Sender ID Finds Followers Ahead of Approval Software Vendors Jump the Gun on Implementing the Anti-Spam Protocol Jim Wagner
As a new Sender ID specification for beating back spam wends its way through the Internet Engineering Task Force (IETF), some e-mail software vendors are not waiting around for its final approval before implementing the system.
They could be taking a gamble. Or they could be acting in confidence that the IETF will eventually bless a specification that will be used on e-mail
systems throughout the world.
One of the contributors to the Sender ID specification, Microsoft, has patents pending on certain components of the Sender ID technology it has donated to the IETF's efforts. Microsoft has repeatedly said that — even if it is granted a patent on the technology — it would "make licenses available on reasonable and non-discriminatory terms."
But the issue has some in the open source world talking.
The drive in the business community to press ahead with Sender ID comes at a time when some in the open source community are claiming the licensing stipulations around Sender ID don't interoperate with the most popular open source license variant, the General Public License (define).
The finalized version of Sender ID, a combination of Microsoft's Caller ID for E-Mail specification and Meng Weng Wong's popular Sender Policy Framework (SPF), is expected to move on to the IETF's steering group (following the close of comments in this round) for further approval as a proposed standard within the IETF. From there, perhaps by the fall, the IETF is expected to bless the new proposed standard as a way to combat the ever-rising spam and phishing (define) attempts that bedevil so many e-mail servers today.
Early Adopters Include CipherTrust, Symantec, and Sendmail
That may explain why some companies are moving ahead with Sender ID deployments now to cut down on the number of phishing and spoofing (define) attacks that are holding large companies hostage.
"It's getting to the point where they cannot even send legitimate e-mails out anymore," said Paul Judge, chief technology officer at CipherTrust, a
secure messaging software vendor. "So, you think that you're one of the most powerful organizations in the world and you've been crippled so that you simply cannot send out e-mails to your customers; think of the damage phishers can do to disable a brand like that."
CipherTrust is one of several vendors that signed onto the Sender ID bandwagon. It said Tuesday it would support the specification in the next version of its IronMail e-mail authentication application, due out in October. Others moving to the Sender ID specification with application
support include Symantec, VeriSign, and IronPort.
Also adopting Sender ID is Sendmail, which makes a commercial version of the venerable open source Sendmail message transfer agent (define), a project that predates the other popular open source MTAs — qmail, postfix,
and exim.
Officials from the vendor announced an open source plug-in module as part of their Messaging Integrity Pilot Program, in order to test and assess its implementation of Sender ID in the wild.
Dave Anderson, Sendmail's CEO, said the plug-in will be available under its Sendmail Open Source License, which lets users modify the original source code as long as the modifications are donated back to the open source community. If customers decide they would rather work the code how they see fit and not contribute the changes under the open source license, they can buy a license from Sendmail, Anderson said.
Anderson is also part of a group of companies not concerned that the Microsoft-sponsored specification could one day be awarded patents by the U.S. Patent & Trademark Office (USPTO). Right now, the technology is patent pending, which means no company is under obligation to sign a license to use Sender ID.
"If you read the Microsoft license it grants you some rights but you also accept some obligations," he said. "What you get [with the license] is the ability to use the software for free, and if you don't get a license what you get is the ability to use this software for free — so we've
decided there really is no reason for us to get a license."
Microsoft's FAQ sheet on the Sender ID license states that because the company is not aware of any issued patents on the technology, no license is required. And even if Microsoft should win its patent claim through the USPTO, "Microsoft has disclosed that if such claims are granted, Microsoft will make licenses available on reasonable and non-discriminatory terms."
Plus, several individuals posting to the IETF's MARID (MTA Authorization Records in DNS) working group discussion contend Microsoft's claims for its
patent are part of "prior art" and, as such, not eligible for patent.
Anderson said that while he doesn't want people to take his company's decision not to sign a license agreement as an indicator that other companies shouldn't, he said Sendmail's decision should allay some fears.
"Why would I want to get a license that has some additional constraints in it if it's already free? To me, that's a pretty simple business decision."
