Slashdot Mirror


Microsoft Releases 'Caller-ID For Email' Specs

gfilion writes "Microsoft has released a draft specification for Caller-ID for email, 'to address the widespread problem of domain spoofing' - the concept is similar to SPF, but is using XML. There's already a Caller-ID to SPF converter in the works. A few weeks ago, Microsoft discussed compatibility between the projects with Meng Weng Wong (SPF's project leader), but most SPF users are against using XML, so nothing has come of it thus far." We recently covered a brief article mentioning Microsoft's anti-spam work, though this is a clearer indication of their intentions. Update: 02/26 21:36 GMT by T : NewsForge is carrying a brief article with FSF counsel Eben Moglen's take on the draft; Moglen says it is "encumbered with unclear and unnecessary patent license claims."

28 of 430 comments

  1. XML... in its place. by SoTuA · · Score: 5, Insightful

    While I acknowledge that XML is great for some things, why is it that it gets used for almost everything nowadays? Damn buzzword-dominated market...

    Ok, I'll be quiet now :)

    1. Re:XML... in its place. by trix_e · · Score: 5, Insightful

      because it's become what it was intended to become. A 'data format' that everyone (thereabouts) understands. More than just everyone, but most everything understands how to parse it (everything from a 'modern day systems' standpoint, not a 'my toaster' standpoint... though wait a few years...).

      While I agree that there are no absolutes, why not go with the path of least resistance when it doesn't really matter? XML has become the path of least resistance *at a macro level*. it's universally accepted these days, so unless there's a compelling reason *not* to use it... use it.

      The reason I say at a macro level, is that yes, on an individual project using XML may be a bit harder -- though most development platforms these days have trivialized the difficulty of implementation.

      --
      No man is an island, but Gary is a city in Indiana.
    2. Re:XML... in its place. by trix_e · · Score: 5, Insightful

      that's why I used 'data format' in quotes...

      agreed, if you want to be picky it's not a format by itself, but XML as a framework for structuring data (to include DTDs, XSLTs, etc.).

      The term 'XML' is used generically these days as reference to a particular way of structuring data as contrasted to other ways.

      --
      No man is an island, but Gary is a city in Indiana.
    3. Re:XML... in its place. by Hard_Code · · Score: 5, Informative

      Sort of. You don't REALLY need a DTD - you only need one if you are validating the XML. XML can still be used as a generic ad-hoc hierarchical data format... of course you'd only want to do so because by now XML parsers are pretty ubiquitous and it makes it as good a choice as P-lists, or any other ad-hoc format.

      --

      It's 10 PM. Do you know if you're un-American?
    4. Re:XML... in its place. by wfberg · · Score: 5, Interesting

      Sort of. You don't REALLY need a DTD - you only need one if you are validating the XML. XML can still be used as a generic ad-hoc hierarchical data format... of course you'd only want to do so because by now XML parsers are pretty ubiquitous and it makes it as good a choice as P-lists, or any other ad-hoc format.

      Assuming you don't have a DTD, you don't have a specification of what's in the files syntactically, let alone semantically. Maybe you can reverse engineer most of this (the tag "name" is likely to contain a name, etc.) but there will always be freakish exceptions and ambiguities that even DTDs and XML-Schemas don't address.

      And the overhead of using XML is enormous.. All those possible encodings, character sets, namespaces, etc. S-expressions are really much, much nicer if you just want to parse without a formal syntax specification. And they've been around "forever".

      Most irksome though, are so-called "XML databases".. Argh! I suppose the people who think that's a good idea also love "CSV databases" or "XLS databases"..

      --
      SCO employee? Check out the bounty
  2. two things by WegianWarrior · · Score: 5, Interesting

    What's to stop a spammer from signing up for a free email account with a false name, blast out a few thousand messages, drop the account (it'll be closed anyway by abuse), wipe hands and repeat?

    True, I see how this may help stop some spam, but it also means (if I understood the article correctly) that everyone can find out where I mail from... and in some instances that could be a problem too.

    --
    Everything in the world is controlled by a small, evil group to which, unfortunately, no one you know belongs.
    1. Re:two things by geminidomino · · Score: 5, Insightful
      True, I see how this may help stop some spam, but it also means (if I understood the article correctly) that everyone can find out where I mail from... and in some instances that could be a problem too.
      It's the classic claim that "If you're not doing anything wrong, you've got nothing to hide" anti-privacy excuse.
    2. Re:two things by blowdart · · Score: 5, Informative

      True, I see how this may help stop some spam, but it also means (if I understood the article correctly) that everyone can find out where I mail from... and in some instances that could be a problem too.

      I don't think so. What people can find out is what IP addresses are valid when sending email from a domain. Nothing more. All they are doing is a lookup on the connecting IP against the FROM: domain. Hell, that information is in your headers anyway. (Well unless you're using a remailer)

    3. Re:two things by Hard_Code · · Score: 5, Insightful

      So don't comply and risk getting your mail dropped. You can have your privacy, but you can't FORCE others to read mail from suspicious and unknown sources. Your call. There are plenty of non-email alternatives to be anonymous. Post in a random newsgroup from a web cafe. Or use a secure IM protocol, or secure IRC.

      --

      It's 10 PM. Do you know if you're un-American?
    4. Re:two things by walt-sjc · · Score: 5, Insightful

      It doesn't even take a free account.

      The major problem with ALL these systems is critical mass.

      Corporations are not going to be blocking mail based on a lack of SPF, Caller-ID, or anything. Too many companies are going to be slow to implement, or apathetic about it. No larger business is going to block mail and potentially lose contact with potential customers, or existing clients.

      90% of the current crop of spam would stop if all ISPs would block outbound port 25 from dynamic IP clients by default (unblock if the client agrees to keep their system patched and secure and face penalties if found spamming.)

      For the most part, open relays have been closed due to RBL-like activity, as enough sites use RBLs to make life very difficult for admins that leave their systems open. So spammers have moved to dynamics, which there is a virtually unlimited supply due to the piss poor security of Windows and clueless users. RBLs are helping with that too, but it's hard to keep up. Again, many corporations won't use RBLs due to problems noted above.

      While I have not read the detail on MS's solution, SPF has the "roving user", "mail forwarding" problem that there is no solution for that has been discussed to death. Anyone know if MS's solution has the same problem?

    5. Re:two things by Eivind · · Score: 5, Insightful
      Well, the nice thing about SPF is that it works, and has benefits even if not everyone uses it.

      For example, it allows me to tell SpamAssassin that IF a domain has SPF-records, and the email doesn't come from one of the ips that send mail for that domain, then in the spam-bucket it goes.

      Thus, for example, all the spam that claims to be from hotmail is gone.

      Secondly, I can, by publishing spf-records on my own domain eliminate the problem of spam bouncing back to me because it *claims* to be sent from me.

      Third, once a sufficient part of the people I communicate with email from domains that *have* spf-records, I'm free to, for example, implement a challenge-response system for email coming from other domains. Yes, this will mean people using those domains get some challenges based on spam that only *claimed* to be from their domain, but actually isn't. That might serve as a good incentive to get them to also publish spf-records. It's not as if it's a huge deal to stick 2-3 extra records in your dns-info.

  3. Imagine when Hotmail gets this by ObviousGuy · · Score: 5, Insightful

    Microsoft is one big player in the email world through their Hotmail service. They probably serve more spam to more places than any other single mail service. As such it makes sense that they would want to be at the forefront of spam-elimination technologies. They ought to be applauded for their initiative here, as well as their cooperation with SPF and Sendmail.

    However, it disconcerts me that they are also applying for a patent in this area instead of engaging the community through a consortium-like committee that could share the technology across the board unencumbered by licensing fees. The specter of Hotmail becoming a proprietary mail system requiring foreign mail servers to run Microsoft-licensed "Caller-ID" to interact with Hotmail is a very legitimate concern.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Imagine when Hotmail gets this by leerpm · · Score: 5, Informative

      However, it disconcerts me that they are also applying for a patent in this area instead of engaging the community through a consortium-like committee that could share the technology across the board unencumbered by licensing fees.

      It is called defensive patenting. There is nothing wrong with applying for a patent on this. We do not want another Eolas, where some other company that produces zero innovation gets a patent on it instead, and puts a stranglehold on the industry. While not perfect, Microsoft has been pretty good about not going after other companies with frivolous lawsuits over patenting issues. Since the USPTO now seems to accept pretty much anything, companies have to apply for patents on whatever possible, so that they have something to use to defend themselves in the future.

  4. Zombie Boxen hastens Trusted Computing? by G4from128k · · Score: 5, Insightful

    Caller-ID for email will help prevent spoofing, but will only increase spammers' use of zombies. I wonder if increased exploitation of Microsoft OS weaknesses (to create spammer platforms) will have a long-term detrimental effect on Windows or whether it will hasten adoption of Trusted Computing? I wonder if Microsoft wants ISPs to become so sick of zombie boxen that the ISPs will prohibit all but a few chosen OS options (read the latest version of Windows) for connection to their networks.

    For a very well-entrenched provider, making everyone sick of your old product is a good way to force them to buy your new product.

    --
    Two wrongs don't make a right, but three lefts do.
  5. thanks by flaez · · Score: 5, Insightful

    if it will mean I have to pay fees to Microsoft to get my domain signed, I'd rather continue filtering out spoofed-bounces, thank you.

    Interesting how instead of supporting a perfectly sound project that has been going for a year, everybody seems to have to come up with their own little *patented* scheme.

  6. sucks / rocks by jilbert · · Score: 5, Funny

    I hate XML, and a quick google reveals:

    XML sucks = about 215,000
    XML rocks = about 174,000

    I'm pleased to see I am in the majority - I thought its buzzword status would have rated it higher.

    1. Re:sucks / rocks by stanmann · · Score: 5, Funny

      What you were looking for is:

      XML Rules = about 2,580,000

      --
      Food not Bombs is a nice platitude but it breaks down when you notice that the Bombees are usually well fed
    2. Re:sucks / rocks by jimi1283 · · Score: 5, Funny
      no no no, you've gotta do it with quotes, otherwise you just get a lot of .xml files with the other key words in them:

      "XML rocks" = 79
      "XML sucks" = 671
      "XML rules" = 5630 (obviously they're actually talking about rules here, and not commenting on quality - perceived or actual)
      "XML pwns j00" = 0

      Obviously the poor kids using 1337 speak have obviously never picked up the standard...

  7. Danger! Read the fine print! by Eponymous+Cowboy · · Score: 5, Insightful
    Look what happens if you add support for "Caller ID for Email" to your software:
    Microsoft and its Affiliates hereby grant you ("Licensee") a ... license ... to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations, provided, Licensee ... grants Microsoft and all other Specification Licensees, a reciprocal fully paid, royalty-free, non-exclusive, worldwide, nontransferable, non-sublicenseable, license under Necessary Claims of Licensee to make, use, sell, offer to sell, import, and otherwise distribute Licensed Implementations.

    (From Microsoft's license.)

    So by building support for "Caller ID for Email" into your software, you suddenly give Microsoft an unlimited license to use and sell it. And, in fact, not only Microsoft, but everyone else who writes software that supports "Caller ID for Email."

    There is a word for this: Insane.

    No thanks. I'll stick with SPF--especially since the two are essentially identical, just a slightly different parsing format.

    --
    It's hard for thee to kick against the pricks.
  8. Why we shouldn't use XML here... by doofusclam · · Score: 5, Insightful

    ... because the performance is crap. This is true on my pc (with any parser you care to name - i've tried it) so what it'd be like on a mail server handling x thousand messages a minute I have no idea.

    XML is great, but only when the underlying data is sufficiently variable within a pre-defined schema and where throughput is not an issue. It's not necessary here.

    sean.

    1. Re:Why we shouldn't use XML here... by doofusclam · · Score: 5, Interesting

      Oh Pleeeeeze yourself.

      I ain't bashing Microsoft and I don't spell it with a '$' either. I've spent the last 14 years programming using their tools and operating systems, so quit with thinking i'm an OSS zealot.

      So read my comment again - i'm not bashing them, and at least they're doing something about spam. But for such a simple datastream, with the throughput needed, it seems unnecessary to bloat it (cpu and memory wise) by having to use an XML parser, regardless of which evil/non evil company designed it.

      Would YOU like your mail to be delayed because some bright spark decided to go all trendy and use XML in the mail processing rather than something which just does the job?

  9. Re:At least by NightRain · · Score: 5, Funny

    Could anyone who moderated it up provide a reason other than they're bashing MS, that's +1 baby!

    Well no. They can't comment if they moderate now, can they?

    Ray

  10. Re:If Microsoft cared about SPAM... by jfengel · · Score: 5, Informative

    It shouldn't have taken so long, but they claim that it's coming.

  11. Re:Danger! Read the fine print! by DHam · · Score: 5, Informative

    Actually, it doesn't say that. The important phrase is "Necessary Claims" and the word "reciprocal" gives a good hint too. This is just a defensive patent licence. It says that Microsoft won't sue you for breach of patent for implementing the standard or dealing in implementations and you promise the same to Microsoft and everyone else.

    It is NOT a copyright licence to Microsoft to use and sell YOUR implementation. It only affects you if you hold patents which Microsoft or someone else infringes by implementing this standard. It effectively sets implementations of this standard in a "patent free zone".

  12. What is a PGP signature? by stefaanh · · Score: 5, Informative

    Shouldn't widespread adoption of PGP be the best solution? For me any implementation of PGP sig IS a Caller ID, only it is not XML, but it could easily be wrapped.

    IMHO MS is reinventing a wheel, or trying to own it.

    So, if everybody should become aware of the sense of a PGP sig, maybe with a service like "pgp://pgpserver.domain.tld" the problem is on its way to its solution... It shouldn't be part of SMTP sendmail or ... but it should be easy to hook it up to anything.

    Maybe the idea that mail could potentially be completely private (read:encrypted) is not that appealing to everyone.

    So, tell them you read it here first. (Or point me to a similar idea.)

    --
    --------
    * Sigh *
  13. What XML REALLY is.... by jmlyle · · Score: 5, Funny

    It's not a data format.

    It's not a framework.

    XML is a badly-formed roman numeral.

    It should probably be written "MXL".

    But even that might be a problem. You might need to use the Unicode Standard symbols: 2169,216F,216C

    --
    I have misplaced my pants.
  14. Re:MSXML experience by the+endless · · Score: 5, Informative
    I've had the unfortunate experience of attempting to generate XML using Microsoft's MSXML object. What a piece of crap! In an attempt to completely abstract the format, the objects are obfuscated beyond reason. Even the simplest things require ridiculous complexity: just to escape-out special characters requires instantiating a new "entity" element in the middle of the text string element.

    Er... in that respect, Microsoft are following the standards, because that's how it's done with the W3C's Document Object Model. If you have a problem with it, you have a problem with the DOM, not with Microsoft.

    But the worst part is that I *succeeded* in using MSXML. Now, if I wanted to go back to just writing a text file (which I do!), I can't -- my code is tangled up in the objects to the point that it would take a complete rewrite.

    Again, that's your fault, not Microsoft's. Either live with it, or split out the XML-generation code into a separate module. The world and his dog has long since learned to separate out logic code and database-access code so that it's possible to change DBMS by just rewriting the database-access module rather than the entire application - exactly the same thing applies with XML.

  15. Summary by dskoll · · Score: 5, Interesting

    Basically, it's a very poor re-implementation of SPF, with all of SPF's disadvantages and none of its advantages.

    Under the MSFT scheme, the TXT records are verbose, likely requiring several records where SPF will probably fit in one. They have a hare-brained scheme to parse Received: headers to get around certain problems. Their scheme is absurdly complex.

    And neither SPF nor MSFT's scheme do anything about spam coming from <>, cracked Windoze machines, or "valid" throwaway accounts. They also make forwarding more difficult than it should be.