Sender ID
Sender ID is an anti-spoofing proposal from the former MARID IETF working group that tried to merge Sender Policy Framework (SPF) and Caller ID. Sender ID is defined primarily in Experimental RFC 4406; additional parts are in RFC 4405 (the SUBMITTER SMTP extension), RFC 4407 (the Purported Responsible Address) and RFC 4408 (SPF itself).
Principles of operation
Sender ID is heavily based on SPF, with only a few additions. These differences are discussed here.
Sender ID tries to improve on a principal deficiency in SPF: SPF does not verify the header addresses that indicate the sending party. Such header addresses are typically displayed to the user and are used when replying to an email, and they can differ from the address that SPF verifies. SPF checks only the "MAIL FROM" address, also called the envelope sender, which the recipient normally sees, if at all, only as the Return-Path: header field.
However, several header fields can carry sender information (From, Sender, Resent-From and Resent-Sender), and a message may contain more than one of them. Sender ID therefore defines in RFC 4407 a Purported Responsible Address (PRA) together with a fixed set of rules for deriving that single address from whichever of these fields a message carries.
Syntactically, Sender ID is almost identical to SPF except that v=spf1 is replaced with one of:
- spf2.0/mfrom - meaning to verify the envelope sender address just like SPF.
- spf2.0/mfrom,pra or spf2.0/pra,mfrom - meaning to verify both the envelope sender and the PRA.
- spf2.0/pra - meaning to verify only the PRA.
The only other syntactic difference is that Sender ID offers positional modifiers, a feature not supported in SPF. In practice, no positional modifier has so far been specified in any Sender ID implementation.
In practice, the pra scheme usually only offers protection when the email is legitimate, while offering no real protection in the case of spam or phishing. The pra for most legitimate email will be either the familiar From: header field, or, in the case of mailing lists, the Sender: header field. In the case of phishing or spam, however, the pra may be based on Resent-* header fields that are often not displayed to the user.
To be an effective anti-phishing tool, the MUA will need to be modified to display either the pra for Sender ID, or the Return-Path: header field for SPF.
The pra tries to counter the problem of phishing, while SPF or mfrom tries to counter the problem of spam bounces and other auto-replies to forged Return-Paths. These are two different problems with two different proposed solutions.
Standardization issues
The pra has the disadvantage that forwarders and mailing lists can only support it by modifying the mail header, e.g. by inserting a Sender or Resent-Sender field. The latter violates RFC 2822 and can be incompatible with RFC 822. With SPF, mailing lists continue to work as is. Forwarders wishing to support SPF only need to modify the SMTP MAIL FROM and RCPT TO, not the mail itself. That is not a new concept; with the original RFC 821 SMTP, forwarders always added their host name to the reverse path in the MAIL FROM.
The most problematic point in the core Sender ID specification is its recommendation to interpret v=spf1 policies as if they were spf2.0/mfrom,pra instead of spf2.0/mfrom. None of the SPF drafts published since 2003 intended this, and for an unknown but large number of v=spf1 policies an evaluation for pra can produce bogus results wherever the pra and the MAIL FROM differ, for example after forwarding or on mailing lists, since the domain owner only ever described who may send with its domain in MAIL FROM.
This technical problem (in fact only the four characters ",pra" in the core Sender ID specification) was the basis of an appeal to the Internet Architecture Board (IAB).
In response to an earlier appeal, the IESG had already noted that Sender ID cannot advance on the IETF standards track without addressing the incompatibility with a MUST in RFC 2822.
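The following is an added example and not code from the original page, from Microsoft or from the SPF project. It puts the two preceding points into working code: the PRA derivation of RFC 4407 (simplified: no group syntax, no comment stripping), the RFC 4406 section 4.4 record-selection rule under which a v=spf1 record is reused for the pra scope (also simplified: SPF-type DNS records and the mixed spf2.0/v=spf1 cases are ignored), and a toy policy evaluator that understands only ip4: and all. The `strict` flag is an assumption added here to show the SPF project's reading, in which v=spf1 describes MAIL FROM only. All messages, IP addresses and DNS records are constructed.

```python
"""Simplified Sender ID: PRA selection (RFC 4407), record selection
(RFC 4406 s4.4) and a toy policy evaluator. Added example; constructed data."""
import ipaddress
from email import message_from_string
from email.utils import getaddresses

RESULT = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def purported_responsible_address(raw_message):
    """Pick the PRA after RFC 4407 (simplified): Resent-Sender, then Resent-From,
    then Sender, then From. Returns None when the PRA cannot be determined."""
    headers = [(n.lower(), v) for n, v in message_from_string(raw_message).items()]
    chosen = None
    for idx, (name, value) in enumerate(headers):
        if name == "resent-sender" and value.strip():
            # Step 1: a Resent-Sender preceded by a non-empty Resent-From is skipped.
            if not any(n == "resent-from" and v.strip() for n, v in headers[:idx]):
                chosen = value
            break
    if chosen is None:
        for field in ("resent-from", "sender", "from"):
            values = [v for n, v in headers if n == field and v.strip()]
            if not values:
                continue
            if field != "resent-from" and len(values) > 1:
                return None  # Steps 3-4: several Sender/From fields, undetermined.
            chosen = values[0]
            break
    if chosen is None:
        return None
    mailboxes = [addr for _, addr in getaddresses([chosen]) if addr]
    return mailboxes[0].lower() if len(mailboxes) == 1 else None  # Step 5: one mailbox.


def select_record(txt_records, scope, strict=False):
    """RFC 4406 s4.4, simplified: an spf2.0 record naming the scope wins; otherwise a
    v=spf1 record is used for either scope. strict=True (assumption added here) makes
    v=spf1 serve mfrom only, the reading the SPF project argued for."""
    for rec in txt_records:
        version = rec.split(" ", 1)[0]
        if version.startswith("spf2.0/") and scope in version[len("spf2.0/"):].split(","):
            return rec
    if strict and scope != "mfrom":
        return None
    for rec in txt_records:
        if rec.split(" ", 1)[0] == "v=spf1":
            return rec
    return None


def evaluate(record, client_ip):
    """Toy evaluator: only ip4:<addr|cidr> and the all mechanism are understood."""
    if record is None:
        return "None"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, include, exists, redirect... are ignored in this toy.
        if matched:
            return RESULT[qualifier]
    return "Neutral"


def check(scope, raw_message, mail_from, client_ip, dns, strict=False):
    """Run the mfrom or pra scope; dns maps a domain to its list of TXT records."""
    address = purported_responsible_address(raw_message) if scope == "pra" else mail_from
    if address is None:
        return "PermError"  # RFC 4407: no usable PRA.
    domain = address.rpartition("@")[2].lower()
    return evaluate(select_record(dns.get(domain, []), scope, strict), client_ip)


# Constructed data: example.com publishes only a v=spf1 record for its own MTA.
DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.10 -all"],
    "forwarder.example.net": ["v=spf1 ip4:198.51.100.0/24 -all"],
}
# A forwarder rewrote MAIL FROM (SRS style) and left the header untouched.
FORWARD_MAIL_FROM = "srs0=x1=example.com=alice@forwarder.example.net"
FORWARDED = """Return-Path: <srs0=x1=example.com=alice@forwarder.example.net>
From: Alice <alice@example.com>
To: bob@example.org
Subject: hello

hi
"""
# A mailing list added a Sender: field, so the pra becomes the list address.
LIST_MESSAGE = """From: Alice <alice@example.com>
Sender: announce-bounces@lists.example.net
To: announce@lists.example.net
Subject: hello

hi
"""

if __name__ == "__main__":
    ip = "198.51.100.7"  # the forwarder's MTA
    print(purported_responsible_address(LIST_MESSAGE))  # announce-bounces@lists.example.net
    print(check("mfrom", FORWARDED, FORWARD_MAIL_FROM, ip, DNS))  # Pass
    print(check("pra", FORWARDED, FORWARD_MAIL_FROM, ip, DNS))  # Fail: v=spf1 reused for pra
    print(check("pra", FORWARDED, FORWARD_MAIL_FROM, ip, DNS, strict=True))  # None
```

The forwarded message is the case the appeal was about: its MAIL FROM passes, but once the receiver evaluates example.com's v=spf1 record for the pra scope the same legitimate message fails, because example.com never said anything about who may put its addresses in From:. A receiver that treats v=spf1 as mfrom-only returns None for pra instead, leaving the decision to other checks.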
Intellectual property
The Sender ID proposal was the subject of controversy regarding intellectual property licensing issues: Microsoft holds patents on key parts of Sender ID and used to license those patents under terms that were not compatible with the GNU General Public License and which were considered problematic for free software implementations in general. On October 23, 2006, Microsoft placed those patents under the Open Specification Promise, which is compatible with free and open source licenses, but not with the most recent version of the GPL, version 3.
See also
- Email authentication overview
- MARID (IETF WG in 2004)
- DKIM
- DomainKeys
External links
- Sender ID Framework, Microsoft Corporation
- http://www.microsoft.com/senderid: SIDF resources and tools, including an SPF wizard.
- ASF Position Regarding Sender ID, statement from the Apache Software Foundation
- IAB appeal about Sender ID's reuse of v=spf1 for PRA, from the SPF project (2006).
- Debian project unable to deploy Sender ID, statement by the Debian project
- IETF Decides on SPF / Sender-ID issue, coverage and discussion on Slashdot
- Is Sender ID Dead in the Water? - No MARID Working Group Consensus, coverage and discussion on Groklaw
- MARID Co-Chairs Clarify Consensus Statement
- MARID to close, mailing list thread.
- Sender ID: A Tale of Open Standards and Corporate Greed?
- Use Sender ID or we'll junk you, says Microsoft: Hotmail and MSN to 'Junk' mail without Sender ID
- "SPF: SPF vs Sender ID"