Microsoft Joins Bonded Sender Program to Stem Spam

IronPort Systems' program certifies e-mail senders as legitimate and requires them to post a financial bond guaranteeing their continued good behavior; it now will handle more than 30 percent of all e-mail traffic.

Searching for a way to stem the tide of spam flooding its customers' inboxes, Microsoft Corp. on Wednesday will announce that it has joined a program that certifies e-mail senders as legitimate and requires them to post a financial bond guaranteeing their continued good behavior.

The program, known as Bonded Sender, is the brainchild of IronPort Systems Inc., a maker of mail security products. Microsoft has been participating in a pilot phase of the program with its Hotmail and MSN services for five months.

Bonded Sender is a twist on the old concept of authenticating mail senders, which many experts say is the best hope for stopping the majority of spam. One of the main reasons that spam is so prevalent is that SMTP, the protocol by which most mail messages are transferred, allows for anonymous sending. This has given spammers the ability to hide behind spoofed e-mail addresses, obscuring the real location of the machine sending the unwanted messages.

IronPort's program relies on both the sender and the recipients for help in solving this problem. In order to join Bonded Sender, high-volume e-mail senders, such as ISPs and online businesses like eBay Inc. and Inc., must submit to a certification process.

The sender must be able to demonstrate a track record of responsible mailing practices and ownership of the sending IP addresses for a considerable period of time. TRUSTe, an independent organization, looks at the sender's history and mailing patterns—as well as complaint rates from recipients—to see whether the company qualifies as a trustworthy sender.

If accepted into the program, the sender then has to post a financial bond, which is held in trust by a bank. IronPort will debit the bond if the sender runs afoul of the program's guidelines by sending messages on behalf of a known spammer, sending unwanted mail to subscribers or committing other similar violations. The amount of the bond is determined by the volume of mail sent and the nature of the organization; for example, nonprofits can post much smaller bonds than large, international ISPs.

IronPort depends on recipients to complain if they begin getting unwanted messages.

"Spam isn't a business done at low volumes, and there are only a couple of legitimate reasons to be sending e-mail in large quantities. If you're not an ISP or a large marketer like eBay, chances are you're a spammer," said Scott Weiss, CEO of IronPort, based in San Bruno, Calif. "The best way to separate the wheat from the chaff is through customer complaints."

Microsoft's participation in the program means that Hotmail and MSN users likely will begin seeing far less spam in their inboxes. Depending on how the Redmond, Wash., company decides to implement the program, Microsoft could choose to accept mail only from bonded senders, of which there are thousands, and treat all other messages as spam.

With the addition of Microsoft to Bonded Sender, the program will touch more than 30 percent of all of the e-mail traffic on the Internet, IronPort officials said.

"The promise to the ISP is much less spam," Weiss said.
