Slashdot Mirror
Microsoft Releases 'Caller-ID For Email' Specs
gfilion writes "Microsoft has released a draft specification for Caller-ID for email, 'to address the widespread problem of domain spoofing' - the concept is similar to SPF, but is using XML. There's already an Caller-ID to SPF converter in the works. A few weeks ago, Microsoft discussed compatibility between the projects with Meng Weng Wong (SPF's project leader), but most SPF users are against using XML, so nothing has come of it thus far." We recently covered a brief article mentioning Microsoft's anti-spam work, though this is a clearer indication of their intentions. Update: 02/26 21:36 GMT by T : NewsForge is carrying a brief article with FSF counsel Eben Moglen's take on the draft; Moglen says it is "encumbered with unclear and unnecessary patent license claims."
Whats to stop a spammer from signing up for a free email account with a false name, blast out a few thousand messages, drop the account (it'll be closed anyway by abuse), wipe hands and repeat?
I don't know about all free email services, but Hotmail does not allow this anymore. Accounts are limited in how many messages per day they can send out. This is why most spammers are still relying on open relays and zombie machines.
RTFA - Microsoft proposes a standard which any vendor can implement and provides a license for its use on the website describing the process. There sis nothing client specific about the implementation.
Parent is +5 interesting? Could anyone who moderated it up provide a reason other than they're bashing MS, that's +1 baby!
However, it disconcerts me that they are also applying for a patent in this area instead of engaging the community through a consortium-like committee that could share the technology across the board unencumbered by licensing fees.
It is called defensive patenting. There is nothing wrong with applying for a patent on this. We do not want another Eolas, where some other company that produces zero innovation gets a patent on it instead, and puts a strangehold on the industry. While not perfect, Microsoft has been pretty good about not going after other companies with frivolous lawsuits over patenting issues. Since the USPTO now seems to accept pretty much anything, companies have to apply for patents on whatever possible, so that they have something to use to defend themselves in the future.
Sort of. You don't REALLY need a DTD - you only need one if you are validating the XML. XML can still be used as a generic ad-hoc hierarchical data format... of course you'd only want to do so because by now XML parsers are pretty ubiquitous and it makes it as good a choice as P-lists, or any other ad-hoc format.
It's 10 PM. Do you know if you're un-American?
It shouldn't have taken so long, but they claim that it's coming.
I looked into SPF, briefly, and it doesn't seem to solve a problem I have...
I have various (virtual) users (~20-25) on my domains.
These users use both my SMTP server (when using squirrel mail, or (ssh-)tunnelling to the SMTP server, itself), as well as their local ISP's mail server (sympatico, videotron, etc)... My SMTP server doesn't relay from anywhere except localhost.
So, in order for SPF to work, I need to allow email from my domain, and these ISPs.
The ISPs are large, and when an email virus goes around, mail is undoubtedly sent "From" me (actually from/by outlook users with me in their address books), through these ISPs' SMTP servers, making SPF useless.
Am I just missing something?
S
True, I see how this may help stop some spam, but it also means (if I understood the article correctly) that everyone can find out where I mail from... and in some instances that could be a problem too.
I don't think so. What people can find out is what IP addresses are valid when sending email from a domain. Nothing more. All they are doing is a lookup on the connecting IP against the FROM: domain. Hell, that information is in your headers anyway. (Well unless you're using a remailer)
Actually, it doesn't say that. The important phrase is "Necessary Claims" and the word "reciprocal" gives a good hint too. This is just a defensive patent licence. It says that Microsoft won't sue you for breach of patent for implimenting the standard or dealing in implimentations and you promise the same to Microsoft and everyone else.
It is NOT a copyright licence to Microsoft to use and sell YOUR implimentation. It only affects you if you hold patents which Microsoft or someone else infringes by implementing this standard. It effectively sets implimentations of this standard in a "patent free zone".
One of the most effective ways I've ever seen to filter out mail is to just simply follow the RFC. When you get mail from a domain name, look up the ip address, when you get the ip address, reverse lookup the name. If forward and backward don't match, reject the mail.
Unfortunately, this rarely is implemented. Why? People can't seem to figure out how to set up their DNS zones. So whenever I've implemented it, we always get calls from people saying "my mail is getting bounced, error code 0-B". And we go and look, and it's some client trying to send mail from their in-house mail server legitimately, but they don't have it configured properly in DNS.
The volume that we get of people complaining about it is high enough that we can't leave it turned on, and I'm unwilling to do tech support on someone else's name server. So, even though it blocks about 1/3 of all the spam we get, it stays off.
~Will
sig?
Shouldn't widespread adoption of PGP be the best solution? For me any implementation of PGP sig IS a Caller ID, only it is not XML, but it could easily be wrapped.
... but is should be easy to hook it up anything.
IMHO MS is reinventing a wheel, or trying to own it.
So, if everybody should become aware of the sense of a PGP sig, maybe with a service like "pgp://pgpserver.domain.tld" the problem is on its way to its solution... It shouldn't be part of SMTP sendmail or
Maybe the idea that mail could potentially be completely private (read:encrypted) is not that appealing to everyone.
So, tell them you read it here first. (Or point me to a similar idea.)
--------
* Sigh *
Reread it.
If you implement the patented technology, you must allow MS to use and distribute YOUR IMLPEMENTATION if they want to.
I.e. Give them your code.
Er... in that respect, Microsoft are following the standards, because that's how it's done with the W3C's Document Object Model. If you have a problem with it, you have a problem with the DOM, not with Microsoft.
Again, that's your fault, not Microsofts. Either live with it, or split out the XML-generation code into a separate module. The world and his dog has long since learned to separate out logic code and database-access code so that it's possible to change DBMS by just rewriting the database-access module rather than the entire application - exactly the same thing applies with XML.