Slashdot Mirror


Microsoft to Deploy SPF for Hotmail Users

wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, Microsoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."

11 of 562 comments

  1. Great by bnewendorp · · Score: 4, Insightful

    Let's hope this method of reducing spam will work. I have noticed that less spam I receive comes from Hotmail, Yahoo, etc. type e-mails, but hopefully this will help more. I am curious just how much work is involved in publishing these lists, and more importantly, how often are they updated? If they don't get real time or near-real time updates, they aren't going to be very useful.

  2. False Sense of Security by Linuxthess · · Score: 4, Insightful
    The SPF's website says,
    "Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!"

    The problem arises though when the phisher/spammer uses a domain which is fairly similar to your bank or credit card's website, for example www.XYZCapitol.com instead of www.XYZCapital.com.

    --

    I sig, therefore I was.
  3. Re:Curious by Neil+Watson · · Score: 5, Insightful

    It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'? This could be a step forward for us all. It could also be a step back.

  4. Proof that technology (not legislation) works. by Sheetrock · · Score: 4, Insightful
    Part of the secret to the success of the Internet is in allowing unfettered communication between endpoints. While I am to some degree concerned about the technical approach to solving the spam problem, because of the collateral consequences it may have, it does not raise the spectre of 1st Amendment violation that anti-spam legislation does.

    That Microsoft is taking part is to their credit. Finally the Internet at large is going to actually try to apply a solution to spam at the source. Although the unsolicited commercial email problem is largely one of perception (as with violent computer games, smoking in public, or 'indecent' radio broadcasting) perhaps the solution will have less of a negative impact on society. One can only hope.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

  5. Re:I'm confused.. maybe I've had too much free bee by Reckless+Visionary · · Score: 3, Insightful

    Um. . .isn't that the point of open source?

    --
    I think I'll stop here.
  6. Solves the 1998 spam problem? by kawika · · Score: 3, Insightful

    Okay, now we can verify that a mail server that says it is someserver.com is really someserver.com. Back when the big problem was open SMTP relays that sure would have been helpful.

    But now that the problem is spam zombies on millions of user PCs, how will this put a dent in the problem? Sure they won't be able to connect directly to Hotmail to say they're someserver.com, but it won't stop them from sending spam through their own ISP's mail server. Since the key to spam zombies is having a lot of PCs that send relatively few spams per PC, it will be very difficult for each ISP to track down and stop each zombie.

  7. Re:"enforcing" by jhunsake · · Score: 3, Insightful

    The person that wrote "RTFA" is trying to help you in a more profound way. They are trying to teach you to learn to read before asking, something that will make you look like less of an idiot (which you presently look like).

    Give the man a fish, and you feed him for a day. Teach the man to fish, and you feed him for a lifetime.

  8. How will this stop spamming? by mabu · · Score: 5, Insightful

    I am unconvinced this scheme will make much of a difference in the spam epidemic.

    If anything, the SPF idea primarily favors the big ISPs and consolidated mail services. Microsoft and others aren't doing the industry a favor at all by adopting this standard. It clearly benefits them more than it does small and medium-sized Internet hosts. I am under the impression that any Internet operation that doesn't control all the inbound and outbound mail for domains they manage will have a much higher administrative burden than the big guys. So this scheme makes sense for large ISPs and costs more time and money for smaller ones.

    And ultimately, it would only stop spam if every system on the planet adopted it. Otherwise a spammer will simply operate from a host that isn't SPF-compliant. Until the lion's share of systems adopt SPF, no ISP can afford to arbitrarily reject non-compliant systems.

    This scheme seems to heavily favor the "all-in-one" Internet companies, who manage both sending and receiving. If you're having one company manage your domain and using a local ISP for SMTP, then you run into problems. As an owner of a hosting company, if this scheme were adopted, I'd probably get several phone calls a day from customers freaking out that their mail bounced, and even if I had an automated system where they could specify authorized smtp hosts, I'd still have to waste a bunch of time explaining to them that if they configure their local client to be "from" their domain, and they change ISPs, they need to update these records as well.

    Ultimately, this is bad. It makes the largest ISPs, who can afford to offer SMTP and all other services, easier to work with, and the smaller guys have more of an administrative overhead to keep up with DNS management.

  9. Re:Curious by gnuman99 · · Score: 3, Insightful
    It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'?

    This does not work if you are a minor player. Microsoft is a minor player in e-mail servers. This is also the reason why Microsoft wants to adopt SPF instead of creating something themselves.

  10. Re:Curious by LordNimon · · Score: 5, Insightful
    That's just not going to be acceptable to anyone. The reply-to is only used during a reply. When the recipient first receives the message, he sees what the From: line says, not what the Reply-To: says. When people receive email from me, I want them to see that it's from me, and I want it to be the same no matter what server I use.

    Besides, my understanding of SPF is that it doesn't use anything in the email header at all, only what's in the envelope.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  11. Forwarding address ... will I be SOL? by looper_man · · Score: 3, Insightful

    I use a forwarding address from my alma mater as my main personal email address (me@alumni.XXX.edu). They offer a webmail interface, but it sucks eggs. So I subscribe to Yahoo Mail Plus which allows me to send mail "from" any of my accounts (they verify the account before letting me do this), and I can also consolidate several accounts there in one nice interface. When I send email from Yahoo "from" my alumni.XXX.edu address, it comes from Yahoo's outgoing server, and the SPF record from alumni.XXX.edu wouldn't match (if it's there at all).

    Is there any mechanism in SPF (or Sender ID) for this email setup?