• United States

Microsoft agrees to merger of anti-spam efforts

May 31, 20043 mins
DNSEnterprise ApplicationsMalware

Company's Caller ID proposal will be melded with Sender Policy Framework.

Microsoft has agreed to merge its recently announced Caller ID anti-spam proposal with another, called Sender Policy Framework.

Microsoft has agreed to merge its recently announced Caller ID anti-spam proposal with another, called Sender Policy Framework.

The company reached an agreement with SPF’s author, Meng Weng Wong, to roll the two proposals into one specification. The finished specification will be published in June and submitted to the IETF standards group for evaluation. If adopted, the specification will provide a way to close loopholes in the current system for sending and receiving e-mail that let e-mail senders fake, or spoof, the origin of their messages, Microsoft says.

The joint specification, which does not have a name, caps months of discussions between Wong, co-founder and CTO at, and Microsoft. The proposal is intended to resolve conflicts between two similar plans for stopping domain spoofing, a common tactic of those who send spam.

Microsoft Chairman and Chief Software Architect Bill Gates unveiled Caller ID in March. The proposed standard asks e-mail senders to publish the IP address of their outgoing e-mail servers as part of an XML format e-mail “policy” in the DNS record for their domain. E-mail servers and clients that receive messages check the DNS record and match the “from” address in the message header to the published address of the approved sending servers. E-mail messages that don’t match the source address can be discarded, Microsoft says.

SPF also requires e-mail senders to modify DNS to declare which servers can send mail from a particular Internet domain. However, SPF only checks for spoofing at the message transport, or envelope, level, verifying the “bounce back” address for an e-mail, which is sent before the body of a message is received and tells the receiving e-mail server where to send rejection notices.

Under the merger proposal, organizations that send e-mail will publish the addresses of their outgoing e-mail servers in DNS using XML. Companies will be able to check for spoofing at the envelope level, as proposed by SPF, and in the message body, as proposed by Microsoft. That will allow companies to use the SPF method to reject spam messages before they are sent, if spoofing is detected at the message envelope. For messages that require a deeper inspection of the message contents, the Caller ID method can be used, Microsoft says.

Roberts is a correspondent with IDG News Service’s Boston bureau.