Spammers love Sender-ID
p2pnet.net News:- Sender-ID is supposed to make life difficult for spammers by revealing who they are.
“The idea of authenticating email senders has been under discussion for several years, but it has only recently got close to becoming a standard,” says Bill Thompson. “The current version combines two approaches to the problem, one called Sender Policy Framework and the other called Caller ID for Email.
“The fuss is about Caller ID, which was contributed to the standard by Microsoft. The company has said that anyone who wants to use Sender-ID must take out a license to use it, because it incorporates Microsoft’s intellectual property.
In other words, Microsoft is being Microsoft.
Greedy.
But spammers, the very people Sender ID is designed to thwart, might be more than willing to shell out for a license.
MX Logic, an email security company, has found junk emailers are trying to make their messages appear ‘real’ by adopting Sender Policy Framework (SPF), meant to help stop spam.
“In its preliminary study, MX Logic found that some spammers have embraced SPF in the hope that their unsolicited email messages will be viewed as more legitimate because the messages have an SPF email authentication record associated with them,” says MX, going on:
“In a sample of more than 400,000 unique spam email messages that passed through the MX Logic Threat Center from Aug. 29 through Sept. 3, 16 percent had published SPF records.
“SPF helps prevent domain ‘spoofing’ in email and makes it easier to identify fraudulent email scams and ‘phishing’ attacks by authenticating the origin of an email. Email domain owners identify their ‘legitimate’ sending mail servers by publishing an SPF record in the domain name system (DNS). This enables email servers to validate the source of incoming email against the associated SPF record to determine if the email sender’s domain is legitimate and not ‘spoofed’.”
For authentication to be effective against spam, the industry will need to come to agreement not only on the authentication standard to be used – such as SPF or Sender ID – but also on accreditation and reputation services that can vouch for the domain’s SPF record as well as email sending history, says Scott Chasin, CTO, MX Logic.
This would allow a clearinghouse of information on good email senders to be developed, “rather than relying on techniques to identify bad email senders,” he says.
A “guilty until proven innocent approach” to email filtering would help minimize the need for email content inspection and create a “first class” category of legitimate email which could, “flow through email filters without interruption”.
MX Logic says it’s monitored compliance with the US CAN-SPAM Act since it went into effect at the beginning of this year.
“Since then, monthly compliance has ranged from a high of 3 percent from January through April to July’s low of 0.54 percent,” says the company. “While CAN-SPAM compliance increased to 2 percent during August, the amount of spam also increased. Of all email traffic through the MX Logic Threat Center during the month, 92 percent was spam – up from 84 percent in July.”
But, “I wouldn’t read too much into last month’s increase in CAN-SPAM compliance,” says Chasin. “Compliance with the law has always been negligible and the August data doesn’t refute this trend. Two percent compliance is a minor uptick – not a meaningful surge.”






September 10th, 2004 at 6:54 pm
“But spammers, the very people Sender ID is designed to thwart, might be more than willing to shell out for a license.”
Actually, MS has stated they will never charge a dime for the license…it’s really about incompatibility with the GPL, any software incorp’ing Sender-ID would be incompatible with the GPL therefore rendering the software pretty much useless to the FOSS philosophy, in essence ‘ghettoizing’ open source software using the GPL.
However, the only major player to ‘agree’ to incorp’ing Sender-ID is Sendmail, others like Apache, Debian, Qmail have said they will not and cannot use Sender-ID with the current licensing scheme.
Really, it’s an attack on the GPL…MS trying to backdoor FOSS after its first attempts using SCO and Tocqueville are failing/failed. I’ve said before on Groklaw, SCO won’t be the only attempt, but just the first one, the methods of attack will change but the goal will remain the same…anti-competitive behavior and marginalizing the GPL.
(Posted by Jon for TT)
September 10th, 2004 at 8:48 pm
I do not know what MS has added to SPF that’s supposed to be so great.
Why not just use the Sender Policy Framework, which is, as I understand it, free?
Would it really be so difficult to drop MS from the standard?
More importantly, what exactly is MS laying claims to exactly?
A public document which discusses a public standard made with the contributions of lots of people that have nothing to do with MS?
How can they own that?
The whole patenting of ideas as inventions is completely ridiculous.
September 11th, 2004 at 6:01 pm
Well of course. You’ve got MS, greed, money, licensing, etc. on one side along with buzzphrases to make their crap sound ultra professional.
On the flipside.. you’ve got freeware developers, you’ve got free, open-source mail server packages and/or filtering software. Much of this free filtering, email verification, etc. software doesn’t use corporate-sounding names, doesn’t charge for it and isn’t capable of being used in a way to defeat what it was designed for in the first place.
You either pay for expensive sounding crap, or you go with the free (and/or open-source) but more reliable alternatives.
Is it just me, or does it seem that free software resulting from collaborative (like p2p!!) community projects… turns out to be so much better than products where the focus is on marketing and maximum profit??