Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft to Deploy SPF for Hotmail Users

michael posted more than 10 years ago | from the ever-so-slightly-less-spam dept.

Microsoft 562

wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, MicroSoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."

Sorry! There are no comments related to the filter you selected.

PGP/GPG? (2, Interesting)

Nosf3ratu (702029) | more than 10 years ago | (#9780688)

Why not just use PGP or GPG? I for one, would like to see greater implementation (read: any implementation whatsoever) of these systems in the more common web-based/free email systems such as Yahoo and Hotmail.

Re:PGP/GPG? (5, Informative)

FooAtWFU (699187) | more than 10 years ago | (#9780811)

PGP/GPG are nice, but they have nothing to do with the anti-spamming technology present in SPF. All SPF is, is special data set in your DNS telling you which hosts are allowed to send mail on behalf of your server. That way when your 0wn3d computer sends mail from "hotgirl@hotmail.com", people can tell it's a fake.

Re:PGP/GPG? (0)

bizard (691544) | more than 10 years ago | (#9781004)

Using PGP would just be attacking the problem from a different angle. Rather than saying what servers you can send from, your receiving server could just refuse to accept mail from un-authenticated (no pgp signature) senders. Once enough people were using pgp signatures (including spammers since it wouldn't take much effort) you would then need to either restrict to signatures of people you know (not very useful...you can do that now) or allow all mail from a particular signing authority (imnotspam.com) or trust level that you set.

Obviously the biggest drawback to this is that instead of convincing several large ISPs to make the change, you would have to convince the general public to make changes and set up a trust infrastructure so that you could still receive mail from people you don't know if you wanted to.

I think that using PGP would be a better system, but I don't think it will ever actually happen...too difficult to implement.

Re:PGP/GPG? (3, Interesting)

blowdart (31458) | more than 10 years ago | (#9781054)

I think that using PGP would be a better system, but I don't think it will ever actually happen...too difficult to implement.

Except PGP would mean you have to accept the complete message, then check the signature (and cache a signature for every from address).

SPF does it a lot sooner, from the FROM command, so you're not wasting that much bandwidth. Also there's less caching as it's one record *per domain*

Re:PGP/GPG? (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9780831)

Additional benefit of using GPG/Pubkey Cryptography:

Bulkmailers will have to encrypt every mail with the public key of the recipient. Considering that the average number of mails in a batch is usually >> 50,000, the amount of time needed is non-trivial.

Apart from that, the bulkmailer will also have to retrieve and store the public key of each single recipient.

Re:PGP/GPG? (1)

blowdart (31458) | more than 10 years ago | (#9780842)

OK how is that going to help? PGP means you know the sender, SPF means you are checking that the email address in the header is coming from a valid IP for that domain. Two completely different things.

Also PGP means you have to accept the message and it is up to the user to decide if the message is valid. SPF allows you to reject early during the message transmission, saving bandwidth and disk space if the message is from a forged domain.

Re:PGP/GPG? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9780867)

I will never post my private key on a hotmail server.

All the computation need to be local and not remote.

Re:PGP/GPG? (0)

Anonymous Coward | more than 10 years ago | (#9780902)

YOU PUBKEY YOU STUPID US-FUCKHEAD

(I hate it when they are completely clueless.)

Re:PGP/GPG? (1, Informative)

Anonymous Coward | more than 10 years ago | (#9780877)

PGP solves a different problem.

With SPF, you can tell that a mail comes from a server which isn't supposed to send it, if SPF records are present and the mail was sent through a server which doesn't match.

With PGP, you can tell that a mail comes from the person who owns the key, if a PGP signature is present and checks out ok. You cannot tell if a mail comes from the person who owns the mail address if no PGP signature is present. PGP would have to have a very high market penetration to be useful as an anti-spam indicator.

Re:PGP/GPG? (1)

xmas2003 (739875) | more than 10 years ago | (#9780889)

PGP/GPG are on the client Email program side ... and are good things in of themselves. But interesting that Microsoft is moving this fast ... and the question is will the other large ISP's (ex: gmail!) and Fortune-50 companies enforce this also ... could have a BIG impact on spam Email because would make using zombie PC's MUCH more difficult for the slimebags - The Hulk [komar.org] keeps trying to smash these guys, but they keep coming back! ;-)

Curious (2, Insightful)

gregarican (694358) | more than 10 years ago | (#9780690)

To me this sounds like a positive step. I'm just wondering what the Microsoft haters will post about it to make it sound like a bad thing...

Re:Curious (0, Flamebait)

RLW (662014) | more than 10 years ago | (#9780731)

No one hates microsoft. What are you talking about? ;-)

Re:Curious (0)

Anonymous Coward | more than 10 years ago | (#9780739)

I'm just wondering what the Microsoft haters will post about it to make it sound like a bad thing...

too late
not enough
won't work
big deal, they still suck in x, y, and z

Re:Curious (2, Informative)

Anonymous Coward | more than 10 years ago | (#9780805)

They'll tell Microsoft burried SPF by requiring post-DATA checks on messages (parsing of RFC 2822 headers), instead of pre-DATA fast MAIL FROM parsing.

*And* requiring a totally useless XML format, so that every SPF-capable MTA has to incorporate an XML parser.

(feeling like one of them, strangely... :-)

Re:Curious (2, Insightful)

gnuman99 (746007) | more than 10 years ago | (#9780990)

*And* requiring a totally useless XML format

What XML? I don't see any XML in the spf1 records.

Re:Curious (5, Insightful)

Neil Watson (60859) | more than 10 years ago | (#9780824)

It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'? This could be a step forward for us all. It could also be step back.

Re:Curious (2, Insightful)

irokitt (663593) | more than 10 years ago | (#9781045)

As heated as the e-mail competition is now, and as frantic as it could get once GMail comes out, Microsoft is not going to be able to strangle things with an off-standard implementation via Hotmail. Hotmail has serious competition from Yahoo and other web-based ilk, particularly since Hotmail still has an inbox size of only 2MB (this despite promises that an upgrade is "coming soon").

One way Microsoft could push this is if they implement it in Outlook, which has a monopoly where desktop e-mail clients are concerned. But implementing it through Hotmail means it has to fight with every other web-based site's methods.

Re:Curious (3, Insightful)

gnuman99 (746007) | more than 10 years ago | (#9781058)

It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'?

This does not work if you are a minor player. Microsoft is a minor player in e-mail servers. This is also the reason why Microsoft wants to adopt SPF instead of creating something themselves.

Agreed. (1)

gregarican (694358) | more than 10 years ago | (#9781059)

Good point. This has certainly happened in the past. The XML standards is one counterexample but there aren't that many of them. I can only hope that they won't "extend" a broken supposed standard and wind up falling short of the mark.

Re:Curious (2, Interesting)

Al Dimond (792444) | more than 10 years ago | (#9780872)

I can't quite get my head around how this affects me, actually... I'm a student at University of Illinois, I use an @uiuc.edu email address. If I live in an apartment off campus, however, I send my outgoing mail to my ISP's smtp server with my uiuc.edu address as the "from" address, because that's where I prefer to get my e-mail. So will this put my e-mail to SPF-enabled receivers under scrutiny? Or am I OK as long as my ISP is legit according to this system?

Based on the article, it seems like it would... and that's no beef with Microsoft, it's a beef with the filtering systems.

Re:Curious (4, Informative)

E-Rock (84950) | more than 10 years ago | (#9780911)

My understanding is that you should be changing the REPLY-TO not the FROM. Let FROM be where the message is actually from and there's no blocking problem. With the REPLY-TO set, anyone that presses reply goes to your prefered destination.

It IS bad, because... (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9780918)

it will make it more harder for guys like me to run an SMTP server on their own Linux box from a dynamic IP address. And it will do pretty much nothing to prevent spam.

Dispite being a Microsoft hater (2, Insightful)

eGuy (545520) | more than 10 years ago | (#9780948)

I refuse to buy a handheld/laptop/desktop with MS software - such is my hate. Nonetheless, this is a great thing:
- They are going about it the right way (IETF rfc as an open standard, open source system)
- They have a lot of weight to actually make it happen
- This is something that should have been done a long time ago.
If they modified things from other proposals, I don't care. This is just something that simply has to happen!
So despite coming from microsoft, this is great news.

Opps, that would be "Despite" (1)

eGuy (545520) | more than 10 years ago | (#9780985)

That would be Despite. Just had to correct myself before someone else does.

Making sure I see my role in this... (5, Interesting)

E1ven (50485) | more than 10 years ago | (#9780695)

Ok.. Let me make sure I understand this correctly..

I maintain a few domains, such as a Sq7.org [sq7.org] , from which I send e-mail.. I send it from home, from my girlfriends house, from wherever I happen to be.. But I send it by connecting through the sq7.org server, and forwarding mail through there.

The way I understand SPF, I just need to publish that the IP sq7.org runs on is authorized to send Sq7.org's mail, and NOT the IP for my home, office, etc, since I don't send directly from the local computer.

If I did send directly from the local computer, without going through the external server, I'd need to add my local IP to the SQ7.org DNS records.

As it is, though, I'll need to avoid using my ISP's SMTP servers if mine go down, or add them to the domain.

Am I understanding this right?

-Colin

Re:Making sure I see my role in this... (5, Informative)

YetAnotherDave (159442) | more than 10 years ago | (#9780855)

SPF allows you to state a list of servers which are qualified to send.

So you could add your server + your ISP's servers, so your fallback would still be within your SPF record

Re:Making sure I see my role in this... (0)

Anonymous Coward | more than 10 years ago | (#9780864)

exactly.

Re:Making sure I see my role in this... (5, Interesting)

mshultz (632780) | more than 10 years ago | (#9780887)

Yeah, I was wondering about this too--- particularly how this is going to work with things like universities. Where I just graduated from, you're only allowed to use their SMTP server if you are either on campus, use the VPN, or are using authentication over SSL from wherever. For everyone off campus, you are expected to use your ISP's SMTP server.... and often, you'd have to anyway, with ISP's blocking outgoing port 25 these days. So how then would a university, for example, implement SPF with people using whatever.edu 'From' addresses, but going through thousands of different ISP-owned SMTP servers?

Surely there's a better solution than to have people change their 'From' address based on who's providing their internet connection at that moment (a real challenge for wireless hotspot users.....), and just keep the Reply-To header constant.

Maybe I understand this wrong-- just wondering how it's all going to work.

Re:Making sure I see my role in this... (2, Interesting)

bitMonster (189384) | more than 10 years ago | (#9780895)

That sounds right to me. I think I need to do the same for my domain,

This will be ticky for some family members that I provide (inbound) forwarding service for. In fact, I wonder how this will work for pobox.com forwarding accounts? Will they need to provide outbound SMTP service as well?

How about all the folks that use forwarding addresses like @alumni.myschool.edu? Or @computer.org?

Re:Making sure I see my role in this... (1)

extra88 (1003) | more than 10 years ago | (#9781063)

How about all the folks that use forwarding addresses like @alumni.myschool.edu? Or @computer.org?

I think the primary purpose of @alumni addresses is to provide an "eternal" address for *receiving* mail rather than sending it. An individual would advertise their @alumni address in various places such as in their .sig file and maybe use it on a Reply-To: line but not on the From: line.

Re:Making sure I see my role in this... (1)

jzilla (256016) | more than 10 years ago | (#9780910)

SPF just allows the reciever to verify that the email server that a given email claimes to have used could have actually sent the mail.

No matter what ip is sending the mail, as long as you server answers "yes, the user in question is allowed to send email from this server", the SPF check will succeed.

A simple break down. An incoming mail claims to have been sent from myhost.com. Recieving server contacts myhost.com's registered email server and asks "can this user send mail". myhost.com answer either yes or no. So what ip you send the mail from doesn't enter the equation.

Re:Making sure I see my role in this... (1)

tgd (2822) | more than 10 years ago | (#9781012)

Um, have you looked at the standard? Its DNS based, the IP it comes from is all that matters.

YES (1)

autopr0n (534291) | more than 10 years ago | (#9781056)

You are correct. Although, you could add those other IPs if you wanted to, and send directly from those machines.

No posts =( (4, Funny)

Bwerf (106435) | more than 10 years ago | (#9780703)

Damn, now I have to read the article.

I'm confused.. maybe I've had too much free beer (5, Funny)

peculiarmethod (301094) | more than 10 years ago | (#9780705)

Wait a second. Microsoft is willingly employing open source market software? (looks at calendar).. hmm.. it's not early april. It's either armageddon, or old dogs can be taught new tricks!

pm

Re:I'm confused.. maybe I've had too much free bee (0)

Anonymous Coward | more than 10 years ago | (#9780759)

Microsoft has no problem using open source software. The surprise is them admitting it.

Re:I'm confused.. maybe I've had too much free bee (1)

FooAtWFU (699187) | more than 10 years ago | (#9780781)

Hey, Microsoft willingly employs HTTP as well! Maybe this open-source thing isn't so bad after all!
(sound of head beating against wall here)

Hey, Microsoft willingly employs HTTP as well! (1)

dpilot (134227) | more than 10 years ago | (#9780899)

No they don't. If they did, the Browser Wars would be largely irrelevant, and people could pick what they liked instead of being forced by 'this site best view with...' requirements. Spoofing the user agent never would have needed to be invented.

Re:Hey, Microsoft willingly employs HTTP as well! (2)

WhiteBandit (185659) | more than 10 years ago | (#9780950)

No they don't. If they did, the Browser Wars would be largely irrelevant, and people could pick what they liked instead of being forced by 'this site best view with...' requirements. Spoofing the user agent never would have needed to be invented.

Yes they do. ;)

You're thinking of HTML, not HTTP which are two different things. :p

Re:Hey, Microsoft willingly employs HTTP as well! (4, Interesting)

gordyf (23004) | more than 10 years ago | (#9781037)

They've fiddled with HTTP also. ISTR some tricks [grotto11.com] IE did with IIS to keep persistent connections so that page loads would be quicker.

Re:Hey, Microsoft willingly employs HTTP as well! (2, Informative)

Bedouin X (254404) | more than 10 years ago | (#9781022)

You're confusing HTTP with HTML.

Re:I'm confused.. maybe I've had too much free bee (0)

Anonymous Coward | more than 10 years ago | (#9780788)

I always get a cold chill when I read a phrase like this:

"In late May, MicroSoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID)" [added emphasis]

After all, their Kerberos change for Active Directory was only slight as well, and *that* didn't cause any problems, did it? Anyone have any details on these new 'slight changes'?

Re:I'm confused.. maybe I've had too much free bee (1, Troll)

Curunir_wolf (588405) | more than 10 years ago | (#9780830)

Wait a second. Microsoft is willingly employing open source market software?

No, you missed the part about "(with a slight modification to make it Sender ID)".

Standard Microsoft "embrace and extend" technique.

Re:I'm confused.. maybe I've had too much free bee (3, Insightful)

Reckless Visionary (323969) | more than 10 years ago | (#9780924)

Um. . .isn't that the point of open source?

If the wanted to help (0)

Anonymous Coward | more than 10 years ago | (#9780711)

they'd shut down hotmail, buy aol and shut it down too.

Great (4, Insightful)

bnewendorp (764839) | more than 10 years ago | (#9780712)

Let's hope this method of reducing spam will work. I have noticed that less spam I receive comes from Hotmail, Yahoo, etc. type e-mails, but hopefully this will help more. I am curious just how much work is involved in publishing these lists, and more importantly, how often are they updated? If they don't get real time or near-real time updates, they aren't going to be very useful.

"enforcing" (1, Redundant)

nurb432 (527695) | more than 10 years ago | (#9780713)

Does this mean that if my email doesnt ( or cant, as i admit i dont know enough about SPF to know ) comply to what they feel is the 'answer', i can no longer send email to hotmail users?

While I'm also against spam, is allowing a large monoply to force the use of a particular method the proper route to take?

Re:"enforcing" (0)

Anonymous Coward | more than 10 years ago | (#9780744)

RTFA

Re:"enforcing" (1)

nurb432 (527695) | more than 10 years ago | (#9780884)

How about 'GTFH'.. how damned helpful of you by answering a simple question with a useless, sarcastic comment.

A question that many people will be wondering who may not be able to just 'rtfa', as you so eloquently put it.

Get up on the wrong side of the sidewalk today did we?

Re:"enforcing" (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9780958)

No. He just obviously doesn't like to deal with people who are fucking stupid, like you.

The only thing stopping you from actually reading the article is the fact that you're a stupid cunt. Nothing more, nothing less.

Re:"enforcing" (3, Insightful)

jhunsake (81920) | more than 10 years ago | (#9781018)

The person that wrote "RTFA" is trying to help you in a more profound way. They are trying to teach to learn to read before asking, something that will make you look like less of an idiot (which you presently look like).

Give the man a fish, and you feed him for a day. Teach the man to fish, and you feed him for a lifetime.

No. RTFA (2, Informative)

stryders (564863) | more than 10 years ago | (#9780757)

Messages that fail the check will not be rejected, but will be further scrutinized and filtered, said Craig Spiezle

A failed PRA check will be a "factor" that Microsoft's SmartFilter technology will use to determine whether a given message is spam, according to George Webb

Re:"enforcing" (2, Informative)

BasilBrush (643681) | more than 10 years ago | (#9780946)

It's a new open standard that forms part of the way you send mail from now on. It is a very worthwhile method of cutting down on SPAM that spoofs it's origin. If you (or more likely your ISP) don't want to conform to the standard, no one is stopping you from sending eMail. But you just have to accept that there is a much higher chance of it being filtered by a spam filter, no matter who you send it to.

Re:"enforcing" (0)

Anonymous Coward | more than 10 years ago | (#9781000)

Hey, we want our apostrophe back.

Microsoft adopting open source... (0, Troll)

Vaginal Discharge (706367) | more than 10 years ago | (#9780718)

Umm... damn, I just saw a pig flying by my office window.

Re:Microsoft adopting open source... (1)

Opie812 (582663) | more than 10 years ago | (#9781014)

Umm... damn, I just saw a pig flying by my office window.

Your girlfriend get off work early today?

Misinterpreted headline (5, Funny)

Joey Patterson (547891) | more than 10 years ago | (#9780740)

Microsoft to Deploy SPF for Hotmail Users

So, now that Microsoft already dominates the OS and free e-mail markets, it's trying to get into the sunscreen market as well?

I don't know which is worse, the cure or the disease.

Re: Misinterpreted headline (4, Funny)

cuzality (696718) | more than 10 years ago | (#9780862)

...it's trying to get into the sunscreen market as well?

Microsoft is just trying to protect its empire from the Sun.

Re:Misinterpreted headline (1)

Walterk (124748) | more than 10 years ago | (#9780977)

Well, if you have a hot mail address, you're going to need some UV protection. The late commitment to protecting their users with sunscreen will only lead to the detection of skin cancer in a lot of people!

False Sense of Security (4, Insightful)

Linuxthess (529239) | more than 10 years ago | (#9780751)

The SPF's website says,
"Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!"

The problem arises though when the phisher/spammer uses a domain which is fairly similar to your bank or credit cards website, for example www.XYZCapitol.com instead of www.XYZCapital.com.

Re:False Sense of Security (1)

Zaranne (733967) | more than 10 years ago | (#9780865)

Yea, but that would only be a problem if you don't have a junk folder. Your "safe lists" can tell the difference. If I go into my junk folder and find something supposedly from my bank, friends, etc., then a red flag is raised in my mind. I don't assume it's the real thing.

That's not a false sense of security to me. It just means I need to pay attention, which is what we all should be doing anyway.

Opening up the "Pink Slip Virus" is something that dingbats do...after repeatedly being told NOT to.

Re:False Sense of Security (2, Insightful)

BasilBrush (643681) | more than 10 years ago | (#9781010)

Even that is less serious than it once was. At least you have a high degree of certainty that it originated from www.XYZCapitol.com, which gives you a lead on tracing the true source of the phish.

SPF version? (5, Funny)

pio!pio! (170895) | more than 10 years ago | (#9780756)

Next year MSFT will release SPF15 for those needing additional protection. SPF 30 and 45 to follow for those extremely pale nerds who never go in the sun

Re:SPF version? (1)

Joey Patterson (547891) | more than 10 years ago | (#9780837)

Next year MSFT will release SPF15 for those needing additional protection. SPF 30 and 45 to follow for those extremely pale nerds who never go in the sun

Microsoft has also announced the followup to SPF 15, SPF 30, and SPF 45. In a statement, Microsoft CEO Steve Ballmer announced SPF 2007, which analysts believe won't be ready for release until at least 2010.

Re:SPF version? (1)

Dr. Evil (3501) | more than 10 years ago | (#9780852)

Great, now I'm stuck thinking "Spam Protection Factor" every time I see the acronymn SPF.

Thanks.

Re:SPF version? (1)

lukewarmfusion (726141) | more than 10 years ago | (#9780854)

If you never go in the sun, why do you need the protection?

Sounds like walking into Best Buy and asking to buy the service plan on an appliance you don't have and don't plan to get.

Re:SPF version? (5, Funny)

TopShelf (92521) | more than 10 years ago | (#9780882)

Obviously this is a major initiative by Microsoft to wipe out Solaris...

(sorry, couldn't help myself)

Honest curiosity here... (1)

Sephiro444 (624651) | more than 10 years ago | (#9780765)

Will the mentioned "slight modifications" made by Microsoft to create the Sender ID standard also make it different enough from the OS SPF to call it proprietary?

For woe be the day MS openly embraces a developing standard not of its own design!

Re:Honest curiosity here... (1)

BasilBrush (643681) | more than 10 years ago | (#9781051)

No. SPF isn't the standard any more. MS CallerID and SPF were merged by mutual consent to create SenderID.

Wow (1)

PhilippeT (697931) | more than 10 years ago | (#9780772)

MicroSoft
havent seen it writen like that in a long time

Any Windows DNS folk reading this... (2, Interesting)

bheer (633842) | more than 10 years ago | (#9780794)

Is there a easy guide to deploying SPF on Windows 2000's DNS Service? Something that I can give the MCSEs who run our IS team and get their attention would be appreciated.

Re:Any Windows DNS folk reading this... (1)

blowdart (31458) | more than 10 years ago | (#9780904)

It's like anything else, it's just a text record. Use the online SPF generator [pobox.com] (it's called a wizard, which should make MCSEs happy), then add a TXT record by right clicking on your domain in the DNS admin, choose add new record, choose TXT and paste the wizard results in.

Brings a new meaning to (1, Funny)

GillBates0 (664202) | more than 10 years ago | (#9780798)

*hot*mail. I'll start using SPF-90 sunscreen while handling hotmail.

What is the difference between SenderID and SPF (1)

spitzak (4019) | more than 10 years ago | (#9780807)

Okay, all I know is that SPF is a good deal simpler than SenderID and much more popular, due to the simple text format verses the use of XML.

However can somebody please clearly explain what (if any) differences there are between what they do. I mean after the data is decoded, is one of the superior to the other, or a superset of the other? Or are they totally independent checks, or are they slightly intersecting checks?

Honestly I can say I am extremely happy to see Microsoft adopting a standard that was not proposed by them. They should learn from this, the amount of good feelings they engender by doing this and resulting increses in sales of their other products and increased cooperation by other programmers probably outweighs any monetary gain from a proprietary solution by a hundred fold or more.

Re:What is the difference between SenderID and SPF (5, Informative)

wayne (1579) | more than 10 years ago | (#9780897)

Okay, all I know is that SPF is a good deal simpler than SenderID and much more popular, due to the simple text format verses the use of XML.

XML was dropped from the Sender ID spec by the IETF last month.

The primary difference between SPF and Sender ID is that Sender ID also has the ablility to check the RFC2822 From: email header in addition to the RFC2821 envelope from value. This is something that most of the people in the SPF community wanted to do all along, but it would require changes in end-user mail systems, such as outlook, to do right. Without the support from MicroSoft, this couldn't really be done.

Re:What is the difference between SenderID and SPF (1)

frankie (91710) | more than 10 years ago | (#9780922)

SenderID is a superset of SPF, it supports both SPF TXT records and MS XML records.

Easy? (4, Interesting)

Compholio (770966) | more than 10 years ago | (#9780815)

Publishing SPF records is easy, as is checking SPF records."

Only if you can edit your own DNS records, most management tools only allow modification of A, MX, and CNAME records. For this to really take off the tools need to add support for TXT records.

Re:Easy? (3, Informative)

Rich0 (548339) | more than 10 years ago | (#9780933)

And currently most free dynamic DNS services do not support it.

This of course means that my outgoing mail will probably get spam filtered in the near future unless this changes.

nice concept but not as practical in all scenarios (4, Informative)

mabu (178417) | more than 10 years ago | (#9780822)

Generally, I like this idea, especially from the perspective of controlling misdirected bounces.

Where it seems to be a problem though (someone correct me if I'm wrong), is in a case where someone, for example is doing web hosting and controls a domain, and the customer wants to configure his e-mail client to send mail "from" the domain through a local ISP. The way SPF works, the authorized hosts from which mail with that domain in the header must be defined in the DNS records. This means that if the hosting company isn't the customer's ISP or mail relay, he needs to keep track of what mail relays the customers use. If a customer changes ISPs and doesn't have the DNS info updated, then their mail may suddenly be rejected by SPF servers?

This seems to be good for ISPs and services like Hotmail and gMail, which endeavor to have exclusive control of incoming and outgoing mail under their domains, but for smaller ISPs or scenarios where one person may be managing the domain, with the customer using a local ISP/mail relay, it seems to be a big pain in the butt.

MSN Broke My Email (4, Interesting)

stoolpigeon (454276) | more than 10 years ago | (#9780825)

They are making all kinds of changes lately-- and they are not bothering to send anything to their users. I've been an MSN customer since just after they started up the service. Last week Outlook couldn't pull my email from their pop3 server any more. I sent in a help ticket. The reply I got said it was a problem they were fixing- and gave me instructions to set up Outlook Express to pull web mail from an http server.

I responded that I don't use Outlook Express, I use Outlook 2000 and it will only pull Email from pop or imap servers. Their response, upgrade to Outlook 2002 (or above) or just use the hotmail interface. Of course using hotmail means no more hot syncing to my palm and I have to start manually sifting through spam again (my filter I use is an Outlook plug in)

I had been thinking about changing my ISP but now I don't even have a choice.

What ticks me off most is there was no advance notice of these changes- and it took multiple emails to MSN support to find out what was really going on.

Re:MSN Broke My Email (2, Informative)

Kenja (541830) | more than 10 years ago | (#9780900)

"I've been an MSN customer since just after they started up the service."

Customer or user? Customers pay for a service and expect a level of support for their dollar. Most pople who have Hotmail acounts are just users, who pay nothing and should not expect anything back.

Re:MSN Broke My Email (1)

pHatidic (163975) | more than 10 years ago | (#9780984)

Not true. Hotmail isn't free, it just doesn't cost any money. You have to look at advertisements every time you check you email and this is how you pay. If Microsoft can make me forget all the advertisements I've ever seen from them so I can be 100% positive they no longer can influence my buying decisions, then I'd say it would be perfectly fair for Microsoft to suspend service of its email.

Re:MSN Broke My Email (1)

stoolpigeon (454276) | more than 10 years ago | (#9781060)

Customer - I'm talking about MSN not hotmail. (in other words the account address I'm talking about is 'foo@msn.com' not 'foo@hotmail.com') But they are now telling me that if I don't upgrade (buy) a newer version of Outlook, I can only get to my mail through the hotmail interface.

I have been a paying customer of the MSN dial-up service for quite a few years- long before hotmail existed.

Proof that technology (not legislation) works. (4, Insightful)

Sheetrock (152993) | more than 10 years ago | (#9780829)

Part of the secret to the success of the Internet is in allowing unfettered communication between endpoints. While I am to some degree concerned about the technical approach to solving the spam problem, because of the collateral consequences it may have, it does not raise the spectre of 1st Amendment violation that anti-spam legislation does.

That Microsoft is taking part is to their credit. Finally the Internet at large is going to actually try to apply a solution to spam at the source. Although the unsolicited commercial email problem is largely one of perception (as with violent computer games, smoking in public, or 'indecent' radio broadcasting) perhaps the solution will have less of a negative impact on society. One can only hope.

I guess it's time to do some research (3, Interesting)

Paul Carver (4555) | more than 10 years ago | (#9780839)

I have a couple of domains registered and pointed at a cheap shared host. I generally send mail using either Mutt over ssh or Mozilla via several different SMTP servers (cablem modem ISP, web host ISP, work SMTP server) and I routinely edit my from address to use whatever userid and whichever of my domains is relevant.

I guess this change means that hotmail users won't be able to receive mail from me unless I read up on SPF and figure out how to get the appropriate configurations into my bargain basement DNS and hosting configs. I hope this doesn't require any administrative privliges since I don't run my own DNS or mail servers for my domains. You can't do that sort of thing for less than $20/month.

Re:I guess it's time to do some research (1)

athakur999 (44340) | more than 10 years ago | (#9780981)

If you don't have any SPF entries published as part of your DNS record, then receiving hosts won't try to do any SPF authentication. So if you don't want to or can't set up SPF records, then no worries, your mail will be treated the same as it always has been.

Yay, no more hotmail forgery bounces (2, Interesting)

frankie (91710) | more than 10 years ago | (#9780861)

Just yesterday I got multiple "Delivery Status Notification (Failure)" messages from postmaster@mail.hotmail.com, informing me that stupid spams could not be delivered. The headers show they were sent from 62.231.179.13 (in Novokuznetsk Russia) and claimed to be from my employer's domain (in eastern USA).

Now if only our anti-spam group would add SPF records. They're deep in the Redmond camp, so the phrase "Microsoft is doing it" should convince them.

This is nice (2, Insightful)

fluor2 (242824) | more than 10 years ago | (#9780871)

This is very nice comparing to what others do: nothing.

The SMTP protocol have sucked for ages, and we applaud any action taken to improve it.

We're gradually seeing the start of SPF, I think. (1)

caluml (551744) | more than 10 years ago | (#9780925)

It was just yesterday I think, that someone on here was saying that it would take MS, Yahoo, or AOL to start using SPF to drag the rest of the world onto it. I have looked at it, but I haven't started using it. Once a few sites start rejecting me for not using it, I guess I'll have to add the records. There was a wizard somewhere for generating the SPF records you would need for your domain. Time to look it up, I think.

Solves the 1998 spam problem? (3, Insightful)

kawika (87069) | more than 10 years ago | (#9780929)

Okay, now we can verify that a mail server that says it is someserver.com is really someserver.com. Back when the big problem was open SMTP relays that sure would have been helpful.

But now that the problem is spam zombies on millions of user PCs, how will this put a dent in the problem? Sure they won't be able to connect directly to Hotmail to say they're someserver.com, but it won't stop them from sending spam through their own ISP's mail server. Since the key to spam zombies is having a lot of PCs that send relatively few spams per PC, it will be very difficult for each ISP to track down and stop each zombie.

Re:Solves the 1998 spam problem? (1)

athakur999 (44340) | more than 10 years ago | (#9781035)

If someserver.com sets up a SPF record saying that mail.someserver.com is the only host allowed to send mail using that domain, then zombies won't be able to send any messages using that domain as their IP address will not match what is specified in the SPF record.

Yes, but (3, Funny)

Anonymous Coward | more than 10 years ago | (#9780949)

Will it be SPF 15 or SPF 30?

Oblig. typical /. comment (-1, Troll)

fiannaFailMan (702447) | more than 10 years ago | (#9780959)

"This isn't going to completely eliminate all spam overnight, therefore it's pointless." (Damn this karma stuff is easy to earn!)

I want to use this on my 30+ domains... (3, Informative)

herrvinny (698679) | more than 10 years ago | (#9780964)

But they were registered using GoDaddy, with Hostway nameservers. For this to really get off the ground, the regular hosting companies have to support it as well. The only registrar that offers spf is (that I'm aware of) PairNIC [pairnic.com]
.

What scares me.... (2, Funny)

Like2Byte (542992) | more than 10 years ago | (#9780982)

What scares me is that this could be the first step to controlling email via certain companies.

What if BIG CORPORATION A decides to sell its assets running the SPF machines to BIG CORPORATION B and BIG CORPORATION B combines As and Bs machines. Eventually one BIG CORPORATION will own all the SPF machines or a very large portion there-of. Then what?

What about all the little upstarts who don't want to be bothered with figuring out SPF or understanding people's desire to use it? What if a time sensitive e-mail (yeah, yeah, e-mail should not be used for critical info..blah blah blah) is slowed from getting from its origin to its destination? How could this system be abused - aside from the computing end of things?

E-Mail tax? You know, the tax that could be enacted to pay for the cost of running the system should GOVT n decide to use it? See where I'm going?

Maybe my fears are unfounded.

{Don's asbestos suit.}

So umm (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9780988)

So umm, a service that MS wants every email server on earth to access, gets slashdotted?

Yeah this will work...

Hosted DNS? (1)

autopr0n (534291) | more than 10 years ago | (#9781024)

I have a couple domains that I host myself, but those don't even have MX records, and I never use them for email.

On the other hand, the first domains I purchased were with register.com. As far as I can tell, there is no way to include SPF records using their web forms. In theory I could use my own DNS servers, but theirs are obviously more reliable :).

In my view, for this to take off, hosted DNS providers really need to get behind it.

How will this stop spamming? (5, Insightful)

mabu (178417) | more than 10 years ago | (#9781027)

I am unconvinced this scheme will make much of a difference in the spam epidemic.

If anything, the SPF idea primarily favors the big ISPs and consolidated mail services. Microsoft and others aren't doing the industry a favor at all by adopting this standard. It clearly benefits them more than it does small and medium-sized Internet hosts. I am under the impression that for any Internet operation that doesn't control all the inbound and outbound mail for domains they manage will have a much higher administrative burden than the big guys. So this scheme makes sense for large ISPs and costs more time and money for smaller ones.

And ultimately, it would only stop spam if every system on the planet adopted it. Otherwise a spammer will simply operate from a host that isn't SPF-compliant. Until the lion's share of systems adopt SPF, no ISP can afford to arbitrarily reject non-compliant systems.

This scheme seems to heavily favor the "all-in-one" Internet companies, who manage both sending and receiving. If you're having one company manage your domain and using a local ISP for SMTP, then you run into problems. As an owner of a hosting company, if this scheme were adopted, I'd probably get several phone calls a day from customers freaking out that their mail bounced, and even if I had an automated system where they could specify authorized smtp hosts, I'd still have to waste a bunch of time explaining to them that if they configure their local client to be "from" their domain, and they change ISPs, they need to update these records as well.

Ultimately, this is bad. It makes the largest ISPs, who can afford to offer SMTP and all other services, easier to work with, and the smaller guys have more of an administrative overhead to keep up with DNS management.

easyDNS or other DNS providers? (1)

ceswiedler (165311) | more than 10 years ago | (#9781044)

I send mail from my home server through my ISP as a smarthost. DNS is managed by another company (easyDNS). I assume that I would have to have my DNS provider enter the SPF information, since I don't manage it myself. Do most DNS providers allow the user to enter data like this in the TXT record?
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?