Hotmail To Junk Non-Sender-ID Mail

William Robinson writes "If your e-mail does not have a Sender ID, Microsoft wants to junk your message. Somewhere after November, MSN and Hotmail will consider it as spam. Sender ID is a specification for verifying the authenticity of e-mail by ensuring the validity of the server from which the e-mail came. Some experts feel that 'Sender ID' is not an accepted standard and has many shortcomings. Some also feel that Microsoft is trying to strong-arm the industry into the adoption of an incomplete and not accepted standard."

Brilliant Move Microsoft. I salute you!

[cmefford]

Been wanting to get friends to get off the hotmail bandwagon for years. As an isp, I'd be telling my customers to tell their friends who use hotmail to get on the stick and go to yahoo or gmail before november so their ability to communicate isn't cut off. Please note, SenderID and SPF are both bad ideas. SPF didn't start off that way. In fact it made a strange kind of sense. It was co-opted. The IETF marid working group archives are a great place to go read about how MS really helped screw the pooch. Hotmail and MSN orphaning themselves is probably a good thing in the long run. It's a shame though. And yes, I publish spf records, no I do not make use of them. They are not useful.

Only if other ISPs go along with it

[matt_morgan]

This is a trial baloon. If some other big ISPs decide to go along with this, I can see it happening. If nobody else goes along with it, they won't enforce it. No need to panic here.

this one could be a problem for casual users

[yagu]

I've had my fun with e-mail spoofing, but now that e-mail is everywhere and used by almost everyone it's probably close to "time" for mechanisms and protocols that make e-mail more trustworthy and difficult to spoof (of course there are always going to be exceptions). But Microsoft contributes little by doing their own end run on the industry.

From the article:

Microsoft's unilateral move may hurt Internet users, he said. "Sender ID isn't widely deployed, meaning that average users are now at risk for having their legitimate e-mail tagged as spam when they send messages to Hotmail users."

Experts say one of the problems with Sender ID is that it doesn't work with e-mail forwarding services. The basic premise of Sender ID is to check if an e-mail that claims to be coming from a certain Internet domain is really being sent from the e-mail servers associated with that domain.

This opens up a huge can of worms... I don't quite get why Microsoft doesn't learn from past mistake^H^H^H^H^H^H^Hefforts. The unwashed masses (read, typical computer users) already deal daily with mind numbing quirky computer behavior (or lack of). For example (and I know I'm beating a dead horse (checkmate!)), Microsoft's morphing menus with chevrons, Microsoft's dumping of random files in random directories to mold their vision of a magical world (how many have been burned by the unexpected "thumbs.db" file in their picture folders?), and bizarro network settings (ever wonder why seemingly every computer in a home network gets configured with bridging?) -- these are just a few examples of things that confuse and irritate typical users, but the ripple effect is into the "support" community (that's us).

Rolling out this semi-baked quasi-standard e-mail device could wreak havoc with the e-mail users. I'm hoping whatever they do it's configured by default to not reject non-ID'ed e-mails. Regardless, unless and until there's a stronger and more mature standard, this one's trouble.

Re:Who uses hotmail?

[defkkon]

Unfortunately, yes.

There are a large number of people who haven't heard of Gmail. These are people who use the Internet to casually browse, and who check their email every other day. Hanging out in the geek community, its hard to believe people don't know their alternatives - but its true!

Many of these people view email as a very set-in-stone thing. Their friends and family all know their Hotmail address, and all their favourite news letters are delivered there. To them, its a huge pain in the arse to switch addresses. Its almost unthinkable.

Its these people that will happily put up with whatever Microsoft does to Hotmail, just so they don't have to bother with all this technical nonsense.

Home workers

[nagora]

So, how does this work for companies with large numbers of home-workers who are happily sending main aout throught their home ISP's with "spoofed" headers claiming, quite correctly, that their email comes from the company?

Frankly, Sender-ID is a dead duck for many reasons but the biggest is simply that many legitimate emails come from random IPs while plenty of spam comes from infected "authorised" machines.

This is just another, on a thirty-year-long run, example of the fact that when it comes to IT, MS is clueless. Business methods and the law are their fortes.

TWW

One little problem: MSN Messenger

[mindaktiviti]

MSN Messenger is the crazy glue that holds together the consumer with the hotmail account. I gave all of my friends gmail accounts which are far superior going by interface alone (and they agree with this). However because they use MSN Messenger they almost always prefer to check their hotmail accounts. What Google needs to do to successfully compete with MSN is to release their own messenger program that's tied in with GMail, only then will it be easier to switch your friends over to another free email service.

Re:Damn if they don't, damn if they do...

[I+confirm+I'm+not+a]

2. Microsoft fights SPAM. Slashdot equally outraged.
Conclusion: Microsoft is always evil no matter what they do.

Nope, Microsoft isn't fighting SPAM - if they were they'd be cooperating with the "rest of the Internet", instead of promoting their own proprietary scheme - SenderID - that's so un-open as to provoke this comment from the Apache Software Foundation:

We believe the current license is generally incompatible with open source, contrary to the practice of open Internet standards, and specifically incompatible with the Apache License 2.0. Therefore, we will not implement or deploy Sender ID under the current license terms.

Various other disparate organisations have raised similar concerns, eventually resulting in the IETF ditching Microsoft's proposal.

Microsoft, at least in this case, weren't interested in a working solution; they were interested in a Microsoft-friendly, FLOSS-hostile solution. Which is daft, given the open-source nature of most Internet technologies.

Re:Ambiguous praise

[squiggleslash]

In a world in which it costs $10 to register a new, throwaway, domain, I can assure you that having to "having to" put a fake return-address in your emails is even less necessary than it ever really was.

This is one of those utterly stupid "anti-spam" systems that just creates hastle for legitimate users while failing to take into account the actual effect it'll have on spam. It's moronic, the people proposing it are morons, and anyone blindly supporting it hasn't paid it more than a few seconds of thought.

Want to know why we have so much spam? Why it grows every year? Because the bulk of the "anti-spammers" are too myopic in their hatred of a minor technical problem to encourage and adopt solutions that'll work. Hence the ever increasing attempts to build increasingly ineffectual blacklists and whitelists. Meanwhile, the spammers simply increase the amount of stuff they send, knowing that if only 1% of their messages will get through, they have to send 100x as many messages. The entire thing has become nothing more than a game between anti-spammers creating little intellectual challenges and spammers solving them.

What is Sender-ID? A lemon. It solves the wrong issue. I want to be able to say "Have I given this entity permission to email me?" It says "Well, can't tell you that, but I'll tell you what, this is coming from an entity unwise enough to not protect their domain name with a list of 'legitimate' SMTP servers. So I'll junk it, because I think that's bad practice."

They're breaking email, and they don't care. As long as they can pretend it's the spammers that are at fault, like some thug that breaks all the windows of all the buildings owned by a particular landlord because one of the landlord's tenants in one particular building plays his music loudly at 3 in the morning, they can justify their actions to themselves in a fit of self-righteousness. Fuck 'em, and the horse they rode in on.

Re:strongarm what?

[zaxus]

GMail will integrate with a fat client over POP3. Check here: http://mail.google.com/support/bin/answer.py?answe r=12103&topic=194

Re:Stop using Hotmail

[Slipped_Disk]

As I understand it, you're wrong:
> You still have a trusted list that will redirect straight to the inbox.

According to the SenderID docs from Microsoft, your "trusted list" will NEVER BE CONSULTED -- the INBOUND SMTP SERVER will reject the message if there is no SPF record published, or if the originating mail server is not in the SPF record.

Ergo your filters never run - the message is never delivered to them because it is assumed that the message is spam.

Someone correct me if I'm wrong.

SPF spec author says: SenderID is crap

[wayne]

I am the current editor of the SPF specification. Both Meng Wong and I agree that SenderID is a horrible idea, that it doesn't work as well as SPF, and that SenderID is abusing current SPF records in incompatible way.

While both SPF and SenderID break on many forwarded emails, SenderID breaks on many mailing lists also. Moreover, one of the most promising solutions to the SPF forwarding problem (a specialized DNS server, as outlined in section 9.3.1.2 in the SPF spec) breaks when SenderID uses it.

So, SenderID is a patented system that is incompatible with many of the F/OSS mail servers that currently dominate the internet, it doesn't work as well as other technologies, it damages the use of SPF, and outside of MS, it is being used by almost no one.

If this was just a matter of hotmail and MSN hurting themselves, then I wouldn't have any problems with it. However, this appears to be a case of Microsoft working hard to hurt the entire internet email environment.

Re:One little problem: MSN Messenger

[Pxtl]

Because ICQ is a crufty old monster. Most of the people I know who use ICQ haven't used the official client in years - the official ICQ client is the fugliest piece of software I've ever seen. I use Miranda for both MSN and ICQ, but most of my friends have migrated from ICQ to MSN.

I think this is what happened: ICQ took a strangle-hold of Canada. Backwards Americans missed the boat. Then, Mirabilis/AOL ran ICQ down the tubes by bloating it into a monstrous, crufty piece of crap. As a reaction, users migrated to the IM program that was already residing on their computer (and, at the time, launched automatically when you opened OE).

Re:Nothing wrong with that

[Ryosen]

Hotmail people will have to check their spam folder so regularly for for things that aren't actually spam that Sender-ID will just annoy them so much that they'll abandon Hotmail.

That's not how SenderID works. The emails that fail validation will be refused. They will not be forwarded to a user's spam folder.

Microsoft can push SenderId all that they want. All that they will accomplish is excluding their domains from useful communication. This will be rolled back in under 60 days, if it is implemented at all.

I can't think of any companies that are going to make considerable modifications to their email systems just to please Microsoft (or any other for that matter). Furthermore, the use of SenderId/SPF breaks some email delivery features (such as forwarding).

I think that it's great that a company like pobox.com is financing the implemntation of SPF on the OSS side, but I don't expect a wide-spread adoption given the administration costs. Also, I feel compelled to ask, is Microsoft truly doing this to combat spam or do they want to force people to upgrade to Exchange 2006? And SenderId itself will never become a standard protocol as long as M$ owns it. There is too much concern that they would try to lock out OSS from implementing a protocol that they own the rights to.

It's a valid cause but the implementation is flawed and doomed for failure.