SAN FRANCISCO -- In his quest to kill spam, Microsoft Chief Software Architect Bill Gates Tuesday appealed to security leadership, asking them to adopt his fledgling "Caller ID for E-mail" program.
The multi-tiered project would work much as caller identification for telephones does, which shows the phone number of the person calling. The proposal is part of the Redmond, Wash.-based company's Coordinated Spam Reduction Initiative (CSRI).
"Spam is both a nuisance and a security threat," Gates said to attendees at this week's RSA Conference 2004 here, emphasizing that using white lists, or what Microsoft calls "rich safe-listing" e-mail, is key. "Having e-mail come in, and not really being able to identify where it comes from, this is a huge security hole. And like so many of the standards and protocols that grew up on the Internet in the early days, we need to strengthen these in this environment where there is malicious activity."
Despite heavy industry and government involvement, however, Microsoft is moving ahead with its own plans. The company is calling for system-wide changes to the e-mail infrastructure and asking for high-volume e-mail senders to demonstrate their compliance with reasonable policies and viable alternatives for smaller-scale senders to distinguish themselves from spammers.
"We have some patents around this, we're saying are royalty free, available for everyone to use..." Gates said.
The pilot implementation of Gates' Caller ID for E-Mail is debuting on Microsoft's popular Hotmail service, which began publishing outbound IP addresses this week. The testing will be extended to check inbound addresses on some 100 million free e-mail accounts early this summer.
Gates said the project would then be extended to Microsoft Exchange systems to run filtering.
"So front-ending things with the very latest filtering and proof-type algorithms is something we think that a lot of people would be interested in, and we'll put betas of this out, and get feedback this year to make sure we're doing exactly what people want in the mail scenario," he said.
Partners like Amazon.com, Brightmail and Sendmail are helping out Microsoft with the trials.
In perhaps the most notable of these deals, Mail Transfer Agent (MTA) provider Sendmail is working with Microsoft to distribute a plug-in for its products.
This allows Sendmail MTA users to easily implement Caller ID, so both can send verifiable e-mail, and check sender identity on received e-mail. Sendmail claims over 60 percent of the world's e-mail runs on its MTA.
The proposal involves three steps to authenticate a sender:
- E-mail senders, large or small, publish the Internet protocol (IP) addresses of their outbound e-mail servers in the Domain Name System (DNS) in a format described in the Caller ID for E-Mail specification.
- Recipient e-mail systems examine each message to determine the purported responsible domain (i.e., the Internet domain that purports to have sent the message).
- Recipient e-mail systems query the DNS for the list of outbound e-mail server IP addresses of the purported responsible domain. They then check whether the IP address from which the message was received is on that list. If no match is found, the message has most likely been spoofed.
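The three-step check above, as an added example that is not Microsoft's or Sendmail's code: a constructed dictionary stands in for the DNS-published outbound-server lists (the real record format is defined by the Caller ID for E-Mail specification), the From: address domain is taken as the purported responsible domain (a simplifying assumption), and the connecting IP is matched against the published ranges.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the outbound-server lists a domain publishes in DNS.
# Assumption: a plain mapping of domain -> CIDR ranges; the real Caller ID for
# E-Mail record format is defined by the specification, not modelled here.
PUBLISHED_SENDERS = {
    "example.com": ["192.0.2.0/24", "198.51.100.7/32"],
    "example.net": ["203.0.113.0/26"],
}


def purported_responsible_domain(headers):
    """Step 2: take the domain of the From: address as the purported sender.
    Assumption: the spec's header-selection rules are more involved than this."""
    _, addr = parseaddr(headers.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def lookup_outbound_servers(domain, dns=PUBLISHED_SENDERS):
    """Step 3a: 'query DNS' for the domain's published outbound IP ranges."""
    ranges = dns.get(domain)
    if ranges is None:
        return None
    return [ipaddress.ip_network(r) for r in ranges]


def check_sender(headers, connecting_ip, dns=PUBLISHED_SENDERS):
    """Steps 2-3b: 'pass' if the connecting IP is on the published list,
    'fail' if it is not (likely spoofed), 'none' if the domain publishes nothing."""
    domain = purported_responsible_domain(headers)
    if domain is None:
        return "fail"  # no identifiable sender domain to verify
    networks = lookup_outbound_servers(domain, dns)
    if networks is None:
        return "none"  # nothing published: cannot verify, not proof of spoofing
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in net for net in networks) else "fail"


if __name__ == "__main__":
    legit = {"From": "Alice <alice@example.com>"}
    print(check_sender(legit, "192.0.2.25"))                            # pass
    print(check_sender(legit, "10.0.0.5"))                              # fail
    print(check_sender({"From": "bob@unlisted.example"}, "10.0.0.5"))   # none
```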
It's a bold move to be sure, as previous attempts by Microsoft to curb spam have been more reactionary. Still, Gates said he felt committed, as the majority of e-mail moves through Outlook or Outlook Express and executable attachments remain the leading means of launching mass-mailing worms and viruses. The company is even reallocating a massive amount of the development resources for its upcoming "Longhorn" OS upgrade to deal with the spam issue.
"There is an immense amount of work here," Gates said. "There are many partnerships and many more to come but we have a commitment to provide this secure networking."