Staff Writer, CNET News.com
Microsoft has revised its antispam specification Sender ID following the spec's near-death in the technical community.
The software giant said Monday that it has rewritten Sender ID—a specification for verifying the authenticity of e-mail with Internet Protocol records—to address criticisms of the spec's earlier incarnation. Among other changes, Microsoft removed language in its pending patents for SenderID that could have included claims to Sender Permitted From, or SPF, a widely used system for e-mail authentication that was merged with Microsoft's CallerID for Email to create Sender ID, according to Microsoft's Ryan Hamlin.
"We wanted to complete what we started," said Hamlin, general manager for Microsoft's safety technology and strategy group. Microsoft has resubmitted the specification to the Internet Engineering Task Force, a technical standards body.
Last month, the IETF shut down the working group that was charged with building consensus for Sender ID and turning it into an industry standard. Consensus became impossible after some people in the open-source community said Microsoft's patent claims could enable the software company to eventually charge royalties. Others were critical of the system's inability to work with previously published records in SPF.
As a result, America Online and open-source groups pulled their support of Sender ID. And Meng Wong, the architect of SPF, said he would retrench on his technical specification alone.
Microsoft's Hamlin said Monday that the company has revised Sender ID by making it backward-compatible with 100,000-plus SPF records already published. He also said Sender ID will give e-mail providers a choice to publish records in SPF, which verifies the "mail-from" address to prevent fraud, or in PRA—purported responsible address.
PRA records let an e-mail provider check the "display address" of an e-mail in its headers against the numerical IP address of the sender. That process can prevent so-called phishing attacks by spammers who forge the display address.
E-mail providers and senders now have the ability to publish in and check the authenticity of e-mail with both methods in Sender ID.
"We've been trying to make it as user-friendly as possible. We've got the spec to the point where you only have to publish one record for two purposes. I see that as a little victory," said Wong.>
Still, some people in the open-source community are concerned about Microsoft's other pending patent over Sender ID, which prevents users of the specification from sublicensing it.
AOL said Monday that it has renewed support for Sender ID in its current form.
The IETF has granted Sender ID "experimental" status so that the industry can test it, along with competing e-mail authentification proposals, and build consensus that way.