As Microsoft shifts its spam fighting efforts from standards development to installation and adoption, the company is advising IT administrators to better understand their e-mail architectures and to take some basic steps to prevent e-mail forgery.
Large businesses need to start doing some legwork to determine their domain name system records and to know their legitimate outbound servers, said George Webb, general business manager in Anti-Spam Technology and Strategy Group at Microsoft.
The job may take some time, but it's worth it for the long-term benefit, Webb said.
IT administrators should start publishing their Sender Policy Framework (SPF) records, which checks that a sender is authorized to send e-mail from the domain they claim to be from.
Enterprises can publish these records even though a Microsoft-initiated specification at the Internet Engineering Task Force -- the Sender ID Framework -- is not yet completed, Webb said.
Ratification of Sender ID could take anywhere from a few weeks to several months. The specification will be used to counter e-mail spoofing -- using someone else's domain name to send a message. It will also offer some protection against phishing scams -- sending out e-mail that purports to be from a business but is actually an attempt to get users to turn over personal information.
Microsoft has recently created an outreach program to educate its partners about the Sender ID Framework because e-mail server software writers have to create a plug-in to enable the architecture, Webb said. At this time, only Sendmail Inc., Emeryville, Calif., is ready with a plug-in to work with its e-mail servers.
More spam-fighting initiatives
Beyond the Sender ID Framework, Microsoft has several other antispam efforts under way. Microsoft has taken a lead in terms of drafting white papers and policies for legislators to consider when drafting laws around spam, Webb said.
The company has 14 attorneys worldwide who are dedicated to tracking down spammers, he said. Microsoft also has relationships with organizations like Interpol and the FBI -- both of whom assemble evidence to pursue these cases.
"In one year there are already 100 actions in progress and $56 million in judgments," said Webb, who added that more than one-third of the cases are outside of the U.S. and most of the fines have gone uncollected.
Microsoft also helped form the Anti-Spam Technical Alliance more than one year ago to develop best practices and technical recommendations for all companies, vendors and end-user organizations alike.
And Microsoft is investing in new technology to stop spam before it reaches the enterprise edge and must be filtered from legitimate mail. "Filtering has false positives and there are storage costs, so it's a reactive approach," Webb said. "We want to move upstream to stop it before it gets sent."
Computational proof is one concept that is being considered as a way for a sender to take accountability for a message. With proof, the sender must make some sort of computational effort specific to the message or the receiver; the receiver then acknowledges that the proof was performed.
Microsoft is also working on third-party safe lists and certificates as other mechanisms of proof for legitimate senders.