Hotmail To Junk Non-Sender-ID Mail
William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."
This means that I will stop using Hotmail -- go figure!
Zhrodague.net - I do projects and stuff too.
...to verify where this story came from. I'm sorry, it'll have to be rejected.
I've fallen off your lawn, and I can't get up.
Been wanting to get friends to get off the hotmail bandwagon for years. As an isp, I'd be telling my customers to tell their friends who use hotmail to get on the stick and go to yahoo or gmail before november so their ability to communicate isn't cut off. Please note, SenderID and SPF are both bad ideas. SPF didn't start off that way. In fact it made a strange kind of sense. It was co-opted. The IETF marid working group archives are a great place to go read about how MS really helped screw the pooch. Hotmail and MSN orphaning themselves is probably a good thing in the long run. It's a shame though. And yes, I publish spf records, no I do not make use of them. They are not useful.
If we all buy Microsoft email servers it will be a standard, won't it.
This is a trial balloon. If some other big ISPs decide to go along with this, I can see it happening. If nobody else goes along with it, they won't enforce it. No need to panic here.
"We think Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard".
Gee, when's the last time this happened?
Personally, it will only be a matter of time until the spammers figure out a way to get around this. End result: a serious pain for everyone that accomplishes nothing.
Despite the fact that Hotmail will only be using SPF v2 records to do the filtering, it seems that Hotmail themselves haven't bothered yet to publish one: http://www.dnsstuff.com/tools/lookup.ch?type=TXT&name=hotmail.com
I've had my fun with e-mail spoofing, but now that e-mail is everywhere and used by almost everyone it's probably close to "time" for mechanisms and protocols that make e-mail more trustworthy and difficult to spoof (of course there are always going to be exceptions). But Microsoft contributes little by doing their own end run on the industry.
From the article:
This opens up a huge can of worms... I don't quite get why Microsoft doesn't learn from past mistake^H^H^H^H^H^H^Hefforts. The unwashed masses (read, typical computer users) already deal daily with mind numbing quirky computer behavior (or lack of). For example (and I know I'm beating a dead horse (checkmate!)), Microsoft's morphing menus with chevrons, Microsoft's dumping of random files in random directories to mold their vision of a magical world (how many have been burned by the unexpected "thumbs.db" file in their picture folders?), and bizarro network settings (ever wonder why seemingly every computer in a home network gets configured with bridging?) -- these are just a few examples of things that confuse and irritate typical users, but the ripple effect is into the "support" community (that's us).
Rolling out this semi-baked quasi-standard e-mail device could wreak havoc with the e-mail users. I'm hoping whatever they do it's configured by default to not reject non-ID'ed e-mails. Regardless, unless and until there's a stronger and more mature standard, this one's trouble.
Hotmail and MSN will flag as potential spam those messages that do not have the tag to verify the sender
It's only fair cause we already tag mail from those domains as potential spam.
And Mailinator does a better job at throwaway addresses anyways.
I wonder if G-Mail will be out of Beta by then? That could be an interesting opportunity for Google.
Anyway, G-Mail is already so superior to Hotmail, in both the interface and spam blocking, I can't imagine why people still use Hotmail.
1. Microsoft (virri vulnerabilities) causes SPAM. Slashdot outraged.
2. Microsoft fights SPAM. Slashdot equally outraged.
Conclusion: Microsoft is always evil no matter what they do.
I bet that if it was a story about Gmail then it would be a great idea, because Google never does evil.
Karma: Positive (probably because of superiour intellect)
There are a large number of people who haven't heard of Gmail. These are people who use the Internet to casually browse, and who check their email every other day. Hanging out in the geek community, it's hard to believe people don't know their alternatives - but it's true!
Many of these people view email as a very set-in-stone thing. Their friends and family all know their Hotmail address, and all their favourite news letters are delivered there. To them, it's a huge pain in the arse to switch addresses. It's almost unthinkable.
It's these people that will happily put up with whatever Microsoft does to Hotmail, just so they don't have to bother with all this technical nonsense.
Every time RBLs are discussed here, there are a great many comments (quite a lot at +5) to the effect of "they're my mail servers, I can drop any mail I want to" from those defending their use of the various RBLs.
How is this any different?
It's official. Most of you are morons.
Frankly, Sender-ID is a dead duck for many reasons but the biggest is simply that many legitimate emails come from random IPs while plenty of spam comes from infected "authorised" machines.
This is just another, on a thirty-year-long run, example of the fact that when it comes to IT, MS is clueless. Business methods and the law are their fortes.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Hotmail has been on a steady decline ever since Microsoft bought it. Just compare it to gmail or yahoo (which you CAN use with almost ANY useragent, even ones that don't support javascript). Most other webmail providers are now more robust, with a cleaner interface.
Not to mention you don't have to worry about them trashing your Non-Sender-ID emails.
"Is this just useless, or is it expensive as well?"
Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard.
...And some (like me) feel that anything from
Hotmail most likely counts as spam anyway, and
have the entire domain in my filter list.
So Hotmail can't get mail from me anymore. Boo-frickin'-hoo. What next, AOL doing the same? Then perhaps Yahoo?
Sorry, but until a major provider that matters picks an anti-spam tech, they will accomplish nothing more than effectively depriving their customers from using email.
That's untrue!
It will stop SPAM that is from a forged sender, which is a non-trivial amount.
Meaning, I can't send you a message purporting to be from billgates@microsoft.com, which is how things are right now.
Look over your SPAM headers, and you'll see, most of the return-addresses do not match the machine that relayed the message.
One invite already gone, 49 to go. :-)
Nothing to see here. Move along.
MSN Messenger is the crazy glue that holds together the consumer with the hotmail account. I gave all of my friends gmail accounts which are far superior going by interface alone (and they agree with this). However because they use MSN Messenger they almost always prefer to check their hotmail accounts. What Google needs to do to successfully compete with MSN is to release their own messenger program that's tied in with GMail, only then will it be easier to switch your friends over to another free email service.
Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard.
Let me guess, the story submitter is a Wikipedian? Let's try to avoid weasel terms. Unlike Wikipedia, Slashdot has no neutrality obligation, but if you want to attack something then be clear about it. Don't be redundant either; if a web standard is not accepted by the W3C (the only real web standards authority), then it is not a standard. Let me show you:
Opponents believe the non-standard 'Sender ID' is flawed, and that Microsoft is trying to force the industry to adopting an incomplete protocol.
See? It's shorter, unequivocal while maintaining all previous meaning. Weasel words do not sanitize an opinion in any way.
-- User:Xmnemonic
Microsoft has been using this kind of "embrace and extend" or pure "we implement and damned what everyone says" with their OS for so long, that they have forgotten how to do anything else. They're going to have quite a wakeup call when they try this in a market where they're far from being the main dominant force.
---- Take the Space Quiz!
Well that cinches it... now I can block Hotmail permanently, since they are refusing to deliver mail from my legitimate MX.
There are lots of alternatives to using Hotmail... Gmail, Yahoo mail, and others. Use them instead.
99% of the mail coming from Hotmail is spam anyway, so this gives me more reason to stop the spam coming from Hotmail to my users. I'm protecting my users by blocking Hotmail.
I for one am tired of Microsoft claiming to embrace standards by strangling off the air from the lungs of the real standards bodies. When Sender-ID is a widespread industry standard (i.e. in every MTA without patching), THEN I'll begin working with Microsoft to stop spam.
I will not be strong-armed by Microsoft, ever, especially where it affects MY server and MY users and MY mail. Period.
Until their OS stops being a malware replication engine, their services stop harboring spammers by the millions, and their patches actually FIX problems instead of CAUSING them, they can go pound sand.
Heh... I use a GMail account for normal use, and have a Hotmail account for use with Hotmail users. (it appears that Hotmail automatically blocks GMail e-mails)
I tell the person in the first e-mail (from the Hotmail account) to make my GMail address a contact - therefore whitelisting it. I also usually send a GMail invite their way once they whitelist me.
My mail server stopped accepting mail from hotmail over 2 years ago.
I've been using hotmail for years, way before MS ever owned hotmail. At the time I signed up for hotmail everyone was chilling with their @netcom or any similar isp branded e-mail. If you're anything like me you've gone through a couple ISPs over the last 10 years. You also are probably aware what a PITA it is to change e-mail addresses. That's why I've stuck with hotmail all these years.
I have a g-mail account, it's pretty awesome and probably better than hotmail... but one feature that hotmail has over other web-based e-mails is easy integration with a fat-client e-mail system.
I've yet to see a web-based client that can handle my e-mail needs... Even MS's OWA isn't a replacement for outlook.
I know there will be a flurry of flames about using outlook, etc etc... but the bottom line is that nothing integrates better for my needs, my palm, my blackberry, my non-work hotmail, owa, etc.
My basic point is that there are at least some merits to using hotmail.
Your mammas flamebait.
a lot of people use MSN... as much as I don't like it, I have to use it to keep in touch with most of my non-tech-savvy friends, who won't use any other IM...
And to use MSN you need a hotmail account.
Google still has a lot of public awareness ground to cover IMO... when I give out my gmail address, some people ask me "so you work for the government?"
I've never had an hotmail.com or msn.com account and I've been using msn messenger for years. Go visit passport.com and register your email address with them. No, they don't spam. Never.
This is your sig. There are thousands more, but this one is yours.
This is one of those utterly stupid "anti-spam" systems that just creates hassle for legitimate users while failing to take into account the actual effect it'll have on spam. It's moronic, the people proposing it are morons, and anyone blindly supporting it hasn't paid it more than a few seconds of thought.
Want to know why we have so much spam? Why it grows every year? Because the bulk of the "anti-spammers" are too myopic in their hatred of a minor technical problem to encourage and adopt solutions that'll work. Hence the ever increasing attempts to build increasingly ineffectual blacklists and whitelists. Meanwhile, the spammers simply increase the amount of stuff they send, knowing that if only 1% of their messages will get through, they have to send 100x as many messages. The entire thing has become nothing more than a game between anti-spammers creating little intellectual challenges and spammers solving them.
What is Sender-ID? A lemon. It solves the wrong issue. I want to be able to say "Have I given this entity permission to email me?" It says "Well, can't tell you that, but I'll tell you what, this is coming from an entity unwise enough to not protect their domain name with a list of 'legitimate' SMTP servers. So I'll junk it, because I think that's bad practice."
They're breaking email, and they don't care. As long as they can pretend it's the spammers that are at fault, like some thug that breaks all the windows of all the buildings owned by a particular landlord because one of the landlord's tenants in one particular building plays his music loudly at 3 in the morning, they can justify their actions to themselves in a fit of self-righteousness. Fuck 'em, and the horse they rode in on.
You are not alone. This is not normal. None of this is normal.
Some of you might find this interesting. I was working with an Email list for job applicants to my company this morning. I decided to do a quick analysis of what domain these candidates had their Email at.
These are applicants for an entry-level blue collar job. They're supposed to be at least 21 years old, but at this point of the employment process, that hasn't been verified yet. About 2/3 of our applicants are male. We have locations in all 50 US states, as well as Puerto Rico and Canada.
yahoo.com 7110
aol.com 3255
hotmail.com 2857
msn.com 556
sbcglobal.net 539
comcast.net 334
bellsouth.net 293
earthlink.net 134
gmail.com 132
cox.net 118
I'm not sure what this all means, but it does explain why you're having trouble finding a Yahoo ID that hasn't already been taken.
It's the land of the brave, and the home of the free
Where the less you know, the better off you'll be.
Nope, you were clear. Unfortunately, what is also clear is that MS doesn't have our collective environment at heart.
They tried to get a standard in place that could not be implemented with open source. There's restrictive licensing and I think a patent as well. This is a move to benefit their Server business to the detriment of Open Source Mail servers everywhere.
Since they wouldn't drop the restrictions against open source, the initiative was refused. So now they are going to use their marketing muscle to force it down our throats as a de facto standard anyways.
Microsoft's gesture could be characterized more as a middle finger than an olive branch.
GMail will integrate with a fat client over POP3. Check here: http://mail.google.com/support/bin/answer.py?answer=12103&topic=194
/. zen: Imagine a Beowulf cluster of Beowulf clusters...
Yes. A lot of ordinary users use it. Examining a database of customer addresses from people who have contacted technical support where I work, I see the following:
Those are all the ones that are above 1%.
It will stop SPAM that is from a forged sender
Bullshit. It will do no such thing.
Most spam comes from trojaned machines (zombie networks), and there is *NOTHING* that will stop the trojan authors from simply having the zombie do a whois lookup and setting the return address to something that will bypass sender checks (even if it means sending through an upstream mail server.)
Result? The From: address will still be forged, legitimate forwarded email is stopped, nobody wins.
Look over your SPAM headers, and you'll see, most of the return-addresses do not match the machine that relayed the message.
Which *WILL NOT CHANGE*, even with SPF.
And as someone else said, there is *nothing* to stop a spammer from spending $10 to register a domain, spamming for a week or two using Sender ID/SPF legitimately, then abandoning the domain if it gets blacklisted.
If you think this is an anti-spam measure, then you really don't have a clue as to how email operates, or how spammers operate, or both.
Ah, the Google Alternative for Instant Messaging. The name finally makes sense! :)
While both SPF and SenderID break on many forwarded emails, SenderID breaks on many mailing lists also. Moreover, one of the most promising solutions to the SPF forwarding problem (a specialized DNS server, as outlined in section 9.3.1.2 in the SPF spec) breaks when SenderID uses it.
So, SenderID is a patented system that is incompatible with many of the F/OSS mail servers that currently dominate the internet, it doesn't work as well as other technologies, it damages the use of SPF, and outside of MS, it is being used by almost no one.
If this was just a matter of hotmail and MSN hurting themselves, then I wouldn't have any problems with it. However, this appears to be a case of Microsoft working hard to hurt the entire internet email environment.
SPF support for most open source mail servers can be found at libspf2.
Because ICQ is a crufty old monster. Most of the people I know who use ICQ haven't used the official client in years - the official ICQ client is the fugliest piece of software I've ever seen. I use Miranda for both MSN and ICQ, but most of my friends have migrated from ICQ to MSN.
I think this is what happened: ICQ took a strangle-hold of Canada. Backwards Americans missed the boat. Then, Mirabilis/AOL ran ICQ down the tubes by bloating it into a monstrous, crufty piece of crap. As a reaction, users migrated to the IM program that was already residing on their computer (and, at the time, launched automatically when you opened OE).
I use 2 Hotmail accounts. The first gets NOTHING but spam. In fact, I have a rule setup that just deletes it all. I really should change that, but the idea that all that spam is impacting their server gives me a warm feeling. The other, I use for anything that I need to fill out. If it happens to generate spam or can I use that.
Look, I don't mind M$ doing stupid things like this. How big of a share does Hotmail have? Probably not much. The more people have problems with it the more they'll stay away. Even better! I live for the day M$ is reduced to an applications company. Where Windows no longer exists. Where THEY are dependent upon licenses from vendors. Total destruction would be nice but I can live with "just another player."
I'm convinced M$ is inherently evil. Like murder, molestation, Satan, Eminem. The world would be much better off without it.
Why? I have no idea. I'm guessing it's Microsoft's way of throwing "Sign-up for Hotmail!" signs when you're filling up your info in MSN Messenger.
Personally, I hate Hotmail. Yahoo! and GMail upgrade all their users' space at the same time. As for Hotmail, it still has my account at *2 megs*, the same limit it had since *1998*, when I signed up for it. I wrote an email to Support asking if they were planning on upgrading my account and they just advertised Hotmail Plus!, the paid version.
(joke)My guess is that they still have my account stored in an old Solaris box and they can't find where it is.(/joke) I haven't used my Hotmail account for a long time now, but I keep it around just in case some distant family member who got my email 5 years ago tries to contact me -- yes, it happens more often than I expected.
Bored? Browse Slashdot with a +6 modifier for Troll comme
I have friends that use each of the services. I use Gaim and the problem is solved.
Hotmail people will have to check their spam folder so regularly for things that aren't actually spam that Sender-ID will just annoy them so much that they'll abandon Hotmail.
That's not how SenderID works. The emails that fail validation will be refused. They will not be forwarded to a user's spam folder.
Microsoft can push SenderId all that they want. All that they will accomplish is excluding their domains from useful communication. This will be rolled back in under 60 days, if it is implemented at all.
I can't think of any companies that are going to make considerable modifications to their email systems just to please Microsoft (or any other for that matter). Furthermore, the use of SenderId/SPF breaks some email delivery features (such as forwarding).
I think that it's great that a company like pobox.com is financing the implementation of SPF on the OSS side, but I don't expect a wide-spread adoption given the administration costs. Also, I feel compelled to ask, is Microsoft truly doing this to combat spam or do they want to force people to upgrade to Exchange 2006? And SenderId itself will never become a standard protocol as long as M$ owns it. There is too much concern that they would try to lock out OSS from implementing a protocol that they own the rights to.
It's a valid cause but the implementation is flawed and doomed for failure.
Ryosen
One man's "Troll, +1" is another man's "Insightful, +1".
Look, who cares if SPF breaks things. The things it breaks aren't really that important, and the internet email system is so clogged with spam it's worthless anyway.
autopr0n is like, down and stuff.
Yes, everyone can crapflood hotmail through your server (for a short period of time), but the flood is a lot easier to stop with SPF required.
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
H3RBAL VI@GRA???
...because "hacker" sounds way sexier than "code drone."
Get it here.
...because "hacker" sounds way sexier than "code drone."
What administration costs? It took about 10 minutes for me to create and install an SPF record for my site.
As for supporting it on the other side, future releases of mail software will do so the next time I would have upgraded anyway.
I'm all for it. You would not believe the number of phishing emails, purporting to be from my site, that say, "Your account information is enclosed. Please open and read."
It may break some forwarding, but I'd rather END phishing and trojans. Besides, we're not supposed to be open relaying anyway...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
While I agree with everything you said (except that you imply that Sender-ID might actually work, when it doesn't) it's important to distinguish between SPF and Sender-ID.
SPFv1 is an anti-forgery system that works. It does not claim to do anything whatsoever to stop spam. But, preventing forgery is necessary before you CAN do anything to stop spam (think about it).
SenderID, AKA SPFv2(pra) is an attempt by Microsoft to seize control over an open standard (SPFv1) so that they can control who gets to send email and who doesn't. They claim it prevents forgery (but it doesn't) and that it does not break some forms of forwarding the way SPF does (they lie) and that it is open (actually, they've submarine-patented parts of it) and that it is an anti-spam measure (which it wouldn't be even if it worked).
Once someone really understands these two facts, all becomes clear. The 800-pound gorilla is beating its chest and waving its tiny pecker around, hoping you will either be afraid enough to adopt MS-controlled SenderID, or outraged enough to not adopt open, useful SPFv1.
For more information you might want to read some SPF-discuss list threads.
It's not exactly difficult to add an SPF record for your mailserver
Unless your primary e-mail account is with a provider that offers POP3 and IMAP but not SMTP (e.g. spamcop.net), and you must forge your own address through your ISP's outgoing server. Or unless your primary e-mail account is with your ISP and your ISP hasn't implemented SPF. How should one handle that situation?
Not true. A lot of spam is now sent via thousands of zombies which would be nearly impossible to encompass in an SPF record.
It is true that SPF will not stop spam on its own. As part of the whole puzzle, SPF is best used along with a reputation system if you want to stop spam.
There are some problems for legitimate senders and are confined to situations where there is unknown or uncontrollable forwarding going on. There are ways around these problems too (SRS et al...)
Another problem is that M$ is trying to co-opt SPF with this "Sender-ID" which is NOT the same thing!
--
I use Gaim and the problem is solved.
Not really. You're still using the service, even if you're not using the official client. And you have to have an account for each of the services you want to use (AIM, Yahoo, MSN, Jabber, etc). I for one refuse to sign up for an MSN account of any sort. Using its messaging service with or without the official client ranks only slightly lower on my not-gonna-do-it list. Then again, if that doesn't bother you, then for you, the problem is solved.
I'm making a
Each of the established IMs have millions or tens of millions of subscribers
That's why GAIM is the answer. Everyone I've given it to loves it. GAIM is one of the most useful OSS apps available on Windows. Its handling of multiple IM protocols simultaneously easily trumps all other clients.
"I assumed blithely that there were no elves out there in the darkness"
we need a "get in" based system and I think MS is trying to get some accountability on the ISP side.. of course the purpose of email is to contact people you don't know... that's what this wrecks. We need a new protocol like customized Jabber or some kind of pre-authorized opt-in agreement between companies. So I can pre authorize to your companies servers, then send away. of course the OTHER big thing is SOX requiring all sorts of tracking and documentation.. SOX alone is enough to kill email as we know it... we need something between email, IM, slashdot, and blogs. Due to SOX "private" email will be dead at most companies anyway... so a more forum based alternative may be better.
Again, MS holds the current customers, but oss holds the long term lead. if we can get enough admins to switch over... we've got to gun for an incompatible exchange replacement and do it better.. if MS is calling it, then let's break it better..and faster... there's no way they could keep up.
Let's run through it. I want to send spam from buymycrap.com e-mail addresses to hotmail users.
I have a buddy at buyhiscrap.com who has a mail server he'll let me use.
I add an spf record for my domain that says "yes, the buyhiscrap.com mail server is allowed to send mail for the buymycrap.com domain".
I start spamming hotmail.
Hotmail says "don't accept any e-mail from buymycrap.com e-mail addresses"
I can only send e-mail from spf-validated mail servers, so the mail has to go through a published mail-server (no zombies, open relays, etc)
I try to send more spam to hotmail.
I can't.
I buy a new domain name. Rinse, repeat.
The burden in this scenario has just shifted from the receiving mail server to the spammer. Now the spammer has to do more legwork and the hotmail mail server admin has to do less.
When you get to the "MAIL FROM:" part of the SMTP conversation, you have total control over what happens, which means you don't have to play games with mail from: versus reply-to: addresses. If I'm not sending through a server that's supposed to be sending mail for the domain in my mail from: address, the connection is dropped. If I have that right, and I've offended the mail server admin with previous messages from that domain, the connection *can* be dropped (before a message gets transmitted).
"Murphy was an optimist" - O'Toole's commentary on Murphy's Law
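The receiver-side check described in the comment above, and the forwarding breakage raised elsewhere in the thread, as an added example that is not part of the original discussion. It evaluates a subset of SPF (`ip4`, `a`, `mx`, `include`, `all`) against the envelope MAIL FROM domain; the DNS data, IP addresses, function names and reply texts are constructed assumptions, and Sender ID's header-based check is not modelled.

```python
import ipaddress

# Constructed DNS data (documentation address ranges); stands in for live lookups.
TXT = {
    "buymycrap.com": "v=spf1 include:buyhiscrap.com -all",
    "buyhiscrap.com": "v=spf1 mx ip4:198.51.100.0/28 -all",
}
MX = {"buyhiscrap.com": ["mail.buyhiscrap.com"]}
A = {"mail.buyhiscrap.com": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on mechanisms that cause DNS queries


def check_host(ip, domain, _budget=None):
    """Return the SPF result for client `ip` claiming to send for `domain`."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = TXT.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"  # domain publishes no SPF policy
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "mx":
            matched = any(ip in A.get(h, []) for h in MX.get(arg or domain, []))
        elif name == "include":
            inner = check_host(ip, arg, budget)
            if inner in ("permerror", "temperror"):
                return inner
            if inner == "none":
                return "permerror"  # include target has no record
            matched = inner == "pass"  # an inner fail only means "no match"
        else:
            return "permerror"  # terms outside the subset handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def mail_from_reply(client_ip, mail_from, blocked_domains=()):
    """SPF result and SMTP reply a receiver could give at MAIL FROM."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_host(client_ip, domain)
    if result == "fail":
        return result, "550 SPF fail: %s not authorised for %s" % (client_ip, domain)
    if result == "pass" and domain in blocked_domains:
        # A pass only authenticates the domain; reputation is a separate decision.
        return result, "550 mail from %s refused by local policy" % domain
    return result, "250 OK"


if __name__ == "__main__":
    cases = [
        ("published server", "192.0.2.25", "offers@buymycrap.com", ()),
        ("unlisted host", "203.0.113.77", "offers@buymycrap.com", ()),
        ("domain blocklisted", "192.0.2.25", "offers@buymycrap.com", {"buymycrap.com"}),
        ("direct delivery", "198.51.100.3", "alice@buyhiscrap.com", ()),
        ("forwarded, same MAIL FROM", "203.0.113.9", "alice@buyhiscrap.com", ()),
    ]
    for label, ip, sender, blocked in cases:
        print(label, "->", mail_from_reply(ip, sender, blocked))
```

The last two cases show the forwarding problem: the same message passes when delivered directly and fails once a forwarder relays it with the original envelope sender.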