Microsoft Releases 'Caller-ID For Email' Specs

gfilion writes "Microsoft has released a draft specification for Caller-ID for email, 'to address the widespread problem of domain spoofing' - the concept is similar to SPF, but is using XML. There's already an Caller-ID to SPF converter in the works. A few weeks ago, Microsoft discussed compatibility between the projects with Meng Weng Wong (SPF's project leader), but most SPF users are against using XML, so nothing has come of it thus far." We recently covered a brief article mentioning Microsoft's anti-spam work, though this is a clearer indication of their intentions. Update: 02/26 21:36 GMT by T : NewsForge is carrying a brief article with FSF counsel Eben Moglen's take on the draft; Moglen says it is "encumbered with unclear and unnecessary patent license claims."

XML... in its place.

[SoTuA]

While I acknowledge that XML is great for some things, why is it that it gets used for almost everything nowadays? Damn buzzword-dominated market...

Ok, I'll be quiet now :)

Re:XML... in its place.

[trix_e]

because its become what it was intended to become. A 'data format' that everyone (thereabouts) understands. More than just everyone, but most everything understands how to parse it (everything from a 'modern day systems' standpoint, not a 'my toaster' standpoint... though wait a few years...).

While I agree that there are no absolutes, why not go with the path of least resistance when it doesn't really matter? XML has become the path of least resistance *at a macro level*. it's universally accepted these days, so unless there's a compelling reason *not* to use it... use it.

The reason I say at a macro level, is that yes, on an individual project using XML may be a bit harder -- though most development platforms these days have trivialized the difficulty of implementation.

Re:XML... in its place.

[trix_e]

that's why I used 'data format' in quotes...

agreed, if you want to be picky it's not a format by itself, but XML as a framework for structuring data (to include DTDs, XSLTs, etc.).

The term 'XML' is used generically these days as reference to a particular way of structuring data as contrasted to other ways.

Re:XML... in its place.

[AndroidCat]

20 years ago, everyone used yacc/lex when they needed to parse something. They were handy tools and they were there. Now people need to parse a whole lot of stuff and the tools for XML are there.

XML is handy, and it's a lovely big hammer. Ooo, look at all the nails!

Re:XML... in its place.

[pomakis]

Sorry, I don't care what tools are available, parsing a comma delimited file when the records are reasonably simple in structure will always be easier. XML is really only usefull when the data resists structure.

I have to slightly disagree with you there. Even if you start with a simple structure that can be handled okay by a simple comma-delimited set of values, things tend to evolve. What will happen to your encoding when a decision is made to add a bit more structure to the data in the future, such as allowing some parameterization on the items, or allowing tuples of items, etc.? More importantly, what will happen to the existing codebase that has been hardcoded to parse the simple comma-separated list? Using XML for even simple structures allows for more structure to be added in the future while allowing existing applications to read through it. That's been my experience, anyways.

Imagine when Hotmail gets this

[ObviousGuy]

Microsoft is one big player in the email world through their Hotmail service. They probably serve more spam to more places than any other single mail service. As such it makes sense that they would want to be at the forefront of spam-elimination technologies. They ought to be applauded for their initiative here, as well as their cooperation with SPF and Sendmail.

However, it disconcerts me that they are also applying for a patent in this area instead of engaging the community through a consortium-like committee that could share the technology across the board unencumbered by licensing fees. The specter of Hotmail becoming a proprietary mail system requiring foreign mail servers to run Microsoft-licensed "Caller-ID" to interact with Hotmail is a very legitimate concern.

Re:Imagine when Hotmail gets this

[PhotoBoy]

This is a bloody pain in the neck. SPF was just starting to look like it might be adopted on a large scale basis an MS have to stick their proprietary oar in.

I don't want to have to make my mail servers compliant with this AND SPF, I also do not like the idea of sending XML packets to/from Hotmail (and other MS mail system) for every email allegedly from them.

Also I'd rather not use an MS solution since there are always security holes. How long till the spammers find a way around this and start sending out spam via a flaw in Hotmail?

Re:two things

[geminidomino]

True, I see how this may help stop some spam, but it also means (if I understood the article correctly) that everyone can find out where I mail from... and in some instances that could be a problem too.

It's the classic claim that "If you're not doing anything wrong, you've got nothing to hide" anti-privacy excuse.

Zombie Boxen hastens Trusted Computing?

[G4from128k]

Caller-ID for email will help prevent spoofing, but will only increase spammers use of zombies. I wonder if increased exploitation of Microsoft OS weaknesses (to create spammer platforms) will have a long-term detrimental effect on Windows or whether it will hasten adoption of Trusted Computing? I wonder if Microsoft wants ISPs to become so sick of zombie boxen that the ISPs will prohibit all but a few chosen OS options (read the lastest version of Windows) for connection to their networks.

For a very well-entrenched provider, making everyone sick of you old product is a good way to force them to buy your new product.

Re:Zombie Boxen hastens Trusted Computing?

[tiger99]

Sadly you are right. Almost all the trouble I get now is from zombies (not sure if I mean the PCs or their owners!). Of course most of it happens because the stupid morons are continuing to use Outlook, which is a singularly pathetic program apart from its major security holes.

As an aside, I set up a firewall, and the equivalent of Internet Connection Sharing (i.e. forwarding) on a Linux box the other day, IIRC it needed 4 lines of commands to iptables in one of the startup scripts, which being lazy I got out of a book. I went to grc.com for a test, and it was every bit as good as Zone Alarm, a product I use successfully on the inferior OS.

The point is that in an open OS, useful and essential things tend to be fully documented, visible, and easy to set up. I fear that in this case, Sir Bill's anti-spamming system will be obfuscated, needlessly difficult to configure, and will at the slightest provocation automatically default to doing it Sir Bill's way, even if that is not what you want. There is a precedent in every previous M$ application, the world's most unpopular Word processor being the prime example.....

It is of course another con trick to move us towards Longhorn, which on its own would get no acceptance whatsoever, because its drastically cut-down API set will break compatability with virtually everything. of course, if the Convicted Monopolist was competent, they would have had a much smaller, more manageable and properly documented API set in the first place, and we would not have nearly as many bugs, crashes or security holes.

It seems to me that someone needs start the RFC process right now, describing a properly working, non-proprietary system. Otherwise, the Convicted Monopolist will once again do as described in the Halloween Documents.....

thanks

[flaez]

if it will mean I have to pay fees to Microsoft to get my domain signed, I'd rather continue filtering out spoofed-bounces, thank you.

Interesting how instead of supporting a perfectly sound project that has been going for a year, everybody seems to have to come up with their own little *patented* scheme.

Re:thanks

[Masem]

For a lot of home residental (DSL) users, it's very hard to get the upstream ISP to implement reverse mapping on the DNS, since the ISP is the one in control of the IP number, not the end user. The end user can point domain names all they want to the IP, but reverse mapping will always come up with the ISP's naming scheme. This is a nice idea, but in practice, it's not going to work.

Mine you, you're talking about your block of residental DSL users that run their own mail server (commercial DSL users generally do get the reversing mapping through their ISP); they will most likely not be clients and may be a larger source of spam than other sources.

If Microsoft cared about SPAM...

[Knertified]

They would have allowed a user to disable a the javascript popup function in the browser. Instead we have to rely on bandaids like googles toolbar to block popups from websites.

Danger! Read the fine print!

[Eponymous+Cowboy]

Look what happens if you add support for "Caller ID for Email" to your software:

Microsoft and its Affiliates hereby grant you ("Licensee") a ... license ... to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations, provided, Licensee ... grants Microsoft and all other Specification Licensees, a reciprocal fully paid, royalty-free, non-exclusive, worldwide, nontransferable, non-sublicenseable, license under Necessary Claims of Licensee to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations.

(From Microsoft's license.)

So by building support for "Caller ID for Email" into your software, you suddenly give Microsoft an unlimited license to use and sell it. And, in fact, not only Microsoft, but everyone else who writes software that supports "Caller ID for Email."

There is a word for this: Insane.

No thanks. I'll stick with SPF--especially since the two are essentially identical, just a slightly different parsing format.

Re:Why not?

[kalidasa]

They already have systems that do this [challenge-response], you know. This doesn't require any changes to standards; but it does require that the sending user be clueful - and given how quickly Netsky.C spread, I think that's a hopeless cause.

In the US at least, caller-ID is not a challenge response system, it simply displays the originating phone number - and ONLY if you haven't requested that your number be hidden, and only if you live in an area that supports it.

So, what lessons can we carry from this fact to MS's suggestion of "caller ID" for email? 1. We'll still get emails that are unauthenticated, because it will take a long time for folks to upgrade MTAs to manage this - after all, there are still open relays - and 2. someone will figure out some way to sell a solution to get past the authentication system so blocked spam senders can still get through (can you say "sales@viagra.hotmail.com"???).

Why we shouldn't use XML here...

[doofusclam]

... because the performance is crap. This is true on my pc (with any parser you care to name - i've tried it) so what it'd be like on a mail server handling x thousand messages a minute I have no idea.

XML is great, but only when the underlying data is sufficiently variable within a pre-defined schema and where throughput is not an issue. It's not necessary here.

sean.

Re:Why we shouldn't use XML here...

[viktor]

Oh, pleeeeeze!

Is there no end to the Microsoft-bashing in this forum?

If Microsoft had done this using a home-made format, then everybody would be screaming death to them for inventing their own standard "just like they did with Word documents".

And when they do use a public format like XML? Then we all scream death to them because XML is so bloated etc. etc.

It's time to grow up.

PS. I will NOT make the mandatory "I really don't like them, but in this case..." argument, which seems to be the only standardized way of saying anything positive at all about Microsoft here.

Pure FUD

[leerpm]

No, it is not insane. It is called cross-licensing. They are saying if you want to use this technology, then you agree that you are not going to come back and sue Microsoft (or any other licensee too!) for patent violations relating to this implementation. This is a good thing!! They are protecting themselves.

So by building support for "Caller ID for Email" into your software, you suddenly give Microsoft an unlimited license to use and sell it. And, in fact, not only Microsoft, but everyone else who writes software that supports "Caller ID for Email."

Absolutely not. There is something called copyright law. Microsoft or any other company cannot just go and resell your software on their own terms. The license just means you cannot sue them for patent violations when they choose to build software that implements technology similar to yours in this area (provided you had obtained additional patents relating to this 'Caller-ID').

Re:MSXML experience

[Cereal+Box]

just to escape-out special characters requires instantiating a new "entity" element in the middle of the text string element.

Maybe that's the "right" way to do it, but I highly doubt that you cannot set the value of a text node to a string that contains an entity (i.e., "this is an ampersand: &"). That would be the more direct approach.

And I still haven't figured out how to make the thing give me a CRLF at the end of each element. No, XML doesn't require the whitespace, but it would have sure made it easier for my clients to read the file!

First, you could have them read the file with Wordpad or just about any text editor other than notepad. And BTW, why are you complaining about MSXML not generating CRLF? You DO realize CRLF is a Microsoft-ism and not "standard", right? So you're complaining about MSXML generating text files in a manner more in line with the way every other system does it. Baffling...

But the worst part is that I *succeeded* in using MSXML. Now, if I wanted to go back to just writing a text file (which I do!), I can't -- my code is tangled up in the objects to the point that it would take a complete rewrite.

I've got news for you -- every decent XML parser library requires you to manipulate the XML tree in an object-oriented manner! It's called the Document Object Model for a reason -- you're not manipulating raw text! You can go ahead and do that if you like, and we'll see how much "easier" that is for any project requiring more than the most basic use of XML.

Mods, get a clue. The way the MSXML library handles XML is not unique in some "Microsoft always makes crap" kind of way. Every decent XML library handles XML the same way.

Do you Microsoft

[tobybuk]

I say ignore them.

Microsoft has never been interested in helping the community but rather wants only to further its own dominance of the market. When did they start being philanthropic?

What's to say in a few years time when everyone is relying on this that they don't pull some stunt and start charging people? Do you know enough about the law to say they couldn't?

Anyway their record on enhancing email is not good. I knew the first time I saw the ability to embed HTML and * SCRIPTS * into email that the virus writers would have a field day. I mean, what complete arseholes to allow code to be executed when someone just *reads* and email. It beggars belief!

If they are serious they could assign their patents over to the FSF and then we'll consider it. I bet they won't.

Re:two things

[Hard_Code]

So don't comply and risk getting your mail dropped. You can have your privacy, but you can't FORCE others to read mail from suspicious and unknown sources. Your call. There are plenty of non-email alternatives to be anonymous. Post in a random newsgroup from a web cafe. Or use a secure IM protocol, or secure IRC.

What about 'localhost' servers with dynamic IPs?

[davids-world.com]

I use a locally running postfix SMTP server on my laptop to send pretty much all of my email. Microsoft's proposal doesn't address this: of course, my laptop gets various IPs. I cannot use the SMTP server provided by my organization, as they firewalled it... With the MS proposal, I will have to go for VPN or talk to my sysadmins about smtp-auth -- and lose my independence...

Has caller ID worked on phones?

[PhiltheeG]

Like caller ID worked for the phone system. About 90 percent of my calls were either "Unknown" or "Private Line", and some action was still requried on my part to respond to the ringing phone.

I don't have facts readily available to back this up but I'll assume somebody made money off caller-ID, as will Microsoft will attempt to do with their new "standards".

Re:two things

[walt-sjc]

It doesn't even take a free account.

The major problem with ALL these systems is critical mass.

Corporations are not going to be blocking mail based on a lack of SPF, Caller-ID, or anything. Too many companies are going to be slow to implement, or apathetic about it. No larger business is going to block mail and potentially lose contact with potential customers, or existing clients.

90% of the current crop of spam would stop if all ISP's would block outbound port 25 from dynamic IP clients by default (unblock if the client agrees to keep their system patched and secure and face penalties if found spamming.)

For the most part, open relays have been closed due to RBL like activity, as enough sites use RBL's to make life very difficult for admins that leave their systems open. So spammers have moved to dynamic's, which there is a virtually unlimited supply due to the piss poor security of Windows and clueless users. RBL's are helping with that too, but it's hard to keep up. Again, many corporations won't use RBL's due to problems noted above.

While I have not read the detail on MS's solution, SPF has the "roving user", "mail forwading" problem that there is no solution for that has been discussed to death. Anyone know if MS's solution has the same problem?

Re:two things

[Eivind]

Well, the nice thing about SPF is that it works, and has benefits even if not everyone uses it.

For example, it allows me to tell SpamAssassin that IF a domain has SPF-records, and the email doesn't come from one of the ips that send mail for that domain, then in the spam-bucket it goes.

Thus, for example, all the spam that claims to be from hotmail is gone.

Secondly, I can, by publishing spf-records on my own domain eliminate the problem of spam bouncing back to me because it *claims* to be sent from me.

Third, once a sufficient part of the people I communicate with email from domains that *have* spf-records, I'm free to, for example, implement a challenge-response system for email coming from other domains. Yes, this will mean people using those domains gets some challenges based on spam that only *claimed* to be from their domain, but actually isn't. That migth serve as a good incentive to get them to also publish spf-records. It's not as if it's a huge deal to stick 2-3 extra records in your dns-info.

Re:How about text?

[dangermouse]

I wish you would learn something about existing mail standards before you say something so stupid. Email is primarily a simple text format, my HTML/word document/virus packed mailbox not withstanding. I am not surprised M$ would want to further polute the standards but why would you?

I wish you would learn something about existing mail standards-- like their colossal drawbacks. SMTP is entirely "a simple text format", and that's one of its biggest problems. We have all kinds of lame hacks for mailing binaries around and handling attachments. Nearly everyone who writes a mail client writes a mail parser and a composer. Not just a formatter, or presentation-level stuff-- basic goddamn parsing and composition.

You don't seriously believe that any format that is newline-dot-newline-delimited is a good one, do you? SMTP is a relic, all the way down to the message format. I hope to god someone eventually succeeds in dislodging it.

Email standard proposal

[amightywind]

Colossal drawbacks to text? LOL! It is a feature. You could say the same for most internet services. There are no standard client API's for FTP or Telnet or most other services either. Has that stopped their widespread adoption? Has it made them any less useful? No.

I am not concerned at all of people like you who make the internet groan under the weight of 20MB excel files wrapped in proprietary XML formats. MIME has done enough damage. Maybe the Standard should be a Microsoft (C, TM) paperclip icon that does a dance while he speaks your message in one of a hundred supported languages.

Re:uh, yeah

[wfberg]

You said it! I'm sure we'll all regret using a standard format for hierarchically arranged tuples of name-value pairs. I only have to use this type of data in maybe 99% of my projects.

Nothing wrong with agreeing. Agreeing on a standard that's cruddy will bite you in the ass. There are many, many standards, and most of them are cruddy.

And "name-value pairs"? How do attributes figure into that? Well.. Cruddily, that's how!
Perhaps you're thinking of RDF (which has issues of it's own.. A lot..).

And the output files sure are difficult to understand if you've never seen any markup language before and don't have a file viewer that understands ASCII text.

XML allows for a lot more than ASCII.. Which is the reason a fully compliant XML parser is enormously bloated.

Instead why doesn't everyone just make up their own format that is uniquely tailored for the individual application? You can leave off the attribute names since the recipient of the data should just know what they are anyway. And you can use a binary encoding to really add efficiency to the process. And developers love the challenge of trying to figure out new data formats on top of interpreting the data itself.

Slippery slope? Or straw man? The latter. I never said no standard should be agreed upon. I would have preferred if it had not been something as complex and cruddy as XML. I even specifically gave S-expressions as an example that would be much simpler; you might note how that's not a binary format.

One day, ASN.1 was what XML is now (well, it still holds telecommunications and cryptography in its stranglehold). Do you propose we use ASN.1 because it's so well accepted and standardized and there are so many tools? Or do you recoil in shock at how bloated the featureset is, how convoluted the encoding, how shockingly incomprehensible the parsing process? XML is simpler than ASN.1, and XML is better than ASN.1 (except that ASN.1 has a cute way of compiling parsers from its syntax/schema language, which is a nice feature); but that does not mean XML is the best general purpose meta-syntactic language imaginable. It's not.