Spammers Hijack Sender ID - InformationWeek


Spammers Hijack Sender ID

Microsoft's E-mail-filter technology, Sender ID, is unpopular with open-source advocates but popular with spammers, who are using it to bypass other filters.

On the heels of the repudiation of Microsoft's Sender ID E-mail-authentication scheme last week by two major open-source software groups, spammers are doing the opposite: They're embracing the very standard intended to curb their abuses.

According to E-mail security vendor MX Logic Inc., spammers are trying to make their messages appear more legitimate by adopting the Sender Policy Framework (SPF), which recently became part of Microsoft's Sender ID proposal. To comply with Sender ID, companies publish a list of authorized E-mail servers for the domains they control. That list is used by those receiving E-mail to make sure the purported server of origin matches the one listed in the message header. Because spammers may forge header information to disguise the origin of their messages, their spam would fail this test.

But since spamming is legal, those spammers not engaged in phishing or other fraud may choose to accurately identify their mail servers to avoid filtering based on Sender ID compliance. And that seems to be what's happening. Based on a sample of 400,000 spam messages, MX Logic found that 16% had published SPF records.

Scott Chasin, the company's chief technology officer, says this isn't unexpected. "The fact is that anybody can go out and purchase a $5 domain name and publish an SPF record," he says. "If you could publish your own credit report, how many folks out there would actually trust that?"

"From the perspective of what SPF does, which is provide authentication to stop domain spoofing and phishing attacks, it's fantastic," he says. "To leverage it alone, as a spam solution, is not why it was created."

He sees Sender ID as a vehicle for further industry innovation. "Conceptually, the industry needs to shift from identifying the bad senders to identifying the good ones," he says. Building upon authentication with reputation data is one way to do that. Not coincidentally, MX Logic last week added reputation analysis to its spam-detection scheme.
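The distinction drawn above, that a passing SPF check shows only that the sending server is authorized for the domain and says nothing about whether the domain deserves trust, can be shown in a short sketch. This is an added example, not code from MX Logic or from the article; the domains, IP addresses, reputation scores, threshold and verdict names are constructed, and the evaluator reads a local table and handles only `ip4` and `all` terms rather than doing DNS lookups.

```python
import ipaddress

# Constructed sample data: published SPF records (documentation IP ranges).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "cheap-pills.example": "v=spf1 ip4:203.0.113.7 -all",  # throwaway domain, valid SPF
}
# Constructed reputation scores, 0.0 (bad) to 1.0 (good); unknown domains are absent.
REPUTATION = {"bank.example": 0.95, "cheap-pills.example": 0.05}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Evaluate ip4 and 'all' terms only; returns an SPF result name."""
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if not term.startswith("ip4:"):
            return "permerror"  # mechanism not supported by this sketch
        if ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched


def classify(sender_domain, client_ip, threshold=0.5):
    """Authentication first, then reputation of the authenticated domain."""
    spf = spf_check(sender_domain, client_ip)
    if spf == "fail":
        return "reject-spoofed"  # server is not on the domain's published list
    if spf != "pass":
        return "content-filter"  # identity unproven, fall back to other filters
    score = REPUTATION.get(sender_domain)
    if score is None:
        return "content-filter"  # authenticated but unknown sender
    return "deliver" if score >= threshold else "quarantine"


if __name__ == "__main__":
    for domain, ip in [("bank.example", "192.0.2.5"), ("bank.example", "198.51.100.9"),
                       ("cheap-pills.example", "203.0.113.7")]:
        print(domain, ip, spf_check(domain, ip), classify(domain, ip))
```

The third sample is the case the article describes: the record is valid and the check passes, so only the reputation lookup keeps the message out of the inbox.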

Other anti-spam vendors, notably IronPort Systems Inc., have been touting reputation as an important component in E-mail filtering for some time now. In part, that's because they see it as a revenue stream. Marketers who spend the money required to comply with applicable laws and public expectation are generally willing to spend more money to have their legitimate E-mail pitches bypass filters.

"A lot of the reputation-based services are indeed trying to position themselves as 'what you need to get delivered,'" says Ray Everett-Church, chief privacy officer at ePrivacy Group, a privacy consulting firm, and board member of the Coalition Against Unsolicited Commercial E-mail.

He notes that while direct mailers might be interested in paying for such a service, there are other companies and institutions outside the E-mail-delivery-for-money business that still need to get their E-mail delivered. "There are other proposals out here that don't have the same PR budget that Microsoft has for Sender ID that don't depend on a certifying agency to control everything," he says. Such anti-spam proposals--under consideration by Marid, an Internet standards group--include Yahoo's DomainKeys and the Trusted E-mail Open Standard, which Everett-Church helped develop. These schemes rely on cryptographic verification rather than sender reputation.

Sender ID's sudden popularity with spammers stands in contrast to its disrepute among some open-source organizations. Both the Apache Software Foundation and the Debian Project have objections to the terms of the current Microsoft Royalty-Free Sender ID Patent License Agreement.

While a Microsoft spokesperson was not immediately available for comment, the company did offer a prepared statement: "AOL, Cloudmark, IronPort, VeriSign, Bell Canada, and the 54-member Email Service Provider Coalition have voiced support for the Sender ID license offered by Microsoft. There's broad support for Sender ID technology, and we encourage others to support and implement this technology so that together we can do more to tackle spam."

Everett-Church suggests this disagreement will need to be resolved before Sender ID gains wide acceptance. "Until [there are] solutions out there that are truly free to the market, open source, and based upon open standards, you're going to have a difficult time getting a lot of buy-in," he says. "At the end of the day, we don't want whole sections of the Internet dependent on a Microsoft licensing agreement. And that's not an anti-Microsoft thing. We wouldn't want it if it were all depending on IBM, Computer Associates, or Apple."
