Opinion: Why Sender ID is a non-starter

By Brien M. Posey, Contributor
22 Dec 2004 | SearchExchange.com

Introduction

There are countless phishing scams going on right now. Phishers send official-looking e-mails that appear to come from legitimate companies. Often these messages ask for personal information, such as a credit card, or will offer a special deal on purchasing a product. These e-mails rip off consumers and threaten the reputations of spoofed companies. Sender ID seeks to reduce or eliminate these phishing scams by verifying that messages are sent by a legitimate domain.

How it works

The technology is primarily based on an organization's DNS infrastructure. The basic idea behind it is that the owner of a domain creates an SPF (Sender Policy Framework) record on the DNS server that contains the IP addresses of any servers authorized to send mail from that domain.

When a mail server receives an e-mail, the message contains the IP address of the sending server. The receiving mail server then uses that IP address to query the SPF record for the domain that allegedly sent the message. If the e-mail's IP matches any of the IP addresses in the SPF record, the message is assumed authentic. If the IP address does not match one of the addresses in the domain's SPF record, the e-mail is considered fraudulent; it is then discarded before it can get to the recipient's mailbox.

Issues and considerations

Although I think that Sender ID technology is a good idea, I believe that the concept is fundamentally flawed for several reasons:

  • There are implementation issues.

    Implementation involves companies simply adding records to their DNS servers (of course these records won't actually do anything unless mail recipients are using SPF-aware mail client software). But not everyone is going to create SPF records. AOL announced in September that they will not use Sender ID technology. Many open-source advocates are also refusing to use SPF technology because of disenchantment with Microsoft.

  • SPF technology won't work for some companies.

    I run my business out of my home and my Internet service provider will not allow me to have a static IP address. To get around this problem, I have an ISP host my mailboxes. However, I have an Exchange server in my home that downloads mail every two minutes and places it into an Exchange mailbox. I do this so I can back up my own mail and use some of the antispam products for Exchange.

    The problem is that mail coming into my organization comes into a specific IP address. But mail leaving my organization is coming from whatever address my ISP has assigned me at that moment. So even if I wanted to add an SPF record to my domain I couldn't, because I never know what address will be assigned to my outbound mail server.

    Granted, I do have a weird configuration so the issues that apply to me won't necessarily apply to everyone else.

  • Sender ID is easy to fool.

    The only thing that Sender ID technology does is compare the IP address that sent a message to the IP address on file for the domain from which the message allegedly came. Unfortunately, it is simple to spoof an IP address.

    If spammers want to defeat the Sender ID policy framework, they can simply send e-mail messages to the company that they intend to spoof. If the company replies to a message, spammers can extract the IP address of the company's mail server from the message. They then can spoof the company's domain name and IP address. When the recipient gets the e-mail, it would appear legitimate, because the IP address the message came from matches the IP address in the spoofed company's SPF record.

    This type of scenario leads me to believe that Sender ID technology will actually make messages from spammers appear more credible.

Conclusion

Sender ID technology is actually more of an antifraud mechanism than an antispam mechanism. Reducing spam is simply a byproduct of reducing fraud.

I applaud Microsoft for taking measures to eliminate phishing scams. But at the same time, I believe that Sender ID technology is flawed from the start. I think the only way Sender ID technology could ever become truly useful is if there were a widely accepted way to prevent IP address spoofing.

Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at http://www.brienposey.com.
