Microsoft Should Open-Source Anti-Spam TechnologyMicrosoft Should Open-Source Anti-Spam Technology

If Microsoft is serious about using sender authentication to block spam, phishing and viruses, the company needs to release its Sender ID technology into open source.

Sender ID is Microsoft technology for identifying the sender of an e-mail message. According to advocates fo the technology, spam, viruses, and phishing work because the senders of an e-mail messages can put whatever address they like in the "from" line of a message. The recipient has no way of knowing if the message really came from [email protected], [email protected] or whatever address the message appears to be from.

Sender authentication alone won't stop spam, viruses and phishing, but it's a start. It'll enable users to reliably identify messages from known, good senders, and then put the others aside into a queue of potential spam and other bad mail, to be managed accordingly. Some users will run the questionable mail through filters, others will simply delete it unread.

In order for Sender ID to work, it has to see widespread adoption and, in order for that to happen, Sender ID has to be integrated into all the common e-mail server platforms. And that's the problem.

The open-source Apache Software Foundation said last week it won't support Sender ID because the licensing terms set by Microsoft are too strict.

According to the report by TechWeb News: "The foundation said the 'nontransferable' language in Microsoft's license, as well as its prohibitions on sub-licensing of the technology, made the software maker's terms unacceptable to the open-source development process." Apache projects include the web server of the same name, as well as the popular open source spam filter SpamAssassin.

For Sender ID to be successful, the technology needs the support of all e-mail software makers, not just the vendors of proprietary software. Microsoft needs to work with open source software creators to get Sender ID incorporated into open source e-mail packages.

That's not the only problem with Sender ID.

Identifying the domain that e-mail comes from is nice, that doesn't tell you who actually sent the mail. Sender ID would stop phishers from sending e-mail that appears to come from citibank.com. But what's to stop phishers from registering variations on the CitiBank name and trapping victims that way? If you got an e-mail from citibank-customer-service.com, how would you know whather it's legitimate?

And I've heard it said that Sender ID doesn't really solve any problems at all, that e-mail recipients can already identify the sender of a message using clues in the message headers and envelope. I have to admit I don't quite understand those points; if someone can explain it to me in small words, suitable for a small child, idiot, or a journalist, I'd appreciate it.