Slashdot Mirror

← Back to Stories (view on slashdot.org)

IETF Decides On SPF / Sender-ID issue

Posted by Hemos on from the making-the-hard-choices dept.

Zocalo writes "The MARID working group at the IETF responsible for deciding on which extensions to SMTP will be used to try and prevent spoofing of the sender has made their decision. At issue was whether Microsoft's patent encumbered Sender-ID would be eligable for inclusion in an Internet standard. An initial analysis of the text of their decision, available here with a brief analysis, would suggest not. Unless Microsoft is going to make any dramatic concessions out of desperation, that pretty much clears the way for Meng Wong's Classic SPF to become the standard and hopefully make Joe-Jobs at thing of the past."

28 of 269 comments (clear)

  1. I saw spammers are ready for this by Anonymous Coward · · Score: 4, Interesting

    Why is that the spammers actually supporting this ? Does this give them more targeted email addresses ?

    1. Re:I saw spammers are ready for this by JamesD_UK · · Score: 4, Informative

      SPF and Sender-ID don't prevent spam, they are used so that systems recieving e-mails can verify that e-mails are sent from servers that are authorised to do so for particular e-mail addresses. This prevents JoeJobs and (hopefully) allows for faster tracking of e-mail abuse. Spammers implement/support SPF or Sender-ID records in order to circumvent systems that discard e-mails that SPF or Sender-ID marks as spoofed.

    2. Re:I saw spammers are ready for this by DrZaius · · Score: 4, Interesting

      SPF isn't meant to stop spam. It is meant to stop spam that spoofs the from address.

      This means all the spam that comes from AOL and Hotmail accounts that don't actually leave from there servers would be bounced at your mail servers. At this point in time, if everyone used SPF, my guess is that at least 50% of spam would be blocked.

      Of course, spammers are going to register domains to use for spamming and set SPF records so that their mail appears legit to the SPF filters.

      You're probably thinking, "What's the point?" Well, it's easier to understand if you have ever hosted a domain that has been either blacklisted or had an increase in bandwidth charges because of millions of bouncebacks due to spammers using a FROM address in your domain.

      --
      -- DrZaius - Minister of Sciences and Protector of the Faith
    3. Re:I saw spammers are ready for this by Albanach · · Score: 4, Informative
      And what forms the majority of email folk get that has a forged sender address. Yep, spam and viruses.

      While not designed to stop spam, I'm more than sure spam was a big consideration. Certainly it impacts on spam - either spammers have to use domains the have bought - which leaves a paper trail most spammers would rather didn't exist or not use SPF. If they are using SPF it makes using 0wned computers for bulk mailing a lot more difficult - either they need to do a DNS update for every new machine, ot use -all in the spf record, a flag that would probably then be used by spamassassin to increase the spam score.

      You are correct in that SPF won't stop spam, but to suggest that it's not another tool diseigned to be used against spammers is, however, wrong.

  2. I love it by kc0re · · Score: 5, Insightful

    I love it when the world has a moment of clarity and decides that Microsoft has enough damn patents and we're not going to let them run everything. Adopt the open standard that everyone can use. It makes more sense.

  3. Standards == Monopoly?? by bunburyist · · Score: 5, Interesting

    Question: Is the IETF allowed to adopt patent-encumbered standards? I mean, wouldn't that grant some sort of monopoly license in effect for MS, seeing as if you want to adopt a standard, you need to pay somebody? Shouldn't standards be free, and people can make money off the implementation of said standards? I don't know how these things work, nor am I a lawyer of any capacity.

    1. Re:Standards == Monopoly?? by voop · · Score: 4, Informative

      Yes, the IETF does accept proposals which are subject to IPR claims in whatever form.

      Here's for more information about the official IPR position of the IETF:

      http://www.ietf.org/ipr.html

      --
      -- "Life is a bitch - and she hates me..."
    2. Re:Standards == Monopoly?? by peragrin · · Score: 4, Insightful

      Yes the ITEF can use patented standards.

      On the other hand if the majority of Email servers are F/OSS, and F/OS doesn't adopt it because of the patent, it doesn't make sense to support it anyway. You suddenly appear to be in MSFT's pocket.

      Being in MSFT's pocket nowadays isn't considered a good thing.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Standards == Monopoly?? by EvilAlien · · Score: 4, Informative
      Sure... just ask Cisco and OpenBSD. OpenBSD developed CARP to address Cisco's aggression against an IETF standard which they believe to overlap with their HSRP patent.

      3.5: "CARP License" and "Redundancy must be free":

      The IETF community proposed work in this direction in the late 90's, however in 1997 Cisco informed them that they believed some of Cisco's patents covered the proposed IETF VRRP (Virtual Router Redundancy Protocol); on March 20, 1998 they went further and specifically named their HSRP "Hot Standby Router Protocol" patent. Reputedly, they were upset that IETF had not simply adopted the flawed HSRP protocol as the standard solution for this problem. Despite this legal pressure, the IETF community forged ahead and published VRRP as a standard even though there was a patent in the space. Why? There was much deliberation at all levels of the IETF, and unfortunately for all of us the politicians within eventually decided to allow patented technology in standards -- as long as the patented technology is licensed under RAND (Reasonable And Non Discriminatory) terms. As free software programmers, we therefore find ourselves in the position that these RAND standards must not be implemented by us, and we must deviate from the standard. We find all this rather Unreasonable and Discriminatory and we *will* design competing protocols. Some standards organization, eh?

      Due to some HSRP flaws fixed by VRRP and for compatibility with the (HSRP-licensed) VRRP implementations of their competitors, Cisco in recent times has largely abandoned HSRP and now relies on VRRP instead -- a protocol designed for and by the community, but for which they claim patent rights.

      On August 7 2002, after many communications, Robert Barr (Cisco's lawyer) firmly informed the OpenBSD community that Cisco would defend its patents for VRRP implementations -- meaning basically that it was impossible for a free software group to produce a truly free implementation of the IETF standard protocol. Perhaps this is because Cisco and Alcatel are currently engaged in a pair of patent lawsuits; a small piece of which is Cisco attempting to use the HSRP patent against Alcatel for their use of VRRP. Some IETF working group members took note of our complaints, however an attempt in April 2003 to have the IETF abandon the use of patented technology failed to "reach consensus" in the IETF.

      A few years ago, the W3C, who designs our web protocols, tried to move to a RAND policy as well (primarily because of pressure from Microsoft and Apple), but the community outrage was so overpowering that they backed down. Some standards groups use this policy, while others avoid it -- the one differentiation being the amount of corporate participation. In the IETF, the pro-RAND agents work for AT&T, Alcatel, IBM, Cisco, Microsoft, and other large companies. Since IETF is an open forum, they can blend in as the populace, and vote just like all others, except against the community.

      Translation: In failing to "reach consensus", the companies who benefit from RAND won, and the community lost again.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  4. It's been said before, but it's worth repeating by Weaselmancer · · Score: 4, Insightful

    Microsoft shouldn't be surprised that their patent-encumbered method didn't fly. Remember the whole "burn all GIFs" campaign, when a patent made gif files possibly illegal to use? Now - imagine that mess with your email, and Microsoft holding the reins. Argh.

    We've been through the whole embrace-and-extend loop with MS before, and it's nice to see the IETF understand the problems that a patent encumbered standard would produce.

    --
    Weaselmancer
    rediculous.
    1. Re:It's been said before, but it's worth repeating by gbjbaanb · · Score: 4, Funny

      when a patent made gif files possibly illegal to use?

      oh yeah, I remember that really stopped people using Gifs. Especially vigorous in their destruction of gifs because they were patent-encumbered were the kind of people who read this site

    2. Re:It's been said before, but it's worth repeating by Weaselmancer · · Score: 4, Insightful

      Well, it's not really a problem anymore because the gif patent expired, so they're ok to use now.

      But I still think the point is a valid one - and an excellent example of why software patents are a bad idea. I know it's contrary to Slashdot groupthink, but what if Microsoft's implementation is the superior one? (Work with me guys, it's hypothetical) Now, because of the patents, it'll never be used and we'll be missing out on a good thing.

      --
      Weaselmancer
      rediculous.
  5. Worried... by renelicious · · Score: 4, Interesting

    This worries me more than it makes me excited. I have several email addresses that I send mail from home through ISP. I don't believe they are going to put those domains in thier DNS list.

    In the case I guess the only option will to be use webmail for any addresses not provided by my ISP. That's a pain...

    --
    "Luke, I am your node.parent();"
    1. Re:Worried... by mosch · · Score: 4, Informative

      The domain you are sending as is what matters. So if you send mail from renelicious.com through your ISP, renelicious.com just needs an spf record that looks something like "v=spf1 include:yourisp.net -all"

      Your ISP doesn't need to do anything at all.

  6. Reason #1 That I don't like SPF by Anonymous Coward · · Score: 4, Interesting

    SPF Breaks Forwarding.

    Yes I know about SRS. (sender rewriting scheme)

    SRS is a LAME workaround for the fact that SPF breaks forwarding.

    1. Re:Reason #1 That I don't like SPF by SunCrushr · · Score: 4, Informative

      I think you need to read up on this flaw a little better. What SPF breaks is pre-delivery forwarding (not the forwarding you would associate with the forward button in your email program), which is the ability for an email to go from one smtp server to another and then to another until it reaches its destination server.

      This is a non-issue however, because most sane people that run good email servers do not allow smtp pre-delivery forwarding to take place at all (unless its for messages that are being forwarded to another one of their own servers) as this "feature" (when manipulated correctly) can be used to make their servers into open relays, thus making them into some spammer's bitch.

      And yes, for those that need pre-delivery forwarding, there are workarounds available.

  7. make sendmail look bad by hey · · Score: 4, Interesting

    They caved and send they'd implement Sender-ID.
    It makes Apache and FSFlook good as they
    proved resistance isn't futile.

    http://it.slashdot.org/article.pl?sid=04/02/24/1 44 2237&tid=111&tid=109

  8. Will ITEF make a difference? by milgr · · Score: 5, Interesting

    When Microsoft ships their method on all their mail servers and mail clients, will it matter that it is not a sanctioned standard?

    --
    Where law ends, tyranny begins -- William Pitt
  9. SPF is NOT about... by warrax_666 · · Score: 4, Informative

    combatting spam. It's about being able to verify that the envelope sender is actually authorized to send mail for the domain in the envelope. That is all.

    --
    HAND.
    1. Re:SPF is NOT about... by afidel · · Score: 4, Insightful

      Yes, but this does change the method finding the origionator of spam and other annoying messages. It allows an ISP to lock down a compromised system after it sends a very large volume of emails through their gateway, it allows black holes to target ip's used by spammers more efficiently, and it allows email gateways to throw away virus emails which came directly from infected system which are obviously not authorized to send for the myriad of spoofed addresses they have classically used. It is just a tool in the fight against spam and viruses, but it is a fairly powerfull first step in patching SMTP into a more trustworthy system.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  10. Time to bug DNS hosters by hey · · Score: 4, Interesting

    I already sent a mail to the company that hosts the DNS A records for my domains (also my DNS registrar) asking when I'll be able to add an SPF record.

  11. Good. Now let's improve SPF. by jefp · · Score: 5, Interesting

    The one feature of Sender-ID that I'd like to see in SPF is checking the header-sender as well as the SMTP-sender. Of course this is expensive, requiring reception of the message body, but it's worth it.

    It occurred to me recently that I could write a separate milter to implement just this one check. It would compare the SMTP-sender against the header-sender, and if they don't match then it would add a header to the message saying "possibly forged". A later step in the delivery process, such as bogofilter, would see this header and weigh it appropriately.

    I'm interested in comments on this idea.

  12. It is absolutely insane to let MS be involved by Featureless · · Score: 4, Insightful

    There is absolutely zero value proposition for anyone to let MS own, encumber, or otherwise threaten, by act or by fear of an act, the email standard.

    They need to be kept 1000 feet away from any standards setting. Microsoft should only encounter the email standard when they send an email. Anything else is an absurdly bad idea.

    If you had to bet, could you honestly bet they wouldn't exploit their license to shut out open source, or (more likely) GPL, now or (more likely) later?

    I'd bet your well-cushioned ass they would.

    It is hardly a conspiracy theory, when you can open any business section and read about their new patent portfolio manager or the SCO lawsuit. They play dirty, they do it in exactly this way, and everybody knows it.

    Letting them taint the standard is bad for other vendors. It's bad for service providers. It's bad for users (read: most of the world's population, individuals and businesses). It's even bad for Microsoft itself.

    It is absolutely absurd to have a standards war over email. But now we have to consider it.

    Standards bodies may do the right thing. That's great. But what I fear now is that Microsoft will say "OK, you don't want to play our game? That's fine. Have it your way. Just don't bother sending any emails to @microsoft.com or @hotmail.com (and everywhere else we can buy or control) without a patented Caller/Sender ID record."

    When they do this, we have to stand in a big line facing them, stare back, grin, and say "your loss."

    Get ready...

    --

    Want to Know How to Cheat the GPL? Read On!
  13. Joe-jobs or just forged headers still are a pain by Artifex · · Score: 4, Interesting

    I'm now seeing 30-40 bounceback emails a day originally sent from people spoofing my vanity domain - I haven't given any accounts out, of course. Makes me wonder how many of their emails got through to their victims, as these are just some of the failures. The most annoying part for me is that I see them come in batches - with very different originating IPs and to different mail servers for each message - so I don't know if it's a pack of zombies and my domain is one of the ones in rotation, picked out of someone's address book, or if someone is doing a deliberate joe-job on me.

    This ought to be considered actionable as a DOS attack - if companies start filtering out my domain name, I can't apply for jobs with them, for example. And if my upstream ever gets tired of explaining to idiots to read their headers instead of thinking it's me, then I'll have to hunt for another provider. Even without those reasons, it still takes me time every day to clean out my admin box so I can get my real mail. In fact, because I'm the only person at my vanity domain, and it's part of my online identity, it also ought to be considered slander for someone to pretend to be from my domain, because they're effectively claiming I'm sending these ads, etc.

    I hope SPF becomes generally accepted, and soon. I'm afraid it won't, though, because there are millions of people running old copies of MS Exchange, etc., and they probably won't want to pay to upgrade or take the performance hit to authenticate messages this way. Still, if I go ahead and stick the DNS entries in, it might at least prevent some of the damage.

    --
    Get off my launchpad!
  14. Re:Certificate based sender authentication by l3v1 · · Score: 4, Insightful

    Such a good thought that I was thinking and spreading this idea for a time. But I had to realize I can't succeed. Why ? Because while our IT friends use GPG, nobody else does it willingly. They all say it would make their life more difficult. Most of them out there don't even know what signing is, let alone GPG. My answer to that is as always: right, complaining is easier :P

    The problem all around spam is most of the users are just users. Don't understand, don't care, don't want to care. They just spread other people's viruses, spam, etc. without knowing or if knowing don't believeing they do much trouble by using crappy buggy and vulnerable sw.

    If I could afford the luxury to devnull all e-mails I receive that are not signed, I would never ever get spam, that's for sure. The problem is one can't easily talk others into GPG.

    They would much more easily turn into over-patented Microsoft solutions however crappy or overpatented they would be.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  15. Re:I've always wondered... by Doctor+Crumb · · Score: 5, Informative

    If your system asks the sending *server*, this is redundant, as you already know the sending server sent it, by definition.

    If your system asks the domain that the mail is supposedly from, then you may as well be using SPF, as it saves on network traffic and gets you the same answer.

  16. That's certainly not how I read it by mccalli · · Score: 5, Informative
    From the judgement:
    3. On the issue of ignoring patent claims, the working group has at least rough consensus that the patent claims should not be ignored. Additionally, there is at least rough consensus that the participants of the working group cannot accurately describe the specific claims of the patent application. This stems from the fact that the patent application is not publicly available. Given this, it is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application. We do feel that future changes regarding the patent claim or its associated license could significantly change the consensus of the working group, and at such a time it would be appropriate to consider new work of this type.

    Look closely. The wording to pay close attention to is "This stems from the fact that the patent application is not publicly available. Given this, it is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application.".

    In other words, we don't know what the patent is, so we shouldn't waste time doing any work an anything that might infringe it. That's significantly different to saying that the original patent-encumbered work won't be accepted, in fact the wording has been very carefuly picked to remain non-committal on that point.

    Next, look at an extract from point 4 of the summary:
    4. ...With regard to items 3 and 4 above, it is also the opinion of the co-chairs that any attempt by the MARID working group to define any new scopes other than "mailfrom" and "pra" for the SPF syntax will at this time result in failure to find consensus within the working group.

    In other words, not only the should the committee not waste its time until all the patent claims are made public, but neither should anybody else try submitting new things until the committee knows what's happening with the current proposals.

    I read the summary as a glorified "we can't know what to do as not all claims have been made public, so we'll just put everything off until the claims are fully known". Neither backing for, nor rejection of Sender-ID. And certainly nothing whatsoever about falling back purely onto SPF.

    Cheers,
    Ian

  17. Diplomacy: Patents have to be clear and public by Spoing · · Score: 4, Interesting
    This is a diplomactic negotiation.

    It's not over for Microsoft's efforts...though it's very close to being over. The important section that points this out -- with highlighted text -- is below;

    1. 3) On the issue of ignoring patent claims, the working group has at least rough consensus that the patent claims should not be ignored. Additionally, there is at least rough consensus that the participants of the working group cannot accurately describe the specific claims of the patent application. This stems from the fact that the patent application is not publicly available. Given this, it is the opinion of the co-chairs that MARID should not undertake work on alternate algorithms reasonably thought to be covered by the patent application. We do feel that future changes regarding the patent claim or its associated license could significantly change the consensus of the working group, and at such a time it would be appropriate to consider new work of this type.

    They aren't saying that the Microsoft patent (or any patent) is bad...they are saying that it can't be publically reviewed or is not clear enough to make a decision.

    This does give Microsoft some wiggle room if they want to 'clarify' what they mean...and in the course of that, possibly elminate the problems they originally introduced.

    Microsoft has a choice to either correct the mistakes (by 'clarifying' them) or what they contributed with patent encumberences will not be accepted.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.