The Solution to Spam

Roberta Bragg looks at Sender ID, the new anti-spam technology being developed by Microsoft.

• By Roberta Bragg
• November 01, 2004

A new anti-spam technology being developed by Microsoft, Sender ID won't keep legitimate vendors from sending you advertisements, but will allow you to distinguish between legitimate vendors and those that continually send unsolicited commercial messages. It may also help correctly identify sources of e-mail you don't want to receive at all. Once the sender can be correctly identified, filters that reject known abusers or accept only known, approved sources will work better.

Sender ID is the result of a combination of two technologies: Sender Policy Framework (SPF), developed by Meng Wong, co-founder and CTO of e-mail service provider Pobox.com, and Caller ID for E-Mail, patented by Microsoft. While it isn't the only proposed solution to the spam issue (digital signatures and rate limiting are others), I believe it's the one that can be most rapidly implemented at the least cost to individuals and organizations.

Note that efforts to standardize on a single e-mail authentication solution are in flux. In September, the Internet Engineering Task Force (IETF) working group that was trying to devise a standard sent Sender ID back to Microsoft, citing intellectual property concerns. Shortly thereafter, the working group disbanded altogether, citing "fundamental disagreements" among members. Microsoft already owns a patent on some of the technology; they offer a free license for it, but require that any users obtain a license. Some open-source folks say they don't want to have to license it, even at no cost from Microsoft.

Microsoft's efforts are continuing, though, and major e-mail services and vendors are moving forward with plans to implement Sender ID capabilities for their domains and products. For example:

• MSN has been testing Sender ID.
• Verisign has announced intended support for Sender ID in its e-mail security service.
• IronPort Systems has plans to integrate support of Sender ID in its C-series e-mail security appliances.

Both Microsoft's Caller ID and SPF check an e-mail's purported domain and its originating IP address to see if the IP address is authorized by the domain owner. Caller ID and SPF differ in how the e-mail is examined and its information extracted.

Sender ID provides an e-mail server with the ability to correctly identify who sent an e-mail and thus be able to more easily determine whether to accept or reject it. This method is different from merely determining on an organization-by-organization basis from whom you want to accept e-mail; it allows you to reject all mail that can't be identified as legitimately coming from an authorized source.

How Sender ID Works
When Sender ID is implemented, hosts or nodes will be identified in DNS records as the authorized message transfer agents (MTAs) for e-mails sent by those domains or networks. MTAs—the e-mail server software component that receives messages from and sends messages to other e-mail servers—can then identify whether incoming e-mail is coming from a legitimate source. While the process is subject to user configuration, here's how it works in general (illustrated in Figure 1):

1. An e-mail message arrives at your SMTP mail server. The server identifies the IP address from which the e-mail is received.

2. The mail server performs a check to determine whether the SMTP client—the server that sent the e-mail message to your mail server—is authorized to send the e-mail message. The server gleans the answer by:

a. Extracting the purported e-mail address (the one the message claims it comes from) from the e-mail header.

b. Extracting the purported domain address from the header.

c. Looking up the authorized mail server IP addresses for the purported domain and checking the IP address from step 1 against these addresses.

3. If the IP address in step 1 is among the authorized addresses listed for the purported domain from step 2b, the message is considered legitimate and is passed along. Messages with question marks undergo further checks:

a. If the message has a missing or malformed address or some other questionable condition, it is subject to heightened scrutiny by other means, such as spam filters or quarantining until it can be inspected.

b. If the checking function fails to operate, the e-mail may be rejected or provisionally accepted and subject to the same heightened scrutiny as in point 3a.

c. If the message definitively does not come from the authorized source for the domain from which it purports to come, it should be rejected—either deleted or quarantined until such time as it can be inspected.

Figure 1. The Sender ID Process. (Click image to view larger version.)

Counter Hacks
Every protective mechanism deployed will spawn new attacks. The following attacks might be used to attack Sender ID-based spam solutions:

• DNS attacks. Sender ID will only be as secure as DNS. Forging DNS records would be one way to make an end-run around Sender ID. Securing access to DNS servers, general DNS hardening, preventing DNS cache poisoning and securing dynamic DNS when it's deployed are ways to mitigate DNS attacks.
• Mail server compromise. If the authoritative MTA for a domain can be hacked and used to send out spam, Sender ID will be of no use. Those responsible for the security of mail servers can't expect outside security mechanisms to protect them and must use all possible best security practices to defend the mail server.
• Corruption of e-mail headers in messages. If MTAs are compliant with the IETF draft, these messages should be subject to further scrutiny as described above. It's possible that header corruption will work if that scrutiny isn't done well.

Call to Action
What should you do now, or will you be required to do in the future, to utilize Sender ID on your network? You must examine, and potentially modify, both outgoing and incoming mail processes.

Outgoing Mail Processes
In order to ensure Sender ID's success, it's important to register authorized MTAs in DNS records. The anti-spamtools.org site provides a walkthrough of the process in its Sender ID Framework DNS Record Creation Wizard. You may need to adjust this record should an IETF standard emerge.

• If you simply use your own domain name in the headers of e-mail sent by your servers, nothing is necessary for compliance. You should, however, publish a record in DNS.
• If you forward received mail to other addresses, you must add the Resent-From header that contains the authorized e-mail address.
• If you're responsible for a mailing list server, you must add the Resent-From header that contains the authorized e-mail address.
• If you're a third-party mailer and send mail on behalf of another user, you must add a Sender header to provide the authorized e-mail address.
• If you develop mail client software such as Outlook, your software should display both the responsible address and the From: address if they're different.

Incoming Mail Processes

• If you require Sender ID checks for incoming mail, you must update to Sender ID-compliant software for your mail servers.
• If you're a consumer of ISP or other e-mail services, you don't need to worry about mail server updates; the ISP must update its mail servers.
• E-mail clients may need to be updated to show information provided by Sender ID checks. Sender ID is currently in development/test mode at Microsoft, and no updates are yet available.