Spammers

07Sep04

I haven’t said anything about spam in a while. I’ve stopped keeping track of my monthly intake, no longer look for false positives, and generally just don’t care. These days most of my personal mail goes to an address protected by Challenge-Response, and much of my other wanted mail has been manually whitelisted within POPFile. I rarely see a spam message and that is all that matters.

A ComputerWorld article on spammers using sender authentication (SPF / Sender ID) has gotten a lot of play but completely misses the point. SPF isn’t meant to stop spam, it’s meant to stop domain forgery and the problems that forgery causes for non-spamming domain owners. See Joe Job. From that perspective SPF is working exactly as it was intended. In theory, spammers implementing SPF is actually a good thing — they have to publish a list of their SMTP servers, making them easier to shut down. If the spammers start using wildcard SPF records that cover huge IP spaces to cover their tracks then we can start using that as a spam indicator, another good thing. In the long run spammers will be hurt by publishing SPF records and they will eventually move on to the next technique for filter avoidance.
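One way a filter could score the "huge IP space" signal described above, as an added example that is not from the original post: it parses the `v=spf1` record syntax and measures how much IPv4 space the record authorizes. The function names, the /16 threshold and the sample records are assumptions made for illustration.

```python
import ipaddress

# Assumed cut-off for this example: more than a /16 of IPv4 space is "broad".
BROAD_THRESHOLD = 2 ** 16

def spf_ipv4_coverage(record):
    """Return (authorized IPv4 address count, has_pass_all) for one SPF record.

    Only literal ip4 mechanisms and "all" are evaluated; include, a, mx and
    redirect need DNS lookups and are skipped here.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, pass_all = [], False
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if qualifier != "+":
            continue                         # fail/softfail/neutral authorize nobody
        name, _, value = term.partition(":")
        if name.lower() == "all":
            pass_all = True
        elif name.lower() == "ip4" and value:
            nets.append(ipaddress.IPv4Network(value, strict=False))
    # Merge overlapping or adjacent ranges so no address is counted twice.
    total = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total, pass_all

def is_overbroad(record, threshold=BROAD_THRESHOLD):
    """True when the record passes everyone or authorizes more than threshold."""
    total, pass_all = spf_ipv4_coverage(record)
    return pass_all or total > threshold

# Constructed sample records (documentation address ranges, not real domains).
SAMPLES = {
    "tight": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
    "split-wildcard": "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 ~all",
    "plus-all": "v=spf1 +all",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, spf_ipv4_coverage(rec), is_overbroad(rec))
```

The result is best treated as one scoring input alongside others, since a large legitimate sender can also publish wide ranges.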

Sender ID is also in the news because the Apache Software Foundation and Debian Project have rejected it due to Microsoft’s licensing terms (PDF). Sender ID is what the IETF’s MADRID Working Group is working on, which makes it a big deal because the IETF publishes Internet Standards like RFC 821 which started this whole mess. Sender ID merges Microsoft’s earlier Caller ID for E-mail proposal with SPF and another specification called Submitter Optimization.

This isn’t the first time that IP licensing has clashed with a standards process but it may be the most visible. The good news is that this issue can be routed around — the patent application that Microsoft disclosed applies to a portion of Sender ID that is of lesser value and easily removed. I think that the MADRID WG should move ahead with SPF and take this opportunity to send a message to Microsoft: Taking part in a standards process means playing nice with Open Source.

Core Internet standards must not be encumbered by IP licenses that threaten Open Source implementations. Microsoft deserves to take a PR hit over this, but so does the IETF for not making that their stated policy. RAND / Royalty-Free is not good enough for standards that must be widely deployed.
