Q&A: Microsoft Hosts Industry Sender ID Summit in Fight Against Spam and Phishing

REDMOND, Wash., Aug. 12, 2004 — Over 80 members of the E-mail Service Provider Coalition (ESPC) — which provides e-mail delivery services to over 250,000 clients in North America — will gather at the Microsoft campus today for a summit on the Sender ID Framework, demonstrating strong consensus toward authenticated e-mail solutions to the problems of spam, domain spoofing and phishing.

Sender ID is an emerging technical approach designed to ensure that e-mail originates from the Internet domain it claims to come from by validating the sender’s server Internet Protocol (IP) address. It combines Microsoft’s Caller ID for E-Mail technology with the Sender Policy Framework (SPF) authored by Meng Weng Wong, CTO of Pobox.com, and is currently being evaluated by the Internet Engineering Task Force as an industry standard for e-mail authentication.

Spoofing, or sending e-mail purporting to be from someone it’s not, is an increasingly common and relatively simple way for spammers to try to trick spam filters. It can also pose a security risk when used to deliver e-mail viruses or phishing scams, which attempt to trick users into divulging sensitive information, such as credit card numbers or account passwords, by pretending to be from a legitimate source, such as a user’s bank. Sender ID aims to prevent spoofing by confirming what domain a message came from. Doing so can help legitimate senders protect their domain names and reputations, and help recipients more effectively identify and filter junk e-mail.

To learn more about Sender ID and the significance of today’s summit for the e-mail community, PressPass spoke with Craig Spiezle, director of industry and partner relations for Microsoft’s Safety Technology and Strategy Team, and Trevor Hughes, executive director of the ESPC.

PressPass: Why is Microsoft hosting this summit today?

Spiezle: The summit is being held at the request of the E-mail Service Provider Coalition (ESPC), which provides mail delivery services to over 250,000 clients in North America, in addition to leading companies and organizations, such as mail transfer agents (MTA), reputation and seal providers, and anti-spam vendors. The coalition came to Microsoft asking for help in educating their member companies about Sender ID and in enabling ESPC as an organization to support the implementation of Sender ID. It’s a collaborative effort. Speakers and industry panels will offer detailed information about the Sender ID framework, spam and phishing trends, and updates on best practices, legislation and enforcement.

PressPass: What is the significance of the summit?

Spiezle: Today, a number of companies have announced their plans for specific products and services that support the Sender ID framework, from e-mail applications to anti-spam appliances and services. The companies include Cloudmark, DoubleClick, IronPort, Sendmail, Symantec, Tumbleweed and VeriSign. The summit sends a message to the industry that the leaders are moving forward, implementing this technology, and companies can start to make plans for their own deployment. It also sends a message to Internet Service Providers (ISPs) of the best practices for effectively filtering out unwanted and spoofed e-mail. At the end of the day, we all want to adhere to best practices to help our customers more easily manage their Inboxes. We all want to ensure the deliverability of our mail. These companies are the early adopters, and they are taking a leadership position and making this commitment toward combating spam, spoofing and phishing. It is a significant step in the industry’s efforts to combat spam.

PressPass: Why is Sender ID important to the members of ESPC?

Hughes: We see authenticated e-mail as the most promising step toward a more complete solution to spam, and we have been strong advocates of authenticated e-mail solutions. For over two years, the ESPC has been working to address the problem of spam while protecting legitimate uses of e-mail. Our efforts have focused on a number of areas, including legislation and best practices. Early last year, we released Project Lumos, which was our effort to promote some thinking in the authenticated e-mail world. We have worked consistently over the past year and a half to try to facilitate and promote discussions and thinking and work on authenticated e-mail solutions, and some of that work has included meetings with the relevant constituents in the e-mail world.

We were delighted when Microsoft introduced an authenticated e-mail solution, and we are even more delighted that it has now emerged as the Sender ID protocol. As an authenticated e-mail solution, it is consistent with our thinking in terms of how to combat the spam problem, so our members are eager to learn more, to work hard to implement Sender ID, and to engage in a very strong dialogue making sure that these solutions are successful in the marketplace.

PressPass: What are the ESPC members hoping to get out of today’s summit?

Hughes: We’re looking forward to two things: We want to learn about the implementation of Sender ID and the issues and challenges that it may pose in the legitimate sending marketplace. And we want to engage in a dialogue with Microsoft and the other companies and organizations that are active in this area, so that they can understand the issues that will result from Sender ID being implemented in a broad way in the sending world.

PressPass: What are the latest developments in Sender ID?

Spiezle: The biggest thing is the groundswell of support for the Sender ID framework, which is coming from three dimensions.

First, it’s coming from within the industry of the solution providers, the anti-spam vendors and the MTA vendors — the vendors that are creating messaging software, whether it’s Microsoft Exchange or companies like Sendmail. They recognize that for the viability, reliability and deliverability of e-mail, we need to move forward on some of these technical proposals. We’re past the point of discussing and debating — we’re now moving into implementation. These are the companies that are announcing product plans today.

Second, there’s support from the ESPC — the legitimate e-mail marketers who work for every major corporation in the United States. They represent companies like Microsoft, and Amazon.com and eBay, which use e-mail to make transactions with their customers, correspond over customer accounts, etc. They also represent banks that send statements and offers, and many others. These legitimate e-mail marketers want to comply. Their customers are demanding the deliverability and reliability of e-mail.

Third, there’s support from the enterprise customers themselves whose e-mail is being spoofed, leading to fraud and phishing scams as well as to infringements on their trademarks, damage to their brand names and loss of end-user customers’ faith in their business. Sender ID provides an immediate step — though not a silver bullet — to help counter the vulnerability of these companies’ e-mail to spoofing.

PressPass: Can you talk a little bit more about phishing? Does Sender ID help prevent phishing?

Spiezle: Phishing is the practice of attempting to trick e-mail recipients into divulging personal information, such as credit card numbers or account passwords, by sending e-mail pretending to be from a legitimate source, such as a user’s bank, credit card company or online Web merchant. Sender ID does not explicitly prevent spam or phishing scams from being sent, but it does make them much easier to detect because it provides a more reliable answer to the question “Who sent the message?”

It is also important to note that 95 percent of all phishing attacks come from e-mail in which the “from” address has been spoofed, so if you can help eliminate spoofing, you can thereby also help reduce phishing. If a phisher sends out 2 million spoofed e-mails and tricks 100 people into giving up sensitive information, that’s a good return on the phisher’s investment. This is the challenge, and this is why the industry is saying we need to move forward on some of these effective approaches as quickly as possible. However, Microsoft and the industry recognize very clearly that there is no single perfect solution to the problem. This is not the end of the journey. It’s a significant step forward.

PressPass: Why are e-mail service providers important in the adoption and implementation of authenticated e-mail solutions like Sender ID?

Hughes: E-mail service providers represent an important pivot point in the e-mail marketplace. The members of the ESPC provide delivery services to about 250,000 legitimate senders in North America. As a result, the members of ESPC provide a spectacular way to network the effect of Sender ID to a very large number of legitimate senders. We have data from IronPort’s SenderBase system that suggest that our members account for 25 percent of the legitimate e-mail in the United States today. As a result, the ESPC represents a huge step toward broad-scale implementation of authenticated e-mail solutions.

PressPass: Is Sender ID recognized as a standard?

Spiezle: The Sender ID specification is still under review by the Internet Engineering Task Force (IETF) for consideration as an industry-wide standard for e-mail authentication. The effort to arrive at a standard continues to be a very collaborative process, bringing together a number of industry stakeholders to develop an approach that has the support of the entire industry. Over the past 18 months, Microsoft has worked with the IETF, Meng Wong, industry groups and others in an effort to come up with a solution that’s deployable and extensible across multiple platforms and messaging environments, and we will continue to do so.

At the same time, our partners and customers are pushing for strong solutions to the spam problem today. Even though Sender ID is still technically a draft standard proposal, the confidence level is such that companies are already moving into the deployment and implementation stage. Between now and the start of 2005, you can expect to see companies adopting the Sender ID framework to achieve a higher level of reliability and deliverability of their good e-mail. The important point is that we cannot solve this in isolation; it has to be done through cooperation and collaboration. It had to come down to ongoing industry-wide commitment to best practices. It’s what our customers want and what we must do as an industry if we are to effectively protect e-mail as a valuable communications tool worldwide.

PressPass: What should e-mail service providers do to support industry adoption of Sender ID?

Hughes: Our members are here today at Microsoft in a strong show of force, and I think that that’s one of the biggest and best things they can do. They can attend this meeting, engage in the dialogue, take the lessons back and — as we roll out Sender ID — make sure that their operations and their customers’ and clients’ operations are in compliance with Sender ID standards. We are expecting as much from our members and, by all indications, that is indeed what we will have in very short order.