[Mimedefang] Integrating SPF...

Mark admin at asarian-host.net
Wed Mar 30 11:35:31 EST 2005 

> -----Original Message-----
> From: mimedefang-bounces at lists.roaringpenguin.com 
> [mailto:mimedefang-bounces at lists.roaringpenguin.com] On 
> Behalf Of Alan Premselaar
> Sent: woensdag 30 maart 2005 6:58
> To: mimedefang at lists.roaringpenguin.com
> Subject: Re: [Mimedefang] Integrating SPF...

> > One other thing (feel free to email me off list), what is 
> > the difference  between Sender ID and using SPF records?
> > Or are they the same thing....

Perhaps this recent letter (see below) Julian Mehnle sent to
"Der Spiegel" may explain a few things (the letter is his, I just
translated it from German).

- Mark 
 
        System Administrator Asarian-host.org
 
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx




-----Original Message-----
From: Julian Mehnle [mailto:julian at mehnle.net]
Sent: Saturday, 26. March, 2005 03:05
To: spiegel_online at spiegel.de
Cc: frank_patalong at spiegel.de
Subject: Ihre Artikel zu Spam/Absenderfaelschung
    (Authentifizierungstechnologien "Sender-ID"/"SPF")



---------------------------------------------------
Dear Mirror/Networld editors,

In the last months you have published two articles in the "Networld"
division, dealing with spam and sender-forgery:

*  Bill Gates: Change of course in the battle against spam (June 29,
   21004)
   http://www.spiegel.de/netzwelt/technologie/0,1518,306341,00.html

*  Internet security: AOL sets in on the Code-Card (September 29, 2004)
   http://www.spiegel.de/netzwelt/technologie/0,1518,319053,00.html

In the first article you report about both Microsoft's
authentication-technology "Sender-ID", based on its predeccesor
"Caller-ID", and the standardization-attempts within the framework of The
Internet Engineering Task Force, IETF.

In the second article you report that AOL and other companies "[will] not
adopt the by Microsoft promoted 'Sender-ID' initiative, which Microsoft
has filed patent for," and that AOL "[will] soon use a 'free technology'
-- read: patent-unencumbered, for which no licence fees are to be paid.
The IETF was also working on such a system."

In the following [paragraphs] I would like to add a few things, as well as
briefly outline the state of development to date.

As co-organizer of the SPF-Project[1], I would like to point out to you,
that Microsoft's "Sender-ID" technology is not based on Microsoft's
"Caller-ID", but actually in large on the free technology "SPF" ("Sender
Policy Framework"), to which AOL also refers in their second article. SPF,
in turn, is based on several earlier ideas by various Internet-experts,
but essentially exists in its current form since 2003.

As already indicated in your first article, these technologies make it
possible for domain owners to publish a record of computers that are
allowed to use these domains as sender-address. This record (the so-called
Sender-Policy) can be applied by E-mail receivers to recognize address
forgeries. Between 2003 and today already over 750,000 of such
Sender-Policies were published, based on SPF records.

In the second half of the last year, there was indeed a several months
long attempt, within the framework of the IETF, to come to a rapid mutual
Standard on the basis of several "competing" proposals (SPF, Caller-ID,
and later Sender-ID, among others). At first, everything (including the
SPF-project) was geared towards Microsoft's heavily building on SPF
Sender-ID proposal, until it became known that Microsoft had filed patent
for several further than SPF going elements of its proposal.

After considerable discord, within the responsible IETF workgroup (called
MARID), on whether such a core Anti-SPAM and E-mail authentification
standard should be patented, the whole thing was called off, and the
workgroup disbanned.

Microsoft continues to push its own Sender-ID methodoly alone, ever since,
and has arranged for it to be reviewed by the IETF again. The SPF Project
has done likewise for its (unpatented) traject. As Sender-ID,
conceptually, and 'materially' builds on SPF, Microsoft has now taken the
liberty to fall back on the many already published SPF
Sender-Policies--even though it is, because of small differences in
application, technically unsound.

Nevertheless Microsoft tries to 'cash in on' SPF, not just technically,
but also marketwise. Among other things, on the Microsft website[2], and
in a recent press release[3], the impression is given as if SPF were
nothing more than an integral part of Sender-ID, and that the 750,000
published SPF-records effectively belong to Sender-ID. The SPF Poject
expressly opposes this (mis)representation[4].

Perhaps you would now like to take the opportunity, in a follow-up
article, to examine the matter a bit further, and to shed some light on
the development to-date and the current situation. I am, of course,
readily available for further questions.

With kind regards,

Julian Mehnle.

Footnotes:
 1. http://spf.pobox.com, http://spf.mehnle.net
 2.
http://www.microsoft.com/mscorp/safety/technologies/senderid/technology.mspx
 3. http://www.microsoft.com/presspass/press/2005/mar05/03-02SIDFPR.asp
 4. http://spf.mehnle.net/Press_Release/2005-03-23.de

More information about the MIMEDefang mailing list