Microsoft to Deploy SPF for Hotmail Users
wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, MicroSoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."
Let's hope this method of reducing spam will work. I have noticed that less spam I receive comes from Hotmail, Yahoo, etc. type e-mails, but hopefully this will help more. I am curious just how much work is involved in publishing these lists, and more importantly, how often are they updated? If they don't get real time or near-real time updates, they aren't going to be very useful.
"Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!"
The problem arises though when the phisher/spammer uses a domain which is fairly similar to your bank or credit cards website, for example www.XYZCapitol.com instead of www.XYZCapital.com.
I sig, therefore I was.
It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'? This could be a step forward for us all. It could also be step back.
UNIX/Linux Consulting
That Microsoft is taking part is to their credit. Finally the Internet at large is going to actually try to apply a solution to spam at the source. Although the unsolicited commercial email problem is largely one of perception (as with violent computer games, smoking in public, or 'indecent' radio broadcasting) perhaps the solution will have less of a negative impact on society. One can only hope.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Um. . .isn't that the point of open source?
I think I'll stop here.
Okay, now we can verify that a mail server that says it is someserver.com is really someserver.com. Back when the big problem was open SMTP relays that sure would have been helpful.
But now that the problem is spam zombies on millions of user PCs, how will this put a dent in the problem? Sure they won't be able to connect directly to Hotmail to say they're someserver.com, but it won't stop them from sending spam through their own ISP's mail server. Since the key to spam zombies is having a lot of PCs that send relatively few spams per PC, it will be very difficult for each ISP to track down and stop each zombie.
The person that wrote "RTFA" is trying to help you in a more profound way. They are trying to teach to learn to read before asking, something that will make you look like less of an idiot (which you presently look like).
Give the man a fish, and you feed him for a day. Teach the man to fish, and you feed him for a lifetime.
I am unconvinced this scheme will make much of a difference in the spam epidemic.
If anything, the SPF idea primarily favors the big ISPs and consolidated mail services. Microsoft and others aren't doing the industry a favor at all by adopting this standard. It clearly benefits them more than it does small and medium-sized Internet hosts. I am under the impression that for any Internet operation that doesn't control all the inbound and outbound mail for domains they manage will have a much higher administrative burden than the big guys. So this scheme makes sense for large ISPs and costs more time and money for smaller ones.
And ultimately, it would only stop spam if every system on the planet adopted it. Otherwise a spammer will simply operate from a host that isn't SPF-compliant. Until the lion's share of systems adopt SPF, no ISP can afford to arbitrarily reject non-compliant systems.
This scheme seems to heavily favor the "all-in-one" Internet companies, who manage both sending and receiving. If you're having one company manage your domain and using a local ISP for SMTP, then you run into problems. As an owner of a hosting company, if this scheme were adopted, I'd probably get several phone calls a day from customers freaking out that their mail bounced, and even if I had an automated system where they could specify authorized smtp hosts, I'd still have to waste a bunch of time explaining to them that if they configure their local client to be "from" their domain, and they change ISPs, they need to update these records as well.
Ultimately, this is bad. It makes the largest ISPs, who can afford to offer SMTP and all other services, easier to work with, and the smaller guys have more of an administrative overhead to keep up with DNS management.
This does not work if you are a minor player. Microsoft is a minor player in e-mail servers. This is also the reason why Microsoft wants to adopt SPF instead of creating something themselves.
Besides, my understanding of SPF is that it doesn't use anything in the email header at all, only what's in the envelope.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
I use a forwarding address from my alma-mater as my main personal email address (me@alumni.XXX.edu). They offer a webmail interface, but it sucks eggs. So I subscribe to Yahoo Mail Plus which allows me to send mail "from" any of my accounts (they verify the account before letting me do this), and I can also consolidate several accounts there in one nice interface. When I send email from Yahoo "from" my alumni.XXX.edu address, it comes from Yahoo's outgoing server, and the SPF record from alumni.XXX.edu wouldn't match (if it's there at all).
Is there any mechanism in SPF (or Sender ID) for this email setup?