Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Deploy SPF for Hotmail Users

Posted by michael on from the ever-so-slightly-less-spam dept.

wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, MicroSoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."

25 of 562 comments (clear)

  1. Making sure I see my role in this... by E1ven · · Score: 5, Interesting

    Ok.. Let me make sure I understand this correctly..

    I maintain a few domains, such as a Sq7.org, from which I send e-mail.. I send it from home, from my girlfriends house, from wherever I happen to be.. But I send it by connecting through the sq7.org server, and forwarding mail through there.

    The way I understand SPF, I just need to publish that the IP sq7.org runs on is authorized to send Sq7.org's mail, and NOT the IP for my home, office, etc, since I don't send directly from the local computer.

    If I did send directly from the local computer, without going through the external server, I'd need to add my local IP to the SQ7.org DNS records.

    As it is, though, I'll need to avoid using my ISP's SMTP servers if mine go down, or add them to the domain.

    Am I understanding this right?

    -Colin

    --
    Colin Davis
    1. Re:Making sure I see my role in this... by YetAnotherDave · · Score: 5, Informative

      SPF allows you to state a list of servers which are qualified to send.

      So you could add your server + your ISP's servers, so your fallback would still be within your SPF record

    2. Re:Making sure I see my role in this... by mshultz · · Score: 5, Interesting

      Yeah, I was wondering about this too--- particularly how this is going to work with things like universities. Where I just graduated from, you're only allowed to use their SMTP server if you are either on campus, use the VPN, or are using authentication over SSL from wherever. For everyone off campus, you are expected to use your ISP's SMTP server.... and often, you'd have to anyway, with ISP's blocking outgoing port 25 these days. So how then would a university, for example, implement SPF with people using whatever.edu 'From' addresses, but going through thousands of different ISP-owned SMTP servers?

      Surely there's a better solution than to have people change their 'From' address based on who's providing their internet connection at that moment (a real challenge for wireless hotspot users.....), and just keep the Reply-To header constant.

      Maybe I understand this wrong-- just wondering how it's all going to work.

  2. No posts =( by Bwerf · · Score: 4, Funny

    Damn, now I have to read the article.

    --
    If noone rtfa, then what's the slashdot effect?
  3. I'm confused.. maybe I've had too much free beer by peculiarmethod · · Score: 5, Funny

    Wait a second. Microsoft is willingly employing open source market software? (looks at calendar).. hmm.. it's not early april. It's either armageddon, or old dogs can be taught new tricks!

    pm

    --
    ** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
  4. Great by bnewendorp · · Score: 4, Insightful

    Let's hope this method of reducing spam will work. I have noticed that less spam I receive comes from Hotmail, Yahoo, etc. type e-mails, but hopefully this will help more. I am curious just how much work is involved in publishing these lists, and more importantly, how often are they updated? If they don't get real time or near-real time updates, they aren't going to be very useful.

  5. Misinterpreted headline by Joey+Patterson · · Score: 5, Funny

    Microsoft to Deploy SPF for Hotmail Users

    So, now that Microsoft already dominates the OS and free e-mail markets, it's trying to get into the sunscreen market as well?

    I don't know which is worse, the cure or the disease.

    1. Re: Misinterpreted headline by cuzality · · Score: 4, Funny

      ...it's trying to get into the sunscreen market as well?

      Microsoft is just trying to protect its empire from the Sun.

  6. False Sense of Security by Linuxthess · · Score: 4, Insightful
    The SPF's website says,
    "Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!"

    The problem arises though when the phisher/spammer uses a domain which is fairly similar to your bank or credit cards website, for example www.XYZCapitol.com instead of www.XYZCapital.com.

    --

    I sig, therefore I was.
  7. SPF version? by pio!pio! · · Score: 5, Funny

    Next year MSFT will release SPF15 for those needing additional protection. SPF 30 and 45 to follow for those extremely pale nerds who never go in the sun

    1. Re:SPF version? by TopShelf · · Score: 5, Funny

      Obviously this is a major initiative by Microsoft to wipe out Solaris...

      (sorry, couldn't help myself)

      --
      Stop by my site where I write about ERP systems & more
  8. Re:PGP/GPG? by FooAtWFU · · Score: 5, Informative

    PGP/GPG are nice, but they have nothing to do with the anti-spamming technology present in SPF. All SPF is, is special data set in your DNS telling you which hosts are allowed to send mail on behalf of your server. That way when your 0wn3d computer sends mail from "hotgirl@hotmail.com", people can tell it's a fake.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  9. Easy? by Compholio · · Score: 4, Interesting

    Publishing SPF records is easy, as is checking SPF records."

    Only if you can edit your own DNS records, most management tools only allow modification of A, MX, and CNAME records. For this to really take off the tools need to add support for TXT records.

  10. nice concept but not as practical in all scenarios by mabu · · Score: 4, Informative

    Generally, I like this idea, especially from the perspective of controlling misdirected bounces.

    Where it seems to be a problem though (someone correct me if I'm wrong), is in a case where someone, for example is doing web hosting and controls a domain, and the customer wants to configure his e-mail client to send mail "from" the domain through a local ISP. The way SPF works, the authorized hosts from which mail with that domain in the header must be defined in the DNS records. This means that if the hosting company isn't the customer's ISP or mail relay, he needs to keep track of what mail relays the customers use. If a customer changes ISPs and doesn't have the DNS info updated, then their mail may suddenly be rejected by SPF servers?

    This seems to be good for ISPs and services like Hotmail and gMail, which endeavor to have exclusive control of incoming and outgoing mail under their domains, but for smaller ISPs or scenarios where one person may be managing the domain, with the customer using a local ISP/mail relay, it seems to be a big pain in the butt.

  11. Re:Curious by Neil+Watson · · Score: 5, Insightful

    It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'? This could be a step forward for us all. It could also be step back.

    --
    UNIX/Linux Consulting
  12. MSN Broke My Email by stoolpigeon · · Score: 4, Interesting

    They are making all kinds of changes lately-- and they are not bothering to send anything to their users. I've been an MSN customer since just after they started up the service. Last week Outlook couldn't pull my email from their pop3 server any more. I sent in a help ticket. The reply I got said it was a problem they were fixing- and gave me instructions to set up Outlook Express to pull web mail from an http server.

    I responded that I don't use Outlook Express, I use Outlook 2000 and it will only pull Email from pop or imap servers. Their response, upgrade to Outlook 2002 (or above) or just use the hotmail interface. Of course using hotmail means no more hot syncing to my palm and I have to start manually sifting through spam again (my filter I use is an Outlook plug in)

    I had been thinking about changing my ISP but now I don't even have a choice.

    What ticks me off most is there was no advance notice of these changes- and it took multiple emails to MSN support to find out what was really going on.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  13. Proof that technology (not legislation) works. by Sheetrock · · Score: 4, Insightful
    Part of the secret to the success of the Internet is in allowing unfettered communication between endpoints. While I am to some degree concerned about the technical approach to solving the spam problem, because of the collateral consequences it may have, it does not raise the spectre of 1st Amendment violation that anti-spam legislation does.

    That Microsoft is taking part is to their credit. Finally the Internet at large is going to actually try to apply a solution to spam at the source. Although the unsolicited commercial email problem is largely one of perception (as with violent computer games, smoking in public, or 'indecent' radio broadcasting) perhaps the solution will have less of a negative impact on society. One can only hope.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




  14. Re:What is the difference between SenderID and SPF by wayne · · Score: 5, Informative
    Okay, all I know is that SPF is a good deal simpler than SenderID and much more popular, due to the simple text format verses the use of XML.

    XML was dropped from the Sender ID spec by the IETF last month.

    The primary difference between SPF and Sender ID is that Sender ID also has the ablility to check the RFC2822 From: email header in addition to the RFC2821 envelope from value. This is something that most of the people in the SPF community wanted to do all along, but it would require changes in end-user mail systems, such as outlook, to do right. Without the support from MicroSoft, this couldn't really be done.

    --
    SPF support for most open source mail servers can be found at libspf2.
  15. Re:Curious by E-Rock · · Score: 4, Informative

    My understanding is that you should be changing the REPLY-TO not the FROM. Let FROM be where the message is actually from and there's no blocking problem. With the REPLY-TO set, anyone that presses reply goes to your prefered destination.

  16. How will this stop spamming? by mabu · · Score: 5, Insightful

    I am unconvinced this scheme will make much of a difference in the spam epidemic.

    If anything, the SPF idea primarily favors the big ISPs and consolidated mail services. Microsoft and others aren't doing the industry a favor at all by adopting this standard. It clearly benefits them more than it does small and medium-sized Internet hosts. I am under the impression that for any Internet operation that doesn't control all the inbound and outbound mail for domains they manage will have a much higher administrative burden than the big guys. So this scheme makes sense for large ISPs and costs more time and money for smaller ones.

    And ultimately, it would only stop spam if every system on the planet adopted it. Otherwise a spammer will simply operate from a host that isn't SPF-compliant. Until the lion's share of systems adopt SPF, no ISP can afford to arbitrarily reject non-compliant systems.

    This scheme seems to heavily favor the "all-in-one" Internet companies, who manage both sending and receiving. If you're having one company manage your domain and using a local ISP for SMTP, then you run into problems. As an owner of a hosting company, if this scheme were adopted, I'd probably get several phone calls a day from customers freaking out that their mail bounced, and even if I had an automated system where they could specify authorized smtp hosts, I'd still have to waste a bunch of time explaining to them that if they configure their local client to be "from" their domain, and they change ISPs, they need to update these records as well.

    Ultimately, this is bad. It makes the largest ISPs, who can afford to offer SMTP and all other services, easier to work with, and the smaller guys have more of an administrative overhead to keep up with DNS management.

  17. Re:Hey, Microsoft willingly employs HTTP as well! by gordyf · · Score: 4, Interesting

    They've fiddled with HTTP also. ISTR some tricks IE did with IIS to keep persistent connections so that page loads would be quicker.

  18. This is not a solution. by pavera · · Score: 4, Informative

    SPF requires that you know every mail server that will ever relay mail for your domain. This is unknowable. I manage 40 domains, people using these domains for email regularly travel to branch offices where they change their outgoing smtp server to whatever server is local to that office... I'm talking about a rotating list of around 1000 smtp servers that have to be on all 40 of these domains... That is the most unmanagable hack I've ever seen. This is not one company I manage small domains for contractors that need to be able to have 1 email address, but that are constantly moving to different physical locations, and using many smtp servers. Furthermore, VPN is not a solution as most of the time they are on heavily firewalled and NATed networks where VPN does not work reliably. Also, I work for a small ISP and many of our users use our outgoing smtp server to relay mail for their work accounts that don't have VPN set up for them. All of this email will now be summarily rejected.... whoever came up with SPF is an idiot, thanks for breaking email, this is the death of it.

  19. Re:Curious by LordNimon · · Score: 5, Insightful
    That's just not going to be acceptable to anyone. The reply-to is only used during a reply. When the recipient first receives the message, he sees what the From: line says, not what the Reply-To: says. When people receive email from me, I want them to see that it's from me, and I want it to be same no matter what server I use.

    Besides, my understanding of SPF is that it doesn't use anything in the email header at all, only what's in the envelope.

    --
    And the men who hold high places must be the ones who start
    To mold a new reality... closer to the heart
  20. Missing the point by eadz · · Score: 5, Informative

    A great opt in solution... .. If you don't have SPF records in your DNS, it doesn't mean Hotmail won't accept your mail.

    If you DO have SPF record for your domain, and the message wasn't sent from one of the specified IP addresses, then Hotmail may block your message.

    But the real kicker is when you recieve a message from someone@hotmail.com. If the IP address used to send the message isn't listed in hotmail's SPF TXT DNS record then you know it's not a message sent from hotmail. And same for Gmail :

    dig -t txt gmail.com
    gmail.com. 300 IN TXT "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all"

    Which means that the only servers authorized to send mail from @gmail.com are mproxy and rproxy.gmail.com

    1. Re:Missing the point by Otto · · Score: 4, Informative

      OK- so if I have my own domain:
      example.com
      and I choose NOT to have an SPF record for that domain, I should be able to SEND emails out as per my post above and they "should" go through and not get rejected?
      The only reason I would WANT to publish an SPF would be to PREVENT a spammer from using example.com as a bogus FROM address?

      Pretty much, yes. Although it's slightly more complicated than that.

      If you don't publish an SPF record for your domain, then the receiving machine will have to fall back on whatever the default is. The default, however, is not defined. It can be accept the mail, reject the mail, accept the mail but flag it as possibly forged, accept the mail and add a "no SPF" weighing to whatever anti-spam algorithim it uses, etc. Basically, it depends on who you send it to.

      Since there's not a heck of a lot of places using SPF yet, any likely defaults currently are to accept the mail. Once SPF is widely implemented, a lot of those might start flagging it as a possible forgery or maybe even simply rejecting it altogether. But that may never occur, basically.

      The advantage to SPF is mainly when the sender has SPF records published and the receiver is reading and acting on them. In that event, it'll work all the way through. But you don't really see a lot of spam prevention benefit until SPF is very widely adopted and the defaults start to become something other than "accept it if there is no SPF record".

      But you're right in that publishing a SPF record has absolutely no negative consequences and can only prevent spammers from forging your domain name to receivers using SPF records.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.