Slashdot Mirror


Microsoft and Yahoo! Fight Spam - Sort Of

kyndig writes "In a Forbes article, Microsoft claims that 90% of email on the internet is spam. To fight this, Yahoo! has teamed with Cisco in developing DKIM, a signature-based email authentication. Not to be outdone, Microsoft is proposing SenderID, which examines an email to see if it is coming from an authorized server. Earthlink's chief technology officer, Tripp Cox, goes on to examine the pros and cons of each specification and provides practical application results." From the article: "Critics have accused Microsoft of forcing SenderID on the industry without addressing questions about perceived shortcomings. The company drew fresh criticism recently when reports claimed that its Hotmail service would delete all messages without a valid SenderID record beginning in November. While AOL uses SPF, many e-mail systems do not. If Microsoft went through with this, for example, a significant portion of valid e-mails would never reach intended Hotmail recipients."

10 of 344 comments

  1. Bad news by mfloy · · Score: 4, Insightful

    This has bad news written all over it. These companies are going to try and use their size to push their technologies on everyone else. This will result in systems that are beneficial for Yahoo and Microsoft, but that don't address the needs of everyone else. If something like this is done, it should be done internationally by a group of companies and individuals from a variety of backgrounds.

  2. what should be done by hsmith · · Score: 3, Insightful

    is all the major companies sit down and design a new email system. the current email system is like a sinking boat they are trying to patch and prevent it from reaching the bottom. now, everyone is going their own separate way (MS, Yahoo), where there will be no standard. the whole system needs to be scrapped and rebuilt from the ground up taking into consideration spam, which was never present when the system was designed.

  3. The problem... Meetings by Alex+P+Keaton+in+da · · Score: 4, Insightful

    One of the main problems with this, in my OPINION, is that corporations can't keep up with individuals. It is sort of like how guerrillas, from the time of the US colonies to Vietnam, have been able to put a hurting on huge armies.
    Corporations aren't as light on their feet as spammers and internet miscreants (for the most part- I know I am speaking in generalities).
    It takes many meetings over years it seems (Meetings- None of us is as dumb as all of us...) to come up with a new policy or system regarding spam etc.- committees are formed, proposals made etc. Then, someone (or group) without meetings, without authorizations, comes up with a way around the new system.
    As has been said a zillion times before on here, by people more intelligent than I- the only way to stop Spam is to make it not pay, by having no one respond to it. It is like Drugs or Prostitution- if there were no client base, there would be no sellers....

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
  4. Re:All things considered, not a good thing by Phrack · · Score: 3, Insightful

    SpamAssassin reduces my spam by 98%. That's just one example of filters... the point being that the more filters deployed out there (at ISPs, companies, etc), the more spam gets auto-tossed into the bit-bucket, and the less economically viable it is. Simply starve the market, requiring no protocol changes.

    --
    Dump the IRS - http://www.fairtax.org
  5. What About by Noodlord · · Score: 3, Insightful

    PGP keys? I thought people knew about and used these. With a pgp key, it is signed with an encrypted hash, and you have the option of encrypting the message alongside it. Once this is done, you know an email is coming from a valid user because it contains their key. These are already used in workplaces around the world. Why implement a new system when one already exists? Not only does one exist, it is more or less an open standard. Yeesh! I wish people would actually stop rebuilding the wheel in the software industry.

  6. Re:Let MS do it... by Iriel · · Score: 3, Insightful

    My biggest concern (and please don't bash me for this) is not about Hotmail users getting all their email flagged as spam. The problem I can see with this is if Microsoft strongarms other servers into using the SenderID. It's almost like the way that the majority of websites have CSS hacks and workarounds for a broken browser (IE) that still won't be fixed in the next version. If enough people are using the proprietary garbage, then others will be forced to support it.

    If they can muscle their SenderID onto enough servers out there that less email becomes spam, then SenderID is free to be a gateway for other proprietary garbage that MS may decide to bundle with it. Microsoft has had its overwhelming failures at times, but it also has a record of 'forcing' their way onto enough of the market to make an impact for better or worse. That's just my take on it; it's not what it will do, but what it will allow to happen in the future (should it catch on)

    --
    Perfecting Discordia
    www.stevenvansickle.com
  7. Re:Heh by hal9000(jr) · · Score: 4, Insightful

    It's not just Microsoft's old tricks. Many 800 lb. gorillas (Cisco, IBM, Intel) have done the same with more or less success. Most of the time, wrangling is done in working groups where vendors start deploying products based on early standard drafts, which commits them to lock-in, which then motivates them to fight for their methods regardless of technical requirements. Besides, market dominant driven standardization is not always a bad thing. The anti-spam market is so fragmented that having a Microsoft force a decision may actually move a resolution.

  8. Re:At least it works by slavemowgli · · Score: 3, Insightful

    And? What would prevent a spammer or phisher from creating the necessary setup to pass verification? Things like SPF and Sender-ID are good for stopping (or at least warning about) mail that some spam clown sent with a forged From: address (which can be highly annoying if the forged address is in one of *your* domains), but it won't do a thing about, say, email that comes from, say, "support@paypa1.com" or so.

    Besides, if you want to warn users about phishing, you don't even need any of these tricks. GMail, for example, warns me with a big red banner when it thinks that an email may be a phishing attempt, and so far, it's always been right - no false positives, no false negatives, even without any technical tricks that depend on the honesty of the sender (which both SPF and Sender-ID ultimately do, in that they allow malicious senders to set up systems so that tests are passed for spam and phishing mails and the like).

    I only wish their spam filter would be as effective... :)

    --
    quidquid latine dictum sit altum videtur.
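
Added example, not part of the comment above or of the original thread: a minimal SPF-style check (only `ip4` and `all` terms) run over constructed records, illustrating the comment's point that a forged sender in a published domain fails while a look-alike domain with its own record passes, so the receiver needs a separate look-alike flag. The records, IP addresses (documentation ranges), `PROTECTED` list and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records (not real DNS data); IPs come from documentation ranges.
SPF_RECORDS = {
    "paypal.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "paypa1.com": "v=spf1 ip4:203.0.113.0/24 -all",  # look-alike publishes its own record
}
PROTECTED = ["paypal.com"]                 # domains the receiver guards (assumption)
CONFUSABLE = str.maketrans("1035", "loes")  # digits commonly swapped for letters

def spf_check(domain, client_ip):
    """Evaluate only the ip4 mechanisms and the 'all' fallback of a record."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def lookalike_of(domain):
    """Return the protected domain this one imitates, or None."""
    domain = domain.lower()
    folded = domain.translate(CONFUSABLE)
    for brand in PROTECTED:
        if domain != brand and folded == brand.translate(CONFUSABLE):
            return brand
    return None

def verdict(mail_from, client_ip):
    """Combine the SPF result with the look-alike flag for one message."""
    domain = mail_from.rsplit("@", 1)[1]
    result = f"spf={spf_check(domain, client_ip)}"
    brand = lookalike_of(domain)
    if brand:
        result += f"; flag: imitates {brand}"
    return result

if __name__ == "__main__":
    # Constructed messages: (envelope sender, connecting IP)
    for sender, ip in [("support@paypal.com", "198.51.100.7"),
                       ("support@paypal.com", "192.0.2.10"),
                       ("support@paypa1.com", "203.0.113.5")]:
        print(sender, ip, "->", verdict(sender, ip))
```
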
  9. Re:Hashcash for mail would be better by Alioth · · Score: 4, Insightful

    The trouble is many spammers are now using networks (say, 50,000 or more) of pwned Windows zombies. They are doing it on a huge distributed network - they don't care if calculating a hash slows them down. If each zombie only sends 100 emails per day, that's 5 million spam emails sent. You'd have to have an insanely long calculation time to make a dent on a zombie network.

  10. Zombies will steal your sender ID by Animats · · Score: 3, Insightful

    Right now, most zombie machines send using some arbitrary identity. Most of them are just proxies or forwarders, not mail generators. The way the spam industry works is that you rent some zombies at SpecialHam, get a "bulletproof mail server" from Black Box Hosting in China, install Dark Mailer, and go. Dark Mailer runs on the "bulletproof mail server" and generates the messages, which are sent via your rented proxy farm.

    If sender ID goes in, the software that takes over a target machine will just have to use the normal sending identity for that machine, or, more simply, transmit it back to the bulk mailer so the mailer can construct the outgoing messages accordingly.

    MX Logic reports that, as of March, 9% of spam already has valid SPF markings, and 0.83% have valid Sender ID markings. So the technology to bypass SPF and Sender ID is already deployed.