Ryan Hamlin, General Manager, Safety Technology Strategy Group

Today Microsoft and others in the industry took the next step in that fight by publishing the revised Sender ID Framework (SIDF) specification to the Internet Engineering Task Force (IETF) standards body.

As part of the announcement, PressPass sat down with Ryan Hamlin, general manager of Microsoft's Safety Technology and Strategy Group, to find out more about SIDF and how it fits in with the industry's overall efforts to counter spam.

PressPass: First of all, what are phishing and spoofing?

Hamlin: Phishing and spoofing really go hand in hand. Spoofing is the common spammer practice of altering the e-mail's From address and making it appear to come from a legitimate sender. Phishing is the practice of attempting to trick e-mail recipients into divulging personal information, such as credit-card numbers or account passwords, by sending e-mail pretending to be from a legitimate source, such as a user's bank, credit-card company or online Web merchant. The vast majority of phishing attacks come from e-mail in which the From address has been spoofed. A spoofed address makes the phished e-mail look even more authentic.

PressPass: What is Sender ID, and how does it work to counter those attacks?

Hamlin: Sender ID is a royalty-free e-mail-authentication technology that helps address the problem of spoofing and phishing by verifying the domain name from which the mail is sent. Sender ID validates the origin of an e-mail by verifying the IP address of the sender against the purported owner of the sending domain. It is a fairly straightforward approach, and while it does not explicitly prevent spam or phishing scams from being initiated, it does make them much easier to detect because it provides a more reliable answer to the question "Who actually sent the message?"

However, Microsoft and the industry recognize very clearly that there is no single solution to the spam problem. This is not the end of the journey, but it is a significant step forward in taking away the biggest trick that spammers and phishers use to deceive end users. Sender ID is one piece of the overall puzzle, but a critical piece. We hope it will help provide a foundation for a larger solution to create an effective dragnet that stops spammers and Internet con artists from claiming more victims.

PressPass: What has been changed to improve this revised spec?

Hamlin: After sitting down with other industry leaders, critics and companies in the open-source community to get their feedback, we revised the specification to ensure its compatibility with anyone who has published previous Sender Policy Framework, or SPF, records, and to provide these organizations with a range of choices. This revised specification now accepts the 60,000 or so domains out there that have already published their records, and allows companies to choose between the simple From address verification or what is called a PRA (Purported Responsible Address) verification, which some companies prefer, including Microsoft. So we see this revised specification as a big step forward, and one that is really going to help facilitate deployment by allowing mail receivers to choose the method they would like to use.

PressPass: Who has taken an active role in the Sender ID Framework?

Hamlin: Fortunately, many in the industry have jumped on board from the beginning. AOL in particular has helped us work through some issues that were a concern for them. Sendmail, one of the largest providers of open source e-mail software, has also given input into the new specification. In addition, we are seeing numerous other leading organizations take steps to support and implement Sender ID as well, including Barracuda Networks, CipherTrust, Cloudmark, Constant Contact, the E-mail Service Provider Coalition, GoDaddy.com, Interland, IronPort, Metamail, Port25 Solutions, Sendmail, TRUSTe, Tumbleweed and VeriSign, to name a few.

PressPass: How can organizations get started using Sender ID?

Hamlin: The call to action is really for companies first to publish their Sender ID record. There is a tool on our site (www.microsoft.com/senderid) that will help create that record. Once created, companies need to publish that information in the text record in DNS. For senders, this is the only thing they need to do. Mail receivers, including Internet service providers (ISPs) and mail transport agents (MTAs), have one more step to complete. They need to make sure that their software is compliant and has been updated. Many of the MTAs and ISPs have already made this change or are in the process of making the change for their customers.

PressPass: How is Microsoft implementing Sender ID?

Hamlin: We are already publishing our records and will be rolling out a PRA check later this year for MSN mail and Hotmail. Our system will check the sender domain, to see if there is an SPF record, and perform the PRA check on it. The results of the PRA check will go into our SmartScreen filter, which is our machine-learning technology that will give the e-mail a score. If the domain has a Sender ID record, the e-mail is less likely to be judged as spam. If it doesn't, there will be a higher probability it will be judged as spam. Over time, as the deployment of Sender ID gets wider, the weighting associated with the PRA check will change.

PressPass: Why is Microsoft making the decision to do the PRA check instead of the mail from check?

Hamlin: Well, there are pros and cons of course, which is why the specification allows for the choice. We believe the PRA check provides a more reliable indication of where the mail is coming from and really helps to solve the phishing problem. The other reason is that 10 percent of mail is legitimately forwarded, and PRA provides an easier deployment to allow for those forwarded e-mails.

PressPass: You mentioned that this specification is only one piece of the puzzle. What other technologies out there are showing promise to help combat spammers?

Hamlin: There are other authentication technologies, such as signing technologies, that will complement and enhance this specification and provide a more comprehensive solution, and we support the development of additional authentication technologies that can be used in conjunction with the Sender ID framework. We've been working with two promising proposals in particular, Yahoo!'s DomainKeys and Cisco's Identified Internet Mail. We believe these solutions combined will provide a stronger level of authentication while offering a range of deployment alternatives.

What's important to understand is that there is no one single solution. Sender ID is not the be-all end-all. We believe and hope that a range of alternatives and technologies will evolve over time that will complement and in some cases replace others. No one company can do this alone. It requires an intense amount of collaboration, probably unsurpassed in the industry. The other part is that no technology can solve this problem alone either.