Microsoft is launching a Coordinated Spam Reduction Initiative (CSRI) that includes technical specifications for the establishment of Caller ID for E-mail, said Bill Gates in a keynote address at the RSA Conference 2004 in San Francisco. Microsoft’s “Caller ID for E-Mail” proposal aims to eliminate domain spoofing and increase the effectiveness of spam filters by verifying what domain a message came from — much like how caller ID for telephones shows the phone number of the person calling. The proposal involves three steps to authenticate a sender:
1. E-mail senders, large or small, publish the IP addresses of their outbound e-mail servers in the Domain Name System (DNS) in a format described in the Caller ID for E-Mail specification.
2. Recipient e-mail systems examine each message to determine the purported responsible domain (i.e., the Internet domain that purports to have sent the message).
3. Recipient e-mail systems query the DNS for the list of outbound e-mail server IP addresses of the purported responsible domain. They then check whether the IP address from which the message was received is on that list. If no match is found, the message has most likely been spoofed.
In a pilot implementation of Caller ID for E-mail system, Microsoft’s Hotmail will begin publishing outbound IP addresses today and will begin checking inbound addresses early this summer.
As outlined in its CSRI proposal, Microsoft supports the development of reasonable behavior policies for sending commercial e-mail, similar to the policies of behavior that organizations such as TRUSTe. Microsoft believes independent e-mail trust authorities (IETAs) should be established to certify and monitor high-volume e-mail senders for compliance with such policies. For small organizations that might be able to afford the services of IETAs, Microsoft proposes that noncertified organizations pay a few seconds in computer cycles instead of cash for each message sent. http://www.microsoft.com
