Microsoft Opens Access to Its Sender ID Spec

 
 
By Peter Galli | Posted 2006-10-23

Microsoft has made the Sender ID framework specification for e-mail authentication available to users at no cost and with the guarantee that it will never take legal action against them.

The Sender ID specification will now be available to anybody wanting to use it under Microsoft's Open Specification Promise.

The Redmond, Wash.-based software maker issued the promise on its Interoperability Web page Sept. 12, when the company promised not to take any legal action against developers or customers who use any of 35 Web Service specifications.

"There have been lingering questions from some members of the development community about the licensing terms from Microsoft and how those terms may affect their ability to implement Sender ID," said Brian Arbogast, the corporate vice president of Microsoft's Windows Live Platform Development Group.

"By putting Sender ID under the Open Specification Promise, our goal is to put those questions to rest and advance interoperable efforts for online safety worldwide," he added.

In 2005 the Apache Software Foundation said that the licensing policies around Sender ID were not compatible with Apache's own policies, and the open-source organization decided not to implement Sender ID.

This latest Microsoft move is part of an ongoing effort to promote further industry interoperability among commercial software solutions and ISPs that utilize e-mail authentication, including open-source solutions.

"Users will now be able to implement, commercialize and modify this patented e-mail authentication technology without having to sign a licensing agreement," Arbogast said.

Over the past four months Microsoft has announced a number of key interoperability activities focused on business and technical activities, including the establishment of an Interoperability Customer Executive Council, the Open XML Translator Project, and the strategic relationship with XenSource for the development of technology to provide interoperability between Xen-enabled Linux and Windows Server virtualization.

Sender ID has been deployed worldwide to more than 600 million users over the past two years, and more than 36 percent of all legitimate e-mail sent worldwide uses Sender ID.

An estimated 5 million domains worldwide are also protected by Sender ID, Arbogast said.

One of the primary goals behind the Sender ID protocol is to try and help stop the spread of spam, phishing scams, malware and other online exploits in e-mail by helping address domain spoofing, a tactic used in over 95 percent of all exploits where the name in the "To:" line of the e-mail is forged.

Keith McCall, the CTO and co-founder of Azaleos, told eWEEK on Oct. 23 that by adding Sender ID to the Open Specification Promise, Microsoft will drive further awareness of the need for IT organizations to deploy infrastructure for e-mail authentication.

"In any implementation of security technology, though, it's important to deliver multiple layers of protection. Spam-filtering companies like Cloudmark often add support for other protocols that can enable customers to use either Sender ID or an adjunct standard called DomainKeys/DKIM separately, or a combination of the two, for optimum protection," he said.

Research data from MarkMonitor, which was validated by Microsoft, on the DNS (Domain Name System) has found that there has been a threefold increase in Sender ID adoption among Fortune 500 companies to 24 percent today from just 7 percent in July 2005.

It also found that there are currently more than a dozen third-party solutions that support Sender ID, while adoption is growing among companies, including Barracuda Networks, Cloudmark, Iconix, IronPort Systems, SonicWall, Microsoft, Port25 Solutions, Sendmail, MessageSystems, Symantec and Tumbleweed Communications.

A number of networks that have implemented Sender ID, including Windows Live Mail, were recently able to protect their users from the threat posed by a site that spoofed the release of Internet Explorer 7 and directed consumers to a site loaded with Trojan downloader codes.

Traffic to the Web site was being driven by a spoofed e-mail message claiming to be from support@microsoft.com.

"This is an example of the deception and forgery Sender ID protects against, and highlights the importance of implementing Sender ID to protecting users and business from day zero and malicious e-mail exploits," Arbogast said.

This latest Microsoft move has been welcomed by other players in the e-mail space.

"By making Sender ID available under the OSP, Microsoft is addressing the interoperability needs of heterogeneous e-mail infrastructures. We're pleased to see this development and believe it's a positive step in the fight against spoofing, phishing and other categories of unwanted messaging," said Eric Allman, the chief science officer at Sendmail.

Patrick Peterson, the vice president of technology at IronPort Systems, said he hopes that having the Sender ID specification under the OSP will result in widespread adoption across the industry.
