To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39121737,00.htm

Microsoft double whammy hammers spam
Will this be the fix we're waiting for?

By Graeme Wearden

Published: Tuesday 29 June 2004

Microsoft has merged two email authentication methods into a single proposed standard in an attempt to clamp down on the menace of phishing attacks and spam - but fears already exist that criminals will find a way around the fixes.

Microsoft announced last week that it has combined its Caller ID proposal with the Sender Policy Framework (SPF). It has submitted the merger - called Sender ID - to the internet Engineering Task Force (IETF) for approval.

A statement from Microsoft said: "Sender ID will verify that each email message originates from the internet domain it claims to come from based on the sender's server IP address."

"Eliminating domain spoofing will help legitimate senders protect their domain names and reputations, and help recipients more effectively identify and filter junk email."

Caller ID and SPF were both created to try to prevent domain spoofing. The spoofing takes advantage of a flaw in the Simple Mail Transfer Protocol (STMP) that makes it possible to label an email with a fake address. It's used by spammers to disguise the origin of their junk mail, and fraudsters to pretend their emails come from genuine financial institutions.

With Caller ID, announced in February 2004, Microsoft proposed that the IP addresses of outgoing mail servers should be added in XML to the domain name server (DNS). This would allow the recipients of email to see whether the IP addresses of the message they received tallies with the domain that it purports to have been sent from. If it doesn't, the mail could be treated as suspicious and dropped.

SPF, which preceded Microsoft's own efforts, took another approach, putting authentication at the start of the process of sending and receiving email -- the simple message transport protocol (SMTP). Like Caller ID, SPF also used the DNS to provide information about servers that send mail on behalf of a particular domain. With SPF, when a mail server gets an incoming message, it looks up the sender's domain to get the SPF record, and checks whether the sending server is in the permitted list. If not, the mail is rejected as a forgery.

Graeme Wearden writes for ZDNet UK