Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Releases 'Caller-ID For Email' Specs

Posted by simoniker on from the avon-calling dept.

gfilion writes "Microsoft has released a draft specification for Caller-ID for email, 'to address the widespread problem of domain spoofing' - the concept is similar to SPF, but is using XML. There's already an Caller-ID to SPF converter in the works. A few weeks ago, Microsoft discussed compatibility between the projects with Meng Weng Wong (SPF's project leader), but most SPF users are against using XML, so nothing has come of it thus far." We recently covered a brief article mentioning Microsoft's anti-spam work, though this is a clearer indication of their intentions. Update: 02/26 21:36 GMT by T : NewsForge is carrying a brief article with FSF counsel Eben Moglen's take on the draft; Moglen says it is "encumbered with unclear and unnecessary patent license claims."

12 of 430 comments (clear)

  1. XML... in its place. by SoTuA · · Score: 5, Insightful

    While I acknowledge that XML is great for some things, why is it that it gets used for almost everything nowadays? Damn buzzword-dominated market...

    Ok, I'll be quiet now :)

    1. Re:XML... in its place. by trix_e · · Score: 5, Insightful

      because its become what it was intended to become. A 'data format' that everyone (thereabouts) understands. More than just everyone, but most everything understands how to parse it (everything from a 'modern day systems' standpoint, not a 'my toaster' standpoint... though wait a few years...).

      While I agree that there are no absolutes, why not go with the path of least resistance when it doesn't really matter? XML has become the path of least resistance *at a macro level*. it's universally accepted these days, so unless there's a compelling reason *not* to use it... use it.

      The reason I say at a macro level, is that yes, on an individual project using XML may be a bit harder -- though most development platforms these days have trivialized the difficulty of implementation.

      --
      No man is an island, but Gary is a city in Indiana.
    2. Re:XML... in its place. by trix_e · · Score: 5, Insightful

      that's why I used 'data format' in quotes...

      agreed, if you want to be picky it's not a format by itself, but XML as a framework for structuring data (to include DTDs, XSLTs, etc.).

      The term 'XML' is used generically these days as reference to a particular way of structuring data as contrasted to other ways.

      --
      No man is an island, but Gary is a city in Indiana.
  2. Imagine when Hotmail gets this by ObviousGuy · · Score: 5, Insightful

    Microsoft is one big player in the email world through their Hotmail service. They probably serve more spam to more places than any other single mail service. As such it makes sense that they would want to be at the forefront of spam-elimination technologies. They ought to be applauded for their initiative here, as well as their cooperation with SPF and Sendmail.

    However, it disconcerts me that they are also applying for a patent in this area instead of engaging the community through a consortium-like committee that could share the technology across the board unencumbered by licensing fees. The specter of Hotmail becoming a proprietary mail system requiring foreign mail servers to run Microsoft-licensed "Caller-ID" to interact with Hotmail is a very legitimate concern.

    --
    I have been pwned because my /. password was too easy to guess.
  3. Re:two things by geminidomino · · Score: 5, Insightful
    True, I see how this may help stop some spam, but it also means (if I understood the article correctly) that everyone can find out where I mail from... and in some instances that could be a problem too.
    It's the classic claim that "If you're not doing anything wrong, you've got nothing to hide" anti-privacy excuse.
  4. Zombie Boxen hastens Trusted Computing? by G4from128k · · Score: 5, Insightful

    Caller-ID for email will help prevent spoofing, but will only increase spammers use of zombies. I wonder if increased exploitation of Microsoft OS weaknesses (to create spammer platforms) will have a long-term detrimental effect on Windows or whether it will hasten adoption of Trusted Computing? I wonder if Microsoft wants ISPs to become so sick of zombie boxen that the ISPs will prohibit all but a few chosen OS options (read the lastest version of Windows) for connection to their networks.

    For a very well-entrenched provider, making everyone sick of you old product is a good way to force them to buy your new product.

    --
    Two wrongs don't make a right, but three lefts do.
  5. thanks by flaez · · Score: 5, Insightful

    if it will mean I have to pay fees to Microsoft to get my domain signed, I'd rather continue filtering out spoofed-bounces, thank you.

    Interesting how instead of supporting a perfectly sound project that has been going for a year, everybody seems to have to come up with their own little *patented* scheme.

  6. Danger! Read the fine print! by Eponymous+Cowboy · · Score: 5, Insightful
    Look what happens if you add support for "Caller ID for Email" to your software:
    Microsoft and its Affiliates hereby grant you ("Licensee") a ... license ... to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations, provided, Licensee ... grants Microsoft and all other Specification Licensees, a reciprocal fully paid, royalty-free, non-exclusive, worldwide, nontransferable, non-sublicenseable, license under Necessary Claims of Licensee to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations.

    (From Microsoft's license.)

    So by building support for "Caller ID for Email" into your software, you suddenly give Microsoft an unlimited license to use and sell it. And, in fact, not only Microsoft, but everyone else who writes software that supports "Caller ID for Email."

    There is a word for this: Insane.

    No thanks. I'll stick with SPF--especially since the two are essentially identical, just a slightly different parsing format.

    --
    It's hard for thee to kick against the pricks.
  7. Why we shouldn't use XML here... by doofusclam · · Score: 5, Insightful

    ... because the performance is crap. This is true on my pc (with any parser you care to name - i've tried it) so what it'd be like on a mail server handling x thousand messages a minute I have no idea.

    XML is great, but only when the underlying data is sufficiently variable within a pre-defined schema and where throughput is not an issue. It's not necessary here.

    sean.

  8. Re:two things by Hard_Code · · Score: 5, Insightful

    So don't comply and risk getting your mail dropped. You can have your privacy, but you can't FORCE others to read mail from suspicious and unknown sources. Your call. There are plenty of non-email alternatives to be anonymous. Post in a random newsgroup from a web cafe. Or use a secure IM protocol, or secure IRC.

    --

    It's 10 PM. Do you know if you're un-American?
  9. Re:two things by walt-sjc · · Score: 5, Insightful

    It doesn't even take a free account.

    The major problem with ALL these systems is critical mass.

    Corporations are not going to be blocking mail based on a lack of SPF, Caller-ID, or anything. Too many companies are going to be slow to implement, or apathetic about it. No larger business is going to block mail and potentially lose contact with potential customers, or existing clients.

    90% of the current crop of spam would stop if all ISP's would block outbound port 25 from dynamic IP clients by default (unblock if the client agrees to keep their system patched and secure and face penalties if found spamming.)

    For the most part, open relays have been closed due to RBL like activity, as enough sites use RBL's to make life very difficult for admins that leave their systems open. So spammers have moved to dynamic's, which there is a virtually unlimited supply due to the piss poor security of Windows and clueless users. RBL's are helping with that too, but it's hard to keep up. Again, many corporations won't use RBL's due to problems noted above.

    While I have not read the detail on MS's solution, SPF has the "roving user", "mail forwading" problem that there is no solution for that has been discussed to death. Anyone know if MS's solution has the same problem?

  10. Re:two things by Eivind · · Score: 5, Insightful
    Well, the nice thing about SPF is that it works, and has benefits even if not everyone uses it.

    For example, it allows me to tell SpamAssassin that IF a domain has SPF-records, and the email doesn't come from one of the ips that send mail for that domain, then in the spam-bucket it goes.

    Thus, for example, all the spam that claims to be from hotmail is gone.

    Secondly, I can, by publishing spf-records on my own domain eliminate the problem of spam bouncing back to me because it *claims* to be sent from me.

    Third, once a sufficient part of the people I communicate with email from domains that *have* spf-records, I'm free to, for example, implement a challenge-response system for email coming from other domains. Yes, this will mean people using those domains gets some challenges based on spam that only *claimed* to be from their domain, but actually isn't. That migth serve as a good incentive to get them to also publish spf-records. It's not as if it's a huge deal to stick 2-3 extra records in your dns-info.