Microsoft Corp. is attempting to get the industry to mimic the company’s own aggressive plans for rolling out Sender ID, the emerging email authentication specification, but spammers, as usual, are ahead of the curve.
At a Sender ID implementation conference at the firm’s Redmond campus yesterday, dates of October 1 and December 31 were given as suggested rollout deadlines to about 50 major service providers and software firms.
This is the second in a series of summits Microsoft anticipates facilitating on the Sender ID Framework to help ensure that those in the industry looking to implement Sender ID have access to the information and resources they need, a spokesperson said.
The deadlines depend on what kind of company is participating in the rollout. Mail transfer agent (MTA) software vendors, for example, are expected to review the specs in October and release compliant software before the end of the year.
Participating ISPs are expected to implement Sender ID checks on incoming mail by October. Regular companies are expected to publish their own Sender Policy Framework records in October and upgrade to compliant MTAs before January.
These guidelines are similar to Microsoft’s own internal deadlines. The company said earlier this year that its Hotmail and MSN services will start checking incoming email for Sender ID compliance in October.
Sender ID requires email senders to publish the IP addresses of their outgoing MTAs in their domain name system records. Recipients do a purported responsible address lookup to make sure incoming mail is coming from the domain it says it is.
The idea is to make it easier to fight spam, email worms, and phishing attacks, most of which use spoof their header information, but because implementing Sender ID is a relatively simple task, the bad guys will implement it too.
A common misconception is that we will be able to solve spam, or identify spammers, said Paul Judge, CTO of CipherTrust. But Sender ID simply says the message is from who it says it’s from. It doesn’t say if it’s from a good person or a bad person.
CipherTrust, an email security gateway maker, implemented Sender Policy Framework, Sender ID’s predecessor, in May, and says it has seen that spam is 34% more likely to pass an SPF check than a legitimate email.
In other words this is an area, again, where spammers are adapting quickly to new technology, said Judge. On the bright side, legitimate senders are catching on too, with 33 of the Fortune 1000 SPFs ready now, compared to 11 in May.
Spammers can register a domain for less than $10 and quickly put up SPF records, meaning each attack could come from a disposable domain. Once an attack is detected, the domain would be blocked, but the spammer would move to a new domain.
To get around this problem, spam filters would have to use reputation services that negatively score senders who have yet to prove their good behavior. This will likely only be feasible when Sender ID adoption is widespread.