry and External Affairs for the same group within Microsoft.
There was a bit of serendipity in the timing of my request. It just so happened that Microsoft was, on the same day, publicizing the results of the SenderID testing it had been conducting on HotMail, the company’s Internet e-mail offering that services more than 200 million users worldwide. In the interview, which is available both as an MP3 download and as a podcast that you can have downloaded to your system and/or MP3 player automatically (see ZDNet’s podcasts: How to tune in), Katz and Spiezle break Sender ID down into its various parts, discuss the results of those tests (which they regarded as positive), talk about what progress, if any, is being made on the standards-setting front, and take questions regarding the patent issue. Here are some of the highlights:
Craig Spiezle on HotMail’s tests of SenderID: We’re showing success of results, improving e-mail deliverability, detecting spoofing attempts, protecting inboxes, and users brands and reputation. [In our observations], 20 percent of e-mail has a [Sender Policy Framework] record [associated with it]…95 percent of phishing attacks have spoofed headers and 81 percent of the spam that we identify has a falsified header.
Where the standards process is now: [Note: this is a summary, not a quote.] There are three candidate proposals for the IETF’s experimental Internet draft status. One is for the SenderID framework, co-authored by Microsoft’s Jim Lyon and Meng Wong (author of Sender Policy Framework); another is for PRA, authored by Lyon; and a third, co-authored by Meng Wong and Wayne Schlitt, addresses the Mail-From checking technique.
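To make the distinction between the two identities concrete, here is an added example (my own illustration, not code from Microsoft or the IETF drafts): a small offline evaluator that checks both the envelope Mail-From domain and the Purported Responsible Address domain against SPF-style records. DNS lookups are replaced by a constructed table of hypothetical zones, and the PRA header precedence follows the published PRA algorithm.

```python
# Added example, not from the article: evaluate the Mail-From and PRA identities
# of a message against SPF records, using a constructed stand-in for DNS.
import ipaddress
import re
from email import message_from_string

DNS_TXT = {  # constructed zone data (hypothetical domains), replaces TXT lookups
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "bank.example": "v=spf1 ip4:203.0.113.5 -all",
}
# Header precedence used to select the Purported Responsible Address (RFC 4407).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed sample: the envelope sender's domain authorises the sending host,
# but the visible From: claims a bank that never did.
PHISH_MSG = ("From: Alerts <alerts@bank.example>\nTo: victim@example.org\n"
             "Subject: verify your account\n\nClick here.\n")

def purported_responsible_address(raw_message):
    """Return the address from the highest-precedence PRA header, or None."""
    msg = message_from_string(raw_message)
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            m = re.search(r"<([^>]+)>", value)
            return (m.group(1) if m else value).strip().lower()
    return None

def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record for client_ip (ip4/ip6/include/all only)."""
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"  # no policy published, nothing to verify against
    if not record.startswith("v=spf1") or depth > 10:
        return "permerror"  # malformed record or runaway include chain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        q = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[q]
        if mech == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return QUALIFIERS[q]
        if mech == "all":
            return QUALIFIERS[q]
    return "neutral"  # record exhausted without a match

def sender_id_verdict(raw_message, mail_from, client_ip):
    """Check both identities; a spoofed From: surfaces as a PRA failure."""
    pra = purported_responsible_address(raw_message)
    return {"mailfrom": check_spf(mail_from.rsplit("@", 1)[-1], client_ip),
            "pra": check_spf(pra.rsplit("@", 1)[-1], client_ip) if pra else "none"}
```

Running `sender_id_verdict(PHISH_MSG, "bounce@example.com", "192.0.2.10")` yields a Mail-From pass but a PRA fail, which is exactly the falsified-header case the HotMail numbers above describe and which a Mail-From-only check would miss.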
Harry Katz on Microsoft’s intellectual property rights: I don’t know whether they’re issues or not. Microsoft has filed a patent application on the use of the PRA in conjunction with the overall SenderID framework and we published a license to that tech, a royalty-free or RANDZ (no fee-based reasonable and non-discriminatory) license that exceeds IETF requirements. At this point, we actually only have a patent application rather than a granted patent. To a certain extent, no one is required to have a license from us.
While things are moving very slowly on the standards front, SenderID is getting some significant traction on the e-mail security solutions front. According to Katz and Spiezle, numerous vendors, including Ironport, CipherTrust, SendMail, and Symantec, are beginning to incorporate SenderID-based authenticity checking into their e-mail security solutions. Microsoft also plans to announce support for SenderID in a version of Exchange Server to be released later this year.
Katz and Spiezle had plenty more to say. Now that I’ve interviewed them, I’m also not as convinced as I once was that Microsoft shouldn’t be allowed to maintain a patent on the PRA part of the SenderID framework. I’m not fully convinced it should be either. It’s a difficult issue. The company has deep pockets and is a constant target for patent litigation. Today, the patent system is what it is and as long as the patent system isn’t changing, practicing patents is one way to keep infringement suits at bay — the so-called "defensive use of patents". Of course, there’s always a risk that Microsoft could make offensive use of the patent in some way. But by doing so, it would draw so much negative attention to itself that such a move would be sure to backfire in more ways than one.
Give the MP3 a listen and share your thoughts with ZDNet’s audience on how you feel things are going when it comes to setting anti-spam standards.