Microsoft Opens Send

Company promises not to sue users of e-mail authentication spec

Microsoft is making the Sender ID framework specification for e-mail authentication available to users at no cost and with the guarantee that the company will never take legal action against them.

The Sender ID specification is now available to anybody wanting to use it under Microsofts OSP (Open Specification Promise), Microsoft said Oct. 23. The Redmond, Wash., software maker issued the promise on its Interoperability Web page Sept. 12, when it said it will not take legal action against developers or customers that use any of 35 Web services specifications.

"By putting Sender ID under the Open Specification Promise, our goal is to put [lingering questions about licensing terms] to rest and advance interoperable efforts for online safety worldwide," said Brian Arbogast, corporate vice president of Microsofts Windows Live Platform Development Group.

In 2005, The Apache Software Foundation said the licensing policies around Sender ID were not compatible with Apaches own policies, and the open-source organization decided not to implement Sender ID.

This Microsoft move is part of an ongoing effort to promote further industry interoperability among commercial software solutions and ISPs that use e-mail authentication, including open-source solutions.

Over the past four months, Microsoft has announced key interoperability initiatives focused on business and technical activities, including the establishment of an Interoperability Customer Executive Council, the Open XML Translator project, and the strategic relationship with XenSource to develop technology to provide interoperability between Xen-enabled Linux and Microsoft Windows Server virtualization.

Sender ID has been deployed worldwide to more than 600 million users over the past two years, and more than 36 percent of all legitimate e-mail sent worldwide uses Sender ID. About 5 million domains worldwide are protected by Sender ID, Arbogast said. One of the key goals behind the Sender ID protocol is to help stop the spread of online exploits in e-mail by helping address domain spoofing, a tactic used in more than 95 percent of all exploits where the name in the "To:" line of the e-mail is forged.

Keith McCall, chief technology officer and co-founder of Azaleos, also in Redmond, said that by adding Sender ID to OSP, Microsoft will drive further awareness of need for IT organizations to deploy infrastructure for e-mail authentication.

"In any implementation of security technology, though, its important to deliver multiple layers of protection. Spam-filtering companies like Cloudmark often add support for other protocols that can enable customers to use either Sender ID or an adjunct standard called DomainKeys/DKIM separately, or a combination of the two, for optimum protection," McCall said.

Research data from MarkMonitor, which was validated by Microsoft, on the DNS (Domain Name System) has found that there has been a threefold increase in Sender ID adoption among Fortune 500 companies to 24 percent in October 2006 from just 7 percent in July 2005.

The research also found that there are more than a dozen third-party solutions that support Sender ID, while adoption is growing among companies, including Barracuda Networks, Cloudmark, Iconix, IronPort Systems, SonicWall, Microsoft, Port25 Solutions, Sendmail, Message Systems and Symantec.

A number of networks that have implemented Sender ID were recently able to protect their users from the threat posed by a site that spoofed the release of Microsofts Internet Explorer 7 and directed consumers to a site loaded with Trojan downloader codes.

A Timeline for Microsoft Openness

* Sept. 12 Makes OSP; says it will not take legal action against anyone who uses any of 35 Web services specifications

* Oct. 17 Makes its Virtual Hard

Disk image format specification available under OSP

* Oct. 23 Makes Sender ID framework specification for e-mail authentication available to users at no cost

Source: eWEEK reporting