Microsoft's spam weapon gets canned
By Sam Varghese
June 24, 2005 - 12:15PM
http://www.theage.com.au/articles/2005/06/24/1119321887828.html

Sysadmins and network professionals are largely sceptical that Microsoft's
move to enforce the use of a scheme, which may cause up to 10 per cent of
legitimate email to end up in junk folders, will result in less spam.

Craig Spiezle, director of Microsoft's technology care and safety team, was
quoted yesterday as saying that the company believed it needed to begin
requiring Sender ID to do a better job of cutting down on junk email.

Sender ID is a scheme that aims to use the DNS to check whether an email
comes from a valid mail server; in theory, this would mean that emails
that do not come from an authorised mail server are rejected.

Sender ID is the fruit of the Sender Policy Framework (SPF) advanced by Meng
Weng Wong, the founder of Pobox.com, and a failed proposal by Microsoft
called Caller ID. Both proposals aim to stop spam.

For Sender ID to work, the DNS records would need to have additional
information, which mail transport agents like Sendmail, Postfix, Qmail or
Exim are able to interpret.

Currently, the mail server or MX records in the DNS indicate the servers
that can receive mail for a domain. There is no record to show which server
is responsible for sending mail from a particular domain.
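
An added example, not part of the original article: a minimal receiver-side check of the kind of "authorised sending server" record described above. It assumes SPF's `v=spf1` TXT syntax (the article shows no record syntax), handles only the `ip4` and `all` mechanisms, and uses constructed domains and addresses from documentation ranges.

```python
import ipaddress

# Constructed sample DNS TXT data; a real check would query DNS.
TXT_RECORDS = {
    # An organisation that lists its outbound mail servers.
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    # A domain registered by a bulk mailer, who publishes a valid record too.
    "bulk-offers.example": "v=spf1 ip4:203.0.113.7 -all",
    # "legacy.example" publishes no record at all.
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, txt=TXT_RECORDS):
    """Return the SPF-style result for client_ip sending mail as domain.

    Only ip4 and all are evaluated here; real records also use a, mx,
    include and other mechanisms that need further DNS lookups.
    """
    terms = txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        else:
            raise ValueError("mechanism not handled in this example: " + term)
    return "neutral"                      # nothing matched, no final all


if __name__ == "__main__":
    samples = [
        ("example.org", "192.0.2.25"),          # authorised server
        ("example.org", "198.51.100.9"),        # forged sender domain
        ("bulk-offers.example", "203.0.113.7"), # bulk mailer's own domain
        ("legacy.example", "198.51.100.9"),     # no record published
    ]
    for domain, ip in samples:
        print(domain, ip, check_sender(domain, ip))
```

A pass only says the connecting host is listed by the domain's owner, and a domain with no record yields neither pass nor fail, so a filter has to decide separately how to treat unlisted senders and how much a pass is worth.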

Mr Spiezle also said that for the past six months, Microsoft's Hotmail and
MSN services had been checking Sender ID records as one test in determining
whether a message is junk.

Melbourne-based independent IT consultant Craig Sanders said if Microsoft
blocked all mail to Hotmail and MSN, except from domains that implemented
Sender ID, then most legitimate mail would be classed as junk.

"They will end up isolating and destroying their own mail services rather
than forcing adoption of Sender ID," said Sanders, a long-time sysadmin and
developer with the Debian GNU/Linux project. "There is no way they can force
everyone to use their proprietary and patented Sender ID proposal. The
internet just doesn't work like that."

Last year, the Internet Engineering Task Force, a body that sets standards
for the internet, dissolved a group that had been set up to discuss the
implementation of Sender ID, partly because a portion of the specification
included technology on which Microsoft was claiming a patent.

Several participants in the group's discussions raised doubts over the
patents filed by Microsoft to cover the technology, which includes many
aspects of email authentication, including some which have been in use for a
long time.

David Banes, managing director of Cleartext, which focuses on securing email
and instant messaging, said while Sender ID and SPF were good systems to
increase trust in the sender of an email, spammers were already using these
technologies.

"The system thus falls over and is most likely not going to be as effective
as some people think it will be," said Banes, a techie himself. "These
technologies could be explained as 'reverse MX' so in theory all a spammer
has to do is register a domain name and add the records to their DNS. This
is what we are seeing now."

Banes said it took much longer for legitimate organisations to adopt new
technologies than it did for spammers. "This means that there is a very high
likelihood that you'll be blocking lots of legitimate email as well as
spam," he said. "So, whilst Sender ID isn't going to fix the spam problem,
it should be part of the kit bag, but I wouldn't be putting a heavy
weighting on it in your 'is it spam' algorithm."

Richard Forno, an internationally renowned IT consultant, said it seemed
Microsoft was taking a "go it alone" approach. "The fact that Microsoft
pulled out of the IETF working group, in part because of the company's
interests in a patent, tells me they're more concerned about themselves and
defining 'their' standard than really doing anything for the community.
Microsoft has a history of such imperial thinking," he said.

Forno, who helped to establish the first incident response team for the US
House of Representatives, said he thought Sender ID would present a lot of
growing pains for Microsoft, its customers, and those non-MSN/Hotmail users
who communicated with other people using MSN/Hotmail email.

"Sender ID and related 'white lists' also present the problem of end-users
potentially having to 'register' with multiple ISPs to ensure their mail
gets past such filters. For the potential benefits of Sender ID, is that a
viable/fair trade-off?" he asked.

"Do I need to ensure my domain or email address is 'trusted' by everyone in
my address book at some point? What about multiple addresses? In that case,
the technical solution may be more trouble than it's worth."

A senior anti-virus researcher with Computer Associates in Melbourne pointed
out that soon after Sender ID was introduced, it turned out that a large
percentage of those implementing the system very early were spammers
themselves.

"Some research conducted last year - by MXLogic in September 2004 - was
already showing that a sixth of all investigated spam was implementing SPF,"
said Jakub Kaminski.

He said while Sender ID might stop those who were spoofing domains, it would
not prevent spammers from sending spam from legitimate domains.

"The system might help tracking down the offenders, but a large chunk of
spam is posted from and through kidnapped systems already."

Kaminski said there could also be an unfortunate spin-off. "Information
about exploited systems (zombies) is often for sale. The wider
implementation of Sender ID and SPF systems might push the price of a
kidnapped machine higher and certainly encourage hackers to intensify their
efforts in search for new victims," he said.

Another senior network professional said that in the short term, he
suspected Microsoft's move would create a lot of unhappy users for whom the
internet was no longer a happy-go-lucky place.

In the longer term, however, there might be heightened awareness that online
safety and security were everyone's business, said Paul Ducklin, the
Asia-Pac head of technology for anti-virus software maker Sophos. Users, he
said, might also realise that "through protecting yourself, you help to
protect everyone else as well."

"SPF/Sender ID is not a cure-all for spam and email viruses - not by a very
long way. After all, the best approach to unwanted email is prevention, so
that unwanted emails don't get sent out in the first place," he said.

"If Microsoft is prepared to ride a wave of initial consumer complaints to
help get people thinking along these lines, then I'm all for it."

While Microsoft's move is unlikely to affect many businesses, NT BugTraq
founder and editor Russ Cooper pointed out that consumers would expect their
ISPs to be able to allow them to send mail to Hotmail and MSN addresses.

Cooper, a senior security analyst with Cybertrust, was surprised by the
move, which he said was unlike Microsoft. "Historically it has been their
own reticence at stopping legacy insecure services (like file sharing or
NetBIOS) that has led to so many exploits. Here, they're working towards
forcing all legacy mail systems to at least be looked at, if not updated."

If there was a demand from ISPs that all mail traffic should comply with
Sender ID, Cooper said that would make the move by Microsoft worthwhile.
"Most businesses would not have a problem complying, but many systems which
are heavily abused could finally be brought down - or in other words, be
stopped from being used as spam relays," he said.

"So, all in all, I'm waiting to hear that Microsoft Corporate has stopped
accepting mail from their customers that does not comply with Sender ID."


