Spammers Using Sender ID


Technology Review’s Simson Garfinkel picks up on an article published at Infoworld.

“Spammers have started publishing their own Sender ID records, allowing their email to speed through anti-spam filters, according to this IDG News Service article.

Sender ID works by providing out-of-band notification of what IP addresses are authorized to originate email for each domain. So what the spammers have done is sign up for $5 domains, published records saying that their machines are authorized, and then they send away.”

In the Infoworld article, Paul Judge, chief technology officer at CipherTrust, says the problem is that spammers have been faster to adopt the technology than legitimate e-mail senders.

Meng Weng Wong (co-author of both the SPF and Sender ID standards) argues that neither SPF nor Sender ID was ever intended to stop spam:

“The technology is merely a way to stop one loophole spammers use: source address spoofing. Evidence that spammers are publishing SPF records is a good sign…

Spammers are buying into a future that will wipe them out…

In theory, when all spammers are forced to publish SPF records, along with all legitimate e-mail senders, it will be easy for legitimate companies to develop e-mail reputations for Internet domains that do and do not send spam

…In the past, we assumed all e-mail was good and tried to filter out the bad stuff. In the future, we’ll assume all e-mail is bad, and filter in the good stuff. It’s a lot easier.”
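To make the distinction between authentication and reputation concrete, here is an added sketch (not from any of the articles quoted here) that evaluates a simplified SPF-style record and then applies a per-domain reputation score. It understands only `ip4:` mechanisms and `all`; the domains, records, addresses, scores and threshold are constructed sample data.

```python
import ipaddress

# Constructed sample data: records as they would be published in DNS TXT,
# and a receiver-side reputation table keyed by the authenticated domain.
RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "cheap-pills.example": "v=spf1 ip4:203.0.113.7 -all",  # spammer's $5 domain
}
REPUTATION = {"bank.example": 0.95, "cheap-pills.example": 0.02}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(domain, client_ip, records=RECORDS):
    """Simplified check: only ip4: mechanisms and 'all' are understood."""
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or not (terms[0] == "v=spf1" or terms[0].startswith("spf2.0/")):
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            try:
                network = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "permerror"
            if ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this sketch
    return "neutral"  # no mechanism matched


def classify(domain, client_ip, threshold=0.5):
    """Authentication only names the sender; reputation decides delivery."""
    result = check_sender(domain, client_ip)
    if result == "fail":
        return "reject: spoofed " + domain
    if result != "pass":
        return "filter: unauthenticated"
    if REPUTATION.get(domain, 0.0) < threshold:
        return "reject: authenticated but poor reputation"
    return "accept"
```

The spammer's own domain gets a clean `pass` from the record check, which is exactly the behaviour the Infoworld article reports; it is the reputation lookup on the now-verified domain that rejects the message.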

So where are we with Sender ID today? John Hogan at SearchWin2000 sums up the current situation.

“The open source community’s mistrust of Microsoft cuts so deep, it appears that nothing will be able to heal the wound. Not even a royalty-free protocol to help fight spam.

Currently winding its way through the standards process at the Internet Engineering Task Force, Sender ID took a slap to the face late last week when the Apache Software Foundation issued a statement that it would not support the protocol because of intellectual property concerns. The Debian project, a fellow open source organization

Apparently, the terms of the free Sender ID license are agreeable to the likes of America Online, IronPort and about 50 companies — including DoubleClick — that are part of the Email Service Provider Coalition. Yet open source proponents are adamant that the license terms are a bad deal and are against everything they stand for.

…some technology analysts say Sender ID will likely be widely adopted, even if open source doesn’t back it.”

This last sentiment is echoed by some analysts, according to Margie Semilof.

“Analysts said it doesn’t really matter whether these organizations are on board because Sender ID will be adopted anyway, and it will happen quickly. “If IBM, Microsoft and Sendmail are using it, then it’s less of an issue,” said Mark Leavitt, a research analyst at International Data Corp., a Framingham, Mass.-based market research firm….

“If [open source contingents] don’t support [Sender ID] it won’t cripple the fight against spam,” Leavitt said. “Sender ID won’t solve the fight against spam either.”

Other analysts agreed. “This thing will be adopted and major ISPs will run it — and that’s where it will have the most effect,” said Jonathan Penn, a principal analyst at Forrester Research, in Cambridge, Mass.

“If Apache doesn’t want to implement it, fine. People will just go somewhere else.””

Anyway, I don’t get spam, I use RSS ;-).


Comments (4)

  1. Robert says:

    How do we get rid of spamming?

    Every day we are getting huge spam on our websites as well as Blogs which were created for something else. Is there any tool/software to get rid of that?

    Please suggest a solution.

    Robert

  2. Jeff Atwood says:

    RSS has absolutely nothing to do with spam. This is the same ridiculous crazy idea that Clay Shirky was promoting.

    The current approaches of Bayesian filtering ( http://www.popfile.com ), human-entry-only whitelists ( http://www.spamarrest.com ), plus all the emerging SenderID/authentication stuff... together those should provide a workable solution.

  3. A reader says:

    What does Apache have to do with implementing email sender id or spf?

    Also, Sendmail, in addition to being available as a commercial product, is released as open source as well….

    I’m not sure that "open" standards should be encumbered by ip to the point where you need a license to implement the "open" standard…