Hotmail To Junk Non-Sender-ID Mail

William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."

Big Surprise

[alvinrod]

From the article:

"We think Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard".

Gee, when's the last time this happened?

Personally, it will only be a matter of time until the spammers figure out a way to get around this. End result: a serious pain for everyone that accomplishes nothing.

Do as I say, not as I do

[asc4]

Despite the fact that Hotmail will only be using SPF v2 records to do the filtering, it seems that Hotmail themselves haven't bothered yet to publish one: http://www.dnsstuff.com/tools/lookup.ch?type=TXT&n ame=hotmail.com

this one could be a problem for casual users

[yagu]

I've had my fun with e-mail spoofing, but now that e-mail is everywhere and used by almost everyone it's probably close to "time" for mechanisms and protocols that make e-mail more trustworthy and difficult to spoof (of course there are always going to be exceptions). But Microsoft contributes little by doing their own end run on the industry.

From the article:

Microsoft's unilateral move may hurt Internet users, he said. "Sender ID isn't widely deployed, meaning that average users are now at risk for having their legitimate e-mail tagged as spam when they send messages to Hotmail users."

Experts say one of the problems with Sender ID is that it doesn't work with e-mail forwarding services. The basic premise of Sender ID is to check if an e-mail that claims to be coming from a certain Internet domain is really being sent from the e-mail servers associated with that domain.

This opens up a huge can of worms... I don't quite get why Microsoft doesn't learn from past mistake^H^H^H^H^H^H^Hefforts. The unwashed masses (read, typical computer users) already deal daily with mind numbing quirky computer behavior (or lack of). For example (and I know I'm beating a dead horse (checkmate!)), Microsoft's morphing menus with chevrons, Microsoft's dumping of random files in random directories to mold their vision of a magical world (how many have been burned by the unexpected "thumbs.db" file in their picture folders?), and bizarro network settings (ever wonder why seemingly every computer in a home network gets configured with bridging?) -- these are just a few examples of things that confuse and irritate typical users, but the ripple effect is into the "support" community (that's us).

Rolling out this semi-baked quasi-standard e-mail device could wreak havoc with the e-mail users. I'm hoping whatever they do it's configured by default to not reject non-ID'ed e-mails. Regardless, unless and until there's a stronger and more mature standard, this one's trouble.

Re:Who uses hotmail?

[defkkon]

Unfortunately, yes.

There are a large number of people who haven't heard of Gmail. These are people who use the Internet to casually browse, and who check their email every other day. Hanging out in the geek community, its hard to believe people don't know their alternatives - but its true!

Many of these people view email as a very set-in-stone thing. Their friends and family all know their Hotmail address, and all their favourite news letters are delivered there. To them, its a huge pain in the arse to switch addresses. Its almost unthinkable.

Its these people that will happily put up with whatever Microsoft does to Hotmail, just so they don't have to bother with all this technical nonsense.

Home workers

[nagora]

So, how does this work for companies with large numbers of home-workers who are happily sending main aout throught their home ISP's with "spoofed" headers claiming, quite correctly, that their email comes from the company?

Frankly, Sender-ID is a dead duck for many reasons but the biggest is simply that many legitimate emails come from random IPs while plenty of spam comes from infected "authorised" machines.

This is just another, on a thirty-year-long run, example of the fact that when it comes to IT, MS is clueless. Business methods and the law are their fortes.

TWW

Re:strongarm what?

[Launch]

I've been using hotmail for years, way before MS ever owned hotmail. At the time I signed up for hotmail everyone was chilling with their @netcom or any simular isp branded e-mail. If you're anything like me you've gone through a couple ISPs over the last 10 years. You also are probably aware what a PITA it is to change e-mail addresses. That's why I've stuck with hotmail all theses years.

I have a g-mail account, it's pretty awesome and probably better then hotmail... but one feature that hotmail has over other web-based e-mails is easy integration with a fat-client e-mail system.

I've yet to see a web-based client that can handle my e-mail needs... Even MS's OWA isn't a replacement for outlook.

I know there will be a flurry of flames about using outlook, etc etc... but the bottom line is that nothing integrates better for my needs, my palm, my blackberry, my non-work hotmail, owa, etc.

My basic point is that there are at least some merrits to using hotmail.

Re:Stop using Hotmail

[Slipped_Disk]

As I understand it, you're wrong:
> You still have a trusted list that will redirect straight to the inbox.

According to the SenderID docs from Microsoft, your "trusted list" will NEVER BE CONSULTED -- the INBOUND SMTP SERVER will reject the message if there is no SPF record published, or if the originating mail server is not in the SPF record.

Ergo your filters never run - the message is never delivered to them because it is assumed that the message is spam.

Someone correct me if I'm wrong.

Re:One little problem: MSN Messenger

[Pxtl]

Because ICQ is a crufty old monster. Most of the people I know who use ICQ haven't used the official client in years - the official ICQ client is the fugliest piece of software I've ever seen. I use Miranda for both MSN and ICQ, but most of my friends have migrated from ICQ to MSN.

I think this is what happened: ICQ took a strangle-hold of Canada. Backwards Americans missed the boat. Then, Mirabilis/AOL ran ICQ down the tubes by bloating it into a monstrous, crufty piece of crap. As a reaction, users migrated to the IM program that was already residing on their computer (and, at the time, launched automatically when you opened OE).

Re:Brilliant Move Microsoft. I salute you!

[thdexter]

Hmm.

I have a domain, glitterandtwang.org, which is hosted by suffusions.net. Suffusions.net has an SMTP server, but it requires authentication (in the form of having checked your email in the last 15 minutes over POP) and so I use my ISP's SMTP server. So my email is from dexter@suffusions.net, but it's sent from adelphia.net... am I going to be shitlisted by everybody with SPF and Sender ID?

Re:SPF spec author says: SenderID is crap

[wayne]

Now what's your option on DomainKeys?

I like the concept of using cryptographic methods to protect the mail headers and body. I think that is the most promising approach. That said, crypto solutions like DomainKeys is not without problems.

Crypto solutions breaks on way too many mailing lists and more than a few email forwarders because content is often added (ads on the bottom) or changed (spam/virus filtering), and this breaks the crypto signatures.

Also, there is also a real problem with replaying a message. You just can't distinguish a Yahoo customer sending a message to a large mailing list, and a spammer who signs up with Yahoo, sends a message to themselves, and then redistributes that correctly signed email to their list of 50 million victims.

There are various ways to try and solve to both of these problems, but none of the solutions are very clean and probably not very effective.

I think that if there was a nice, clean solution to the forged email problem, it would have been discovered many years ago.

I think the crypto solutions, and things like SPF (or DMP, or RMX, or any of the other LMAP-type solutions) can help each other out. SPF primarily fails on forwarded email, while the crypto solutions primarily fail on mailing lists. If all email uses both, it can help automate the detection of forwarders and mailing lists, and then you can know which system to use for each email.

DomainKeys is not the only crypto solution, there is also IIM, and META-signatures. I actually like the latter two better because I think they handle the problems with mailing lists better. Yahoo and Cisco have announced that they are merging DK and IIM into a single spec, but they haven't released the spec yet, and the details will be very important.

Domainkeys, like SenderID, has two other problems that could cause problems for the F/OSS world of email. First off, Yahoo has patents on DomainKeys and their license isn't (currently) compatible with many F/OSS software. I suspect that Y! will be much more willing to make changes to their license than MS was, but who knows. Secondly, like SenderID, it turns out that DomainKeys is already trademarked by someone else and this could cause lots of legal fun for the parties involved.