Anti-spam email "caller ID" gets Microsoft backing

An ongoing effort to consolidate anti-spam authentication schemes took a big step forward with the merging of Sender Policy Framework and Microsoft's Caller ID for Email.

Microsoft said it has agreed to combine its Caller ID efforts with the SPF, a specification crafted by Pobox.com CTO Meng Wong.

Wong called Microsoft's embracement of SPF a crucial win for the technology, which has already gained the backing of AOL, EarthLink and Google.

"Microsoft was the last remaining obstacle," Wong said. "Almost everyone else was already onboard. Nobody wants to be squashed by Microsoft, so I'm glad they came around to our point of view on their own."

SPF, which formerly stood for "Sender Permitted From," and Caller ID attack a fundamental weakness in the omnipresent Simple Mail Transfer Protocol: Email recipients have no way of determining whether senders are who they say they are.

That's an especially vexing problem for internet service providers like Microsoft and its MSN division, Yahoo!, AOL and others, which would like to stop fraudulently addressed, or "spoofed," email long before it gets delivered to subscribers' in-boxes - before it's sent, if possible.

Technical proposals abound for fixing the authentication problem. A recent crop focuses on the idea that ISPs could publish the range of internet protocol (IP) addresses associated with their email domains. That way, a recipient's service provider could check the sender's stated domain against the published IP address. If there's no match, the recipient's ISP can safely assume that the message is spam - or at least fraudulently addressed.

Email authentication helps prevent another email scourge, "phishing," which happens when online con artists convince people to hand over user names, passwords and credit card numbers by posing as a legitimate business. That con is made easier, because SMTP lets email senders claim to be anyone.

Efforts to merge several similar authentication schemes have been under way since last autumn and the combined SPF and Caller ID, which has yet to be named, will use XML to let ISPs post IP addresses in the Domain Name System, the giant database that translates alphanumeric domain names like "silicon.com" into numerical IP addresses for web servers.

SPF and Caller ID let service providers publish their numerical IP addresses for outgoing mail servers, as well as web servers, in a machine-readable format in the DNS.

Microsoft called the merged specification an important boost for the worldwide anti-spam effort.

Microsoft spokesman Sean Sundwall said: "The convergence of the two proposals is a very positive milestone in the war on spam and brings together the best of both SPF and Caller ID. We anticipate this proposal will be something the whole industry can rally around to eliminate domain spoofing and bring much-needed relief to email users around the world."

Microsoft and Wong plan to publish their combined proposal and submit it to the Internet Engineering Task Force, a key standards body, next month. Microsoft promised that the combo would be compatible with existing versions of SPF.

AOL, which in December began testing SPF, hailed Microsoft's collaboration with Wong. AOL spokesman Nicholas Graham said: "We welcome Microsoft to the position we have long held concerning the attributes of SPF. And on the need for a joint standard that is about more than one technical standard, one technology or one company. We were the first ISP to agree to test and implement SPF, back in December, and we think this convergence is the right approach at the right time."

Paul Festa writes for CNET News.com