REDMOND, Wash., and PHILADELPHIA, May 25, 2004 — Microsoft Corp., author of the Caller ID for E-mail proposal, and Meng Wong, co-founder and CTO of Pobox.com and author of the Sender Policy Framework (SPF), have announced today that they have agreed to converge the two proposals into one specification designed to help eliminate domain spoofing and provide greater protection against phishing schemes. By providing a unified specification, Microsoft and Wong hope to simplify industry adoption of effective e-mail authentication technology, thereby helping to more swiftly provide greater spam protection to e-mail users worldwide.
“Spoofing,” or sending e-mail purporting to be from someone it's not, is an increasingly common and relatively simple way for spammers to try to trick filters. It can also pose a security risk when used to deliver e-mail viruses or phisher scams, which attempt to trick users into divulging personal information such as credit card numbers or account passwords by pretending to be from a legitimate source, such as a user's bank. Caller ID and SPF aim to prevent spoofing by confirming what domain a message came from and thereby increase the effectiveness of spam filters.
Under the merged proposal, organizations will publish information about their outgoing e-mail servers, such as IP addresses, in the Domain Name System (DNS) using the industry-standard XML format. Backward compatibility will be provided for the many domains that have already published information in the SPF TXT format.
The converged specification will enable receiving systems to test for spoofing at both the message transport (SMTP) level, or envelope, as originally proposed in SPF, as well as in the message body headers, as originally proposed in Caller ID. Testing for spoofing at the message transport level allows receiving systems to block some spam messages before they are sent. In cases in which a deeper examination of the message contents is required to detect spoofing and phishing attacks, the Caller ID-style header check can be employed.
A formal specification will be published next month and submitted to the Internet Engineering Task Force (IETF) standards body for evaluation and review, as part of its work to define effective industry Internet e-mail standards to address the problem of spam.
“We are pleased to see Microsoft and the SPF community working together on a unified specification for IP-based sender identification,” said Andrew Newton, co-chair of the IETF's MARID working group. “Microsoft and Meng Wong presented this joint proposal to the MARID working group last week, and we are very optimistic that this proposal will provide the type of solution that MARID is looking for.”
“The marriage of SPF and Caller ID is a major step forward in the war on spam, as it consolidates the strengths of both proposals to provide even greater protection against spoofing and phishing schemes,” Wong said. “Through continued industry cooperation and broad adoption of this new specification, we expect to further reduce the impact of spam on e-mail users worldwide.”
“Convergence of these two technical specifications is a critical step in our efforts to eliminate the spam problem and a big win for e-mail users worldwide,” said Ryan Hamlin, general manager of the Anti-Spam Technology and Strategy group at Microsoft. “By working together with Meng Wong and the SPF community, we plan to create one technical specification that we believe the entire industry can rally around that will virtually eliminate domain spoofing and help restore user trust and value to e-mail.”
“Spoofing is one of the earliest and most nefarious tricks used to propagate spam,” said Matt Cain, senior vice president of industry analyst firm META Group Inc. “The merging of Caller ID and SPF into one backward-compatible DNS-based sender authentication specification represents a major step forward for the industry in stemming the spam plague.”
To be more effective in the fight against junk e-mail, filters need additional information that is not available in e-mail messages today. Simple but important changes to the e-mail infrastructure, such as those outlined in the merged SPF-Caller ID proposal, can provide greater certainty about the origin of an e-mail message and enable legitimate senders to more clearly distinguish themselves from spammers.
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.
Microsoft, Windows Server System and Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.asp .