Editors’ update, June 24, 2005 – This article has been expanded since original publication to address an additional question concerning e-mail domains that do not publish SPF records.
REDMOND, Wash., June 22, 2005 — E-mail scams, whether they involve spamming or the more malicious “spoofing” and “phishing,” continue to rob consumers and organizations of their security, privacy and financial assets. A study conducted this year by Ferris Research reports that 80 to 90 percent of all e-mail messages are spam, and will cost businesses worldwide approximately US$50 billion in 2005. E-mail authentication technologies play a promising role in reducing the level of spam by providing helping provide detailed information about the source of email. However, the industry as a whole, as well as organizations in general, must adopt this technology to ultimately protect the online ecosystem.
Microsoft has been working with its customers and others across the industry to better protect e-mail as an essential communications tool. The company is embracing e-mail authentication technologies like the Sender ID Framework (SIDF) and continues to invest in anti-spamming, anti-spoofing and anti-phishing initiatives. In January, MSN Hotmail implemented SIDF, which in combination with filtering technology such as Microsoft SmartScreen helps intercept more than 3.2 billion deceptive e-mail messages a day before they reach Hotmail users’ inboxes. In continuing in its commitment to consumer safety, Microsoft today announced it is providing warning alerts visible via a new safety bar in the MSN Hotmail user interface on e-mail in which the sender can not be authenticated.
The Hotmail safety bar is designed to alert customers to potential deceptive e-mail messages and provide more meaningful information on e-mail authentication. The alerts are available in 20 languages today, supporting more than 200 million customers worldwide.
Craig Spiezle, director, Microsoft Technology Care & Safety Group
PressPass spoke with Craig Spiezle, a director in the Technology Care and Safety group at Microsoft, to learn more about how and why the Sender ID e-mail authentication technology helps Hotmail users and the significance of today’s announcement in the context of Microsoft’s overall e-mail safety strategy.
PressPass: Every e-mail user has been spammed at least once, but most people who haven’t had the unfortunate experience of being spoofed or phished don’t know what these terms mean. Can you explain them?
Spiezle: Spoofing and phishing can be much more insidious and destructive than spamming. Spoofing is the common practice used by spammers and scammers of altering the From address of an e-mail message so that it appears to come from a legitimate sender. While seen in common spam attacks (usually in the spammer’s attempt to trick e-mail filters), spoofing is often used in more nefarious phishing scams. Phishing is the attempt to trick people into giving out personal information, such as credit-card numbers or account passwords, by sending e-mail or setting up a Web site pretending to be from a legitimate source, such as a user’s bank, credit-card company or online Web merchant.
Not only are consumers at risk of losing their privacy and financial assets, but legitimate businesses that have had their name and e-mail domains used in phishing schemes often are faced with damage to the reputation of and trust in the brand name they’ve worked so hard to establish. It’s critically important that the industry and businesses work together to help protect people and organizations from these concerns and help restore confidence in electronic messaging and e-commerce.
Screenshot of a Sender ID warning alert on MSN Hotmail.
PressPass: How do e-mail authentication technologies like Sender ID help combat these scams?
Spiezle: E-mail authentication technology is one of the most promising efforts to date in combating deceptive e-mail, and one that is demonstrating real results. The Sender ID Framework (SIDF) is an Internet Protocol (IP)-based solution that aims to prevent spoofing by verifying that every e-mail originates from the Internet domain from which it claims to have been sent. This is accomplished by checking the address of the server sending the mail against a registered list of servers that the domain owner has authorized to send e-mail.
SIDF checks are automatically performed by the Internet service provider (ISP) or recipient’s mail server before the e-mail message is delivered to the user. They can be used as additional input into the filtering tasks already performed by the mail server. Once the sender has been authenticated, the mail server may consider past behaviors, traffic patterns and the sender’s reputation, as well as apply conventional content filters when determining whether to deliver mail to the recipient.
We’re encouraged by the groundswell of support for SIDF throughout the industry and e-mail ecosystem in the past several months. More than 1 million domains today have published their Sender Policy Framework (SPF) records, the method used within SIDF to identify a sender’s authorized outbound e-mail servers, and more than 1 billion e-mail messages are sent each day that contain SPF records. This meteoric rise in the number of SPF records is an important step in promoting a safer computing environment and empowering people and organizations to confidently interact and conduct business online.
PressPass: What is the significance of today’s announcement and what can Hotmail customers expect?
Spiezle: Deploying Sender ID on the MSN Hotmail service allows Microsoft to move to the next level of protection, which is to provide information about suspicious e-mails to recipients via the Hotmail interface. The safety bar on the Hotmail interface is designed to alert customers to the potential issues surrounding suspicious e-mails by displaying phrases such as, “The sender of this message could not be verified by Sender ID.” The alerts will provide customers with options to learn more about Sender ID and provide guidance on staying safe online. Sender ID is one of many factors in the filtering process to determine the legitimacy of e-mail coming to MSN Hotmail customers’ Inboxes. Filtering decisions are not made on the Sender ID check alone, but on a series of checks that help protect against spam and false-positives.
Today’s announcement accomplishes two things: It further protects consumers by providing them more information about suspicious e-mails, and it’s a call to action for domain holders and e-mail senders to publish their SPF records to help protect their brands and maximize the deliverability and reliability of their e-mail.
PressPass: Is Hotmail going to stop accepting e-mail from domains that don’t publish SPF records?
Spiezle: Hotmail is not planning to junk or delete legitimate e-mail that our customers want to receive solely because the sending domain does not have an SPF record. Our use of e-mail authentication is to aid the accuracy of our e-mail filtering, but it remains only one of many factors that our filters examine when evaluating incoming e-mail.
As adoption of Sender ID and SPF records grows, and the lack of a domain with an SPF record becomes the exception to the norm, we may choose to investigate unauthenticated e-mail mail more closely before deciding whether to deliver it to the users’ inbox. That doesn’t mean the message will automatically get tagged as junk, just that the message may appear more suspicious to the filter and warrant additional investigation. What is most valuable about the implementation of authentication solutions like Sender ID is to have a reliable mechanism for verifying the source of e-mail. Such information can then also be used to help build more robust sender reputation systems that can understand and inform filters as to whether a given domain sending an incoming e-mail message might commonly be a source of spam.
We do not have a hard cutoff date for tougher filtering on non-authenticated e-mail, but expect to see adoption rates rise later this year in anticipation of heavier commerce activity in the holiday timeframe. We are hoping, and will continue to support the industry’s efforts to reach critical mass of adoption, especially by that timeframe.
It is important to note that Sender ID is not a “silver bullet” for our anti-spam efforts, and we believe there are other emerging complementary authentication solutions, like cryptographic-based domain-signing solutions, as well as reputation-based and other emerging solutions that together could prove valuable for protecting customers. Again, the goal is to get the right mix of effective solutions in place to help filters do a better job of protecting customers and businesses to help ensure legitimate mail gets through while spam, phishing scams and other unwanted e-mail does not.
PressPass: Beyond Sender ID, what else is MSN doing to protect Hotmail customers from online threats?
Spiezle: We want our customers to enjoy a safe online experience, and we have made an investment in technologies to help do just that. In addition to the new SIDF alert being announced today, MSN Hotmail provides several tools and features that help protect consumers from spam and other online threats. Some of those features include virus scanning and cleaning of e-mail before it reaches a customers Inbox; a junk e-mail filter with three levels of protection to give customers choice in the strictness of the filtering, and a Block Sender feature that allows customers to refuse e-mail from specific senders. Additionally MSN Hotmail has a URL disablement feature that detects e-mails that appear to be phishing attempts, delivers them to the customer’s junk folder, and notifies them the URL in the e-mail has been disabled for their protection.
PressPass: It sounds like MSN Hotmail is driving a number of protection efforts that are having an impact. How can other businesses and e-mail users ensure they, too, are taking the necessary steps to protect their customers and themselves?
Spiezle: Getting businesses and e-mail users to recognize the importance and urgency surrounding e-mail authentication technologies is half the battle. To fully realize the benefits of these technologies, it’s incumbent on us as an industry to act swiftly, authenticate our outbound mail and check inbound mail to help ensure we protect e-mail as a valuable communications tool for users worldwide.
The industry continues to encourage ISPs and businesses to publish an SPF record to protect their domain and ultimately enhance their brand name. The process of publishing an SPF record is relatively easy, and freely available tools help simplify the process further. The cross-industry emailauthentication.org Web site (www.emailauthentication.org/resources.html) provides e-mail authentication tools and other resources to assist the IT and business communities, as well as a step-by-step process for creating your SPF record.
In addition, an industry coalition of more than three dozen companies has organized the Email Authentication Implementation Summit 2005 to provide organizations an opportunity to investigate and discuss how to effectively implement e-mail authentication mechanisms like SIDF. Being held on July 12 in New York City, this event sets the stage at the broadest industry level to help promote the integrity and reputation of legitimate e-mail and will provide prescriptive advice and reference case studies to aid companies in deployment.
We and others in the industry recognize that technology alone cannot contain the spam problem. In the last two years, Microsoft has promoted not only effective technology but also industry collaboration, education, legislation and enforcement solutions — all of which have vastly improved our customers’ online experience.
Spammers and scammers are continually innovating and getting more sophisticated in their methods of escaping detection — it is a game of cat and mouse. That’s why we must continue to move forward in all of these areas to not only stay ahead of the curve, but eventually turn their incentives upside down and make it no longer profitable to send spam or scams. That’s what will actually contain these issues in the long run.