Spammers Hijack Sender ID

On the heels of the repudiation of Microsoft's Sender ID E-mail-authentication scheme last week by two major open-source software groups, spammers are doing the opposite: They're embracing the very standard intended to curb their abuses.

According to E-mail security vendor MX Logic Inc., spammers are trying to make their messages appear more legitimate by adopting the Sender Policy Framework (SPF), which recently became part of Microsoft's Sender ID proposal. To comply with Sender ID, companies publish a list of authorized E-mail servers for the domains they control. That list is used by those receiving E-mail to make sure the purported server of origin matches the one listed in the message header. Because spammers may forge header information to disguise the origin of their messages, their spam would fail this test.

But since spamming is legal, those spammers not engaged in phishing or other fraud may choose to accurately identify their mail servers to avoid filtering based on Sender ID compliance. And that seems to be what's happening. Based on a sample of 400,000 spam messages, MX Logic found that 16% had published SPF records.

Scott Chasin, the company's chief technology officer, says this isn't unexpected. "The fact is that anybody can go out and purchase a $5 domain name and publish an SPF record," he says. "If you could publish your own credit report, how many folks out there would actually trust that?"

"From the perspective of what SPF does, which is provide authentication to stop domain spoofing and phishing attacks, it's fantastic," he says. "To leverage it alone, as a spam solution, is not why it was created."

He sees Sender ID as a vehicle for further industry innovation. "Conceptually, the industry needs to shift from identifying the bad senders to identifying the good ones," he says. Building upon authentication with reputation data is one way to do that. Not coincidentally, MX Logic last week added reputation analysis to its spam-detection scheme.

Other anti-spam vendors, notably IronPort Systems Inc., have been touting reputation as an important component in E-mail filtering for some time now. In part, that's because they see it as a revenue stream. Marketers who spend the money required to comply with applicable laws and public expectation are generally willing to spend more money to have their legitimate E-mail pitches bypass filters.

"A lot of the reputation-based services are indeed trying to position themselves as 'what you need to get delivered,'" says Ray Everett-Church, chief privacy officer at ePrivacy Group, a privacy consulting firm, and board member of the Coalition Against Unsolicited Commercial E-mail.

He notes that while direct mailers might be interested in paying for such a service, there are other companies and institutions outside the E-mail-delivery-for-money business that still need to get their E-mail delivered. "There are other proposals out here that don't have the same PR budget that Microsoft has for Sender ID that don't depend on a certifying agency to control everything," he says. Such anti-spam proposals--under consideration by Marid, an Internet standards group--include Yahoo's DomainKeys and the Trusted E-mail Open Standard, which Everett-Church helped develop. These schemes rely on cryptographic verification rather than sender reputation.

Sender ID's sudden popularity with spammers stands in contrast to its disrepute among some open-source organizations. Both the Apache Software Foundation and the Debian Project have objections to the terms of the current Microsoft Royalty-Free Sender ID Patent License Agreement.

While a Microsoft spokesperson was not immediately available for comment, the company did offer a prepared statement: "AOL, Cloudmark, IronPort, VeriSign, Bell Canada, and the 54-member Email Service Provider Coalition have voiced support for the Sender ID license offered by Microsoft. There's broad support for Sender ID technology, and we encourage others to support and implement this technology so that together we can do more to tackle spam."

Everett-Church suggests this disagreement will need to be resolved before Sender ID gains wide acceptance. "Until [there are] solutions are out there that are truly free to the market, open source, and based upon open standards, you're going to have a difficult time getting a lot of buy-in," he says. "At the end of the day, we don't want whole sections of the Internet dependent on a Microsoft licensing agreement. And that's not an anti-Microsoft thing. We wouldn't want it if it were all depending on IBM, Computer Associates, or Apple."