- CNET NETWORKS UK BUSINESS SITES:
- atlarge.com
- BNET UK
- silicon.com
- SmartPlanet.com
- ZDNet.co.uk
Will this be the fix we're waiting for?
Published: 29 June 2004 08:30 BST
Microsoft has merged two email authentication methods into a single proposed standard in an attempt to clamp down on the menace of phishing attacks and spam - but fears already exist that criminals will find a way around the fixes.
Microsoft announced last week that it has combined its Caller ID proposal with the Sender Policy Framework (SPF). It has submitted the merger - called Sender ID - to the internet Engineering Task Force (IETF) for approval.
A statement from Microsoft said: "Sender ID will verify that each email message originates from the internet domain it claims to come from based on the sender's server IP address."
"Eliminating domain spoofing will help legitimate senders protect their domain names and reputations, and help recipients more effectively identify and filter junk email."
Caller ID and SPF were both created to try to prevent domain spoofing. The spoofing takes advantage of a flaw in the Simple Mail Transfer Protocol (STMP) that makes it possible to label an email with a fake address. It's used by spammers to disguise the origin of their junk mail, and fraudsters to pretend their emails come from genuine financial institutions.
With Caller ID, announced in February 2004, Microsoft proposed that the IP addresses of outgoing mail servers should be added in XML to the domain name server (DNS). This would allow the recipients of email to see whether the IP addresses of the message they received tallies with the domain that it purports to have been sent from. If it doesn't, the mail could be treated as suspicious and dropped.
SPF, which preceded Microsoft's own efforts, took another approach, putting authentication at the start of the process of sending and receiving email -- the simple message transport protocol (SMTP). Like Caller ID, SPF also used the DNS to provide information about servers that send mail on behalf of a particular domain. With SPF, when a mail server gets an incoming message, it looks up the sender's domain to get the SPF record, and checks whether the sending server is in the permitted list. If not, the mail is rejected as a forgery.
Graeme Wearden writes for ZDNet UK
Leader: The drugs don't work
Leader: ISPs must be forced to stop spam Leader: The mixed blessing of paid-for email Leader: Is justice really being meted out to spammers? Leader: UK soft on spam Devil's Advocate: How to catch a spammer Ask the Lawyer: Trademark disputes and stopping spammers
Leader: When is spam not spam?Back to The Spam Report Special Report
Spammers switching on to YouTube?
Video spam and PowerPoint slides next on the menu, warns MessageLabs...
Spam surge emanating from the Far East
Made in China...
US court upholds anti-spam law
Junks convicted spammer's appeal...
Spammers dust off their botnet passports
Targeting pastures new...
Spammers now own email's dirty reputation
So say email reputation services firms... But they would say that wouldn't they?
Stories from around the web...
Beware: You have mail Times Online
The economies of spam Global Politician
Special report: Fighting spam and cyberscams CNET News.com
Spam ain't dead yet PC Magazine
Slaying Spam-Spewing Zombie PCs PC World
Make your voice heard
silicon.com and the Bathwick Group have created an opportunity for business and IT executives to share their experience with each other and thus enhance their knowledge of the IT marketplace.
Join our research panel, and you'll be asked to participate in short surveys - and then will be privy to the answers of all your colleagues, as we send you tailored versions of the results.
Extras include complementary passes to silicon.com events and survey prizes such as iPods. Plus, there are the obvious networking opportunities with your fellow panellists.
For more about the Research Panel and how to join, click here
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved. Top of page
RSS Feeds