Caller ID for EMail

The goal of Caller ID for E-Mail is to let you know who is sending an e-mail message to you, and to let you make decisions about it before you open it or even see it. In his keynote address at the RSA Conference 2004 today, Microsoft Chairman and Chief Software Architect Bill Gates announced a detailed vision and proposals on how technology can be used to help put an end to spam, including outlining the company's Coordinated Spam Reduction Initiative (CSRI) and technical specifications for the establishment of Caller ID for E-Mail.

"Spam is our e-mail customers' No. 1 complaint today, and Microsoft is innovating on many different fronts to eradicate it," Gates said. "We believe that Caller ID for E-Mail and the Coordinated Spam Reduction Initiative will help change the economic model for sending spam and put spammers out of business."

To be more effective in the fight against junk e-mail, filters need additional information that is not available in e-mail messages today. Microsoft believes some relatively simple but systemwide changes to the e-mail infrastructure are needed to provide greater certainty about the origin of an e-mail message and to enable legitimate senders to more clearly distinguish themselves from spammers.

CSRI is Microsoft's long-range industry plan for dramatically reducing spam through technology. It is based on three proposals to better enable effective filtering:

Caller ID for E-Mail

Existing spam filters look at an e-mail message's origin to determine whether it is spam. However, there is currently no guarantee that an e-mail message came from whom it says it did. "Spoofing," or sending e-mail purporting to be from someone it's not, is an increasingly common and relatively simple way for spammers to trick filters. In addition, this practice can pose a security risk when used to deliver e-mail viruses.

Microsoft has developed the Caller ID for E-Mail proposal to help eliminate domain spoofing and increase the effectiveness of spam filters by verifying what domain a message came from -- much like how caller ID for telephones shows the phone number of the person calling. The proposal involves three steps to authenticate a sender:

1. E-mail senders, large or small, publish the Internet protocol (IP) addresses of their outbound e-mail servers in the Domain Name System (DNS) in a format described in the Caller ID for E-Mail specification.

2. Recipient e-mail systems examine each message to determine the purported responsible domain (i.e., the Internet domain that purports to have sent the message).

3. Recipient e-mail systems query the DNS for the list of outbound e-mail server IP addresses of the purported responsible domain. They then check whether the IP address from which the message was received is on that list. If no match is found, the message has most likely been spoofed.
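The receiving side of these three steps can be sketched in Python as follows; this is an added example, not code from Microsoft or the Caller ID for E-Mail specification. The in-memory table standing in for DNS, the header precedence used to pick the purported responsible domain, and the "unknown" and "no-domain" results are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for step 1 and the DNS query in step 3:
# domain -> outbound server ranges it has published (documentation addresses).
PUBLISHED_OUTBOUND = {
    "example.com": ["192.0.2.0/28", "2001:db8:10::/64"],
    "example.org": [],  # has published, but lists no outbound servers
}

# Assumption: header precedence used to pick the purported responsible domain.
PRD_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_responsible_domain(raw_message):
    """Step 2: return the domain the message claims to come from, or None."""
    msg = message_from_string(raw_message)
    for name in PRD_HEADERS:
        value = msg.get(name)
        if value:
            _, addr = parseaddr(value)
            if "@" not in addr:
                return None  # malformed address: no domain to check
            return addr.rsplit("@", 1)[1].lower().rstrip(".")
    return None


def check_sender(raw_message, connecting_ip, published=PUBLISHED_OUTBOUND):
    """Step 3: compare the connecting IP with the domain's published list."""
    domain = purported_responsible_domain(raw_message)
    if domain is None:
        return "no-domain"
    ranges = published.get(domain)
    if ranges is None:
        return "unknown"  # domain has published nothing: no conclusion
    ip = ipaddress.ip_address(connecting_ip)
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return "match"
    return "mismatch"  # per the text: most likely spoofed


# Constructed sample messages.
DIRECT = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
VIA_LIST = "From: bob@example.net\nSender: list@example.com\n\nbody\n"

if __name__ == "__main__":
    for ip in ("192.0.2.5", "203.0.113.9"):
        print(ip, check_sender(DIRECT, ip))
```

Keeping "unknown" separate from "mismatch" matters while few domains publish records: a filter that treats every non-publishing domain as spoofed would reject most legitimate mail.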

Microsoft is moving ahead with plans for a pilot implementation of Caller ID for E-Mail in its Hotmail service. Hotmail will begin publishing outbound IP addresses today and will begin checking inbound addresses early this summer. In addition, the company continues to work with others in the industry to test this proposal, including Amazon.com Inc., Brightmail Inc. and Sendmail Inc.

"Amazon.com is working aggressively to combat spoofing on several fronts, and we are committed to collaborating with others in the industry to find effective solutions for the problem of spam," said Larry Hughes Jr., senior manager for IT Security at Amazon.com. "We look forward to working with Microsoft and others in the industry to test their proposals."

"Most spammers disguise the source of their e-mail to evade spam filters and detection," said Enrique Salem, CEO and president of Brightmail, a leading provider of anti-spam technology. "We are excited to join Microsoft in testing this new Caller ID for E-Mail technology to help promote the establishment of verifiable identity in e-mail. We believe that by combining verifiable identity with our Reputation Service, we will improve our best-of-breed anti-spam technology to help legitimate e-mail get delivered while helping keep spam out of users' inboxes."

"Authenticated sender technologies like Microsoft's caller ID are essential to help address fraud and spam in Internet e-mail," said Eric Allman, CTO at Sendmail. "The key to ensuring that these types of technologies are successful is widespread adoption. Sendmail's millions of users -- including more than 70 percent of the Fortune 1000 -- substantially increase the deployment of such technologies. We are excited to work with Microsoft in promoting the acceptance of caller ID as an open standard on the Internet."

Not all commercial e-mail is junk. Many regulated businesses including banks, brokerage firms and insurance companies rely on e-mail to contact their customers and provide information about their services. Other organizations such as airlines, news media and a variety of online retail services send legitimate e-mail to their customers. However, today there is no easy way for these businesses to distinguish themselves from spammers.