Bill Gates Outlines Technology Vision to Help Stop Spam
By Mike Hanlon
June 4, 2004
In his keynote address at the RSA Conference in February 2004, Microsoft Chairman and Chief Software Architect Bill Gates announced a detailed vision and proposals on how technology can be used to help put an end to spam, including an outline of the company's Coordinated Spam Reduction Initiative (CSRI) and technical specifications for Caller ID for E-Mail.
"Spam is our e-mail customers' No. 1 complaint today, and Microsoft is innovating on many different fronts to eradicate it," Gates said.
"We believe that Caller ID for E-Mail and the Coordinated Spam Reduction Initiative will help change the economic model for sending spam and put spammers out of business."
To be more effective in the fight against junk e-mail, filters need additional information that is not available in e-mail messages today.
Microsoft believes some relatively simple but systemwide changes to the e-mail infrastructure are needed to provide greater certainty about the origin of an e-mail message and to enable legitimate senders to more clearly distinguish themselves from spammers.
CSRI is Microsoft's long-range industry plan for dramatically reducing spam through technology. It is based on three proposals to better enable effective filtering:
-- Establish a verifiable identity in e-mail through a caller-ID approach
-- Enable high-volume e-mail senders to demonstrate their compliance with reasonable e-mail policies
-- Create viable alternatives for smaller-scale e-mail senders to distinguish themselves from spammers
Caller ID for E-Mail
Existing spam filters look at an e-mail message's origin to help determine whether it is spam. However, there is currently no guarantee that an e-mail message came from whom it says it did. "Spoofing," or sending e-mail purporting to be from someone it is not, is an increasingly common and relatively simple way for spammers to trick filters.
In addition, this practice can pose a security risk when used to deliver e-mail viruses.
Microsoft has developed the Caller ID for E-Mail proposal to help eliminate domain spoofing and increase the effectiveness of spam filters by verifying what domain a message came from - much like how caller ID for telephones shows the phone number of the person calling.
The proposal involves three steps to authenticate a sender:
1. E-mail senders, large or small, publish the Internet protocol (IP) addresses of their outbound e-mail servers in the Domain Name System (DNS) in a format described in the Caller ID for E-Mail specification.
2. Recipient e-mail systems examine each message to determine the purported responsible domain (i.e., the Internet domain that purports to have sent the message).
3. Recipient e-mail systems query the DNS for the list of outbound e-mail server IP addresses of the purported responsible domain. They then check whether the IP address from which the message was received is on that list. If no match is found, the message has most likely been spoofed.
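The three steps above, as an added illustration that is not Microsoft's code and does not reproduce the record format of the Caller ID for E-Mail specification. The DNS is replaced by an in-memory table of constructed domains and networks, the header precedence used to pick the purported responsible domain is this example's assumption, and the sample messages are constructed. One point the example makes explicit that the steps leave implicit: a domain that has published nothing cannot be checked at all, so the receiver should report "unknown" for it rather than "fail", or every domain that has not adopted the scheme would be rejected.

```python
import email
import email.policy
import email.utils
import ipaddress

# Stand-in for the DNS lookup in step 3: domain -> networks the domain has
# published as its outbound mail servers. Constructed assumption so the
# example runs offline; the real specification defines its own record format.
PUBLISHED_OUTBOUND = {
    "example.com": ["192.0.2.0/24", "198.51.100.25/32"],
    "example.org": ["203.0.113.0/28"],
}

# Header precedence for deriving the purported responsible domain (step 2).
# This order is an assumption of the example: a Resent-* header, when present,
# names the party that last injected the message into the mail system.
PRD_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_responsible_domain(raw_message):
    """Step 2: the domain that purports to have sent the message, or None."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    for name in PRD_HEADERS:
        value = msg.get(name)
        if not value:
            continue
        addr = email.utils.parseaddr(str(value))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def lookup_outbound_networks(domain):
    """Step 3 lookup: the published networks for the domain, or None if unpublished."""
    records = PUBLISHED_OUTBOUND.get(domain)
    if records is None:
        return None
    return [ipaddress.ip_network(r, strict=False) for r in records]


def check_caller_id(raw_message, connecting_ip):
    """Return (verdict, domain) with verdict 'pass', 'fail' or 'unknown'.

    'unknown' covers what the three steps do not decide: no usable sender
    header, or a domain that has published no outbound list.
    """
    domain = purported_responsible_domain(raw_message)
    if domain is None:
        return "unknown", None
    networks = lookup_outbound_networks(domain)
    if networks is None:
        return "unknown", domain
    ip = ipaddress.ip_address(connecting_ip)
    if any(ip in net for net in networks):
        return "pass", domain
    return "fail", domain


# Constructed sample messages (not real traffic).
LEGIT_MSG = b"From: Alice <alice@example.com>\r\nTo: bob@example.org\r\nSubject: hi\r\n\r\nhello\r\n"
SPOOFED_MSG = b"From: Alice <alice@example.com>\r\nTo: bob@example.org\r\nSubject: hi\r\n\r\nclick here\r\n"
RESENT_MSG = b"Resent-From: list@example.org\r\nFrom: alice@example.com\r\nTo: bob@example.org\r\n\r\nfwd\r\n"
NO_RECORD_MSG = b"From: carol@unpublished.example\r\nTo: bob@example.org\r\n\r\nhi\r\n"

if __name__ == "__main__":
    for label, msg, ip in [
        ("legitimate", LEGIT_MSG, "192.0.2.10"),
        ("spoofed", SPOOFED_MSG, "203.0.113.7"),
        ("resent", RESENT_MSG, "203.0.113.7"),
        ("unpublished", NO_RECORD_MSG, "203.0.113.7"),
    ]:
        print(label, check_caller_id(msg, ip))
```

The spoofed message claims example.com but arrives from 203.0.113.7, which example.com never published, so it fails; the forwarded message is judged against example.org, the domain that last handled it, which is why the purported responsible domain is taken from the Resent-* headers before From.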
Microsoft is moving ahead with plans for a pilot implementation of Caller ID for E-Mail in its Hotmail(R) service. Hotmail will begin publishing outbound IP addresses today and will begin checking inbound addresses early this summer. In addition, the company continues to work with others in the industry to test this proposal, including Amazon.com Inc., Brightmail Inc. and Sendmail Inc.
"Amazon.com is working aggressively to combat spoofing on several fronts, and we are committed to collaborating with others in the industry to find effective solutions for the problem of spam," said Larry Hughes Jr., senior manager for IT Security at Amazon.com. "We look forward to working with Microsoft and others in the industry to test their proposals."
"Most spammers disguise the source of their e-mail to evade spam filters and detection," said Enrique Salem, CEO and president of Brightmail, a leading provider of anti-spam technology. "We are excited to join Microsoft in testing this new Caller ID for E-Mail technology to help promote the establishment of verifiable identity in e-mail. We believe that by combining verifiable identity with our Reputation Service, we will improve our best-of-breed anti-spam technology to help legitimate e-mail get delivered while helping keep spam out of users' inboxes."
"Authenticated sender technologies like Microsoft's caller ID are essential to help address fraud and spam in Internet e-mail," said Eric Allman, CTO at Sendmail. "The key to ensuring that these types of technologies are successful is widespread adoption. Sendmail's millions of users -- including more than 70 percent of the Fortune 1000 -- substantially increase the deployment of such technologies. We are excited to work with Microsoft in promoting the acceptance of caller ID as an open standard on the Internet."
Best Practices for Legitimate High-Volume Senders
Not all commercial e-mail is junk. Many regulated businesses including banks, brokerage firms and insurance companies rely on e-mail to contact their customers and provide information about their services. Other organizations such as airlines, news media and a variety of online retail services send legitimate e-mail to their customers. However, today there is no easy way for these businesses to distinguish themselves from spammers.
As outlined in its CSRI proposal, Microsoft supports the development of reasonable behavior policies for sending commercial e-mail, similar to the policies of behavior that organizations such as TRUSTe and others have helped establish in the area of electronic privacy. Microsoft believes that once agreed-upon policies have been developed, independent e-mail trust authorities (IETAs) should be established to certify and monitor high-volume e-mail senders for compliance with such policies.
It is also Microsoft's view that organizations certified by an IETA as complying with good e-mail behavior policies should be easily recognizable by both filtering software and end users via safe lists or digital certificates. Spam filters can interpret possession of a certificate or membership on a safe list as strong evidence that the sender of the message is not a spammer, thus enabling the technology to better distinguish legitimate e-mail from spam.
Alternatives for Smaller Senders
Small organizations need an alternative, inexpensive method to avoid having their e-mail classified as spam, since certification of e-mail policy compliance would necessarily be costly. To address this issue, Microsoft proposes that noncertified organizations pay in computer cycles instead of cash. Spammers must send millions of messages every day to be profitable because response rates are so low, so their computers spend only a small fraction of a second processing each message.
In a spammer's economic model, spending even five or 10 seconds per message could be prohibitively expensive. Smaller organizations, however, that send low volumes of e-mail generally have an abundance of computer processing power available. Although they can't afford to spend cash for a certificate, they can afford to spend a few seconds on each message.
Microsoft has developed a way for noncertified senders to prove that they have indeed spent a few seconds of computer processing time on each message. Spam filters can then recognize that a sender is not a spammer because the sender has demonstrated behavior that would put a spammer out of business.
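The page does not describe the mechanism Microsoft developed for this proof of spent computer time, so the following is an added example of the general idea, not Microsoft's scheme: a hashcash-style computational stamp in which the sender searches for a nonce that makes a SHA-256 hash of the stamp start with a required number of zero bits, and the recipient verifies it with a single hash. The stamp format, field order and the rule that the date must match the receiving day are assumptions of this example. The stamp is bound to the recipient, the day and the message so it cannot be minted once and reused, and the receiver keeps a set of spent stamps to reject replays.

```python
import hashlib
import itertools
import secrets

STAMP_VERSION = "1"


def leading_zero_bits(digest):
    """Number of leading zero bits in a 32-byte SHA-256 digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def mint_stamp(recipient, date, message_id, bits, rand=None):
    """Sender side: search for a nonce so the stamp hashes to >= bits leading zeros.

    Expected work is about 2**bits hash evaluations, paid once per message.
    Fields must not contain ':' (example stamp format, an assumption).
    Returns (stamp, attempts) so the cost paid is visible to the caller.
    """
    rand = rand if rand is not None else secrets.token_hex(8)
    prefix = ":".join([STAMP_VERSION, str(bits), date, recipient, message_id, rand]) + ":"
    for attempts, nonce in enumerate(itertools.count(), start=1):
        stamp = prefix + str(nonce)
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, attempts


def verify_stamp(stamp, expected_recipient, today, min_bits, seen):
    """Receiver side: a few field checks plus one hash.

    `seen` is the receiver's replay set and is updated only on success.
    """
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != STAMP_VERSION:
        return False
    _, bits, date, recipient, _message_id, _rand, _nonce = parts
    if not bits.isdigit() or int(bits) < min_bits:
        return False  # sender declared less work than this receiver requires
    if date != today or recipient != expected_recipient:
        return False  # minted for another day or another inbox: not reusable
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < int(bits):
        return False  # the declared work was not actually performed
    if stamp in seen:
        return False  # replay of a stamp already spent on this receiver
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # 20 bits is roughly a million hashes: seconds of work for one message,
    # prohibitive at a spammer's volume. The values here are constructed.
    stamp, attempts = mint_stamp("bob@example.org", "20040604", "m1@example.com", 20)
    print(attempts, "hashes to mint:", stamp)
    spent = set()
    print("first delivery:", verify_stamp(stamp, "bob@example.org", "20040604", 20, spent))
    print("replayed:", verify_stamp(stamp, "bob@example.org", "20040604", 20, spent))
```

The asymmetry is the whole point: the sender's cost grows as 2**bits while the receiver's stays at one hash, and the receiver sets min_bits to whatever it considers a few seconds on ordinary hardware. A practitioner's caveat: cycles are only a cost to a spammer who pays for them, so the deterrent weakens against senders running on compromised machines.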
Microsoft continues to invest heavily in anti-spam research and development and to look at innovative ways that technology can contribute to helping solve the spam problem for users worldwide. On a broader scale, Microsoft believes it will take a coordinated approach that includes advanced technology, industry self-regulation, consumer education, effective legislation and targeted enforcement against illegal spammers to solve the spam problem. The company remains committed to working with customers, partners, industry, government and law-enforcement agencies around the world to help put an end to spam.
More information on Microsoft's overall anti-spam approach can be found at http://www.microsoft.com/presspass/events/antispam/.
Detailed technical specifications for the CSRI and Caller ID for E-Mail proposals are available for public review and comment at http://www.microsoft.com/spam/.