Microsoft opens Sender ID, announces plans to share virus samples

By Dennis Fisher, Executive Editor 25 Oct 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft Corp. is continuing to beat the drum on security in its long run-up to the release of Windows Vista early next year. On Tuesday, the company's top security executive said in a keynote speech at the RSA Conference Europe in Nice, France, that Microsoft is now making its Sender ID Framework for email authentication freely available and will also develop a program for sharing malware samples with its security partners.

I think this was an opportunity for Microsoft to make it even clearer to the community that this was something they wanted the community to use. Paul Judge, chief technology officer, Secure Computing Corp.

Sender ID, which Microsoft developed in conjunction with several security vendors, is now available under the company's Open Specification Promise (OSP) program . The OSP is essentially a promise from Microsoft not to sue anyone who uses Sender ID to build their own products. The framework is designed to verify that an email message originated from the mail server that it claims to have been sent from to reduce spam.

Microsoft accomplishes this by looking up the address of the sending server and checking the address against a list of authorized mail servers that the domain owner has published. The plan relies on help from ISPs, which actually perform the checks, and from domain owners, who must provide the lists of authorized mail servers. Sender ID has been deployed in a number of places for more than two years and Microsoft, of Redmond, Wash., claims upwards of 5 million domain holders have adopted it. It also has been approved as an Experimental Request for Comment (RFC) by the Internet Engineering Task Force .

By making the framework available under the OSP, Microsoft hopes to encourage vendors to build products that use Sender ID and help push it forward as a standard in the fight against spam and phishing.

Others involved in the fight against spam say that Microsoft's decision to make the Sender ID Framework available under the OSP is less about the technology itself than it is about sending a message to the rest of the security community.

"I think most vendors have deployed Sender ID in their products already because Microsoft had said in the past that it wouldn't enforce the intellectual property rights on it," said Paul Judge, chief technology officer at Secure Computing Corp., a San Jose, Calif., maker of mail security appliances.

Secure Computing, which acquired Judge's former company, CipherTrust, this summer, supports Sender ID in its offerings and Judge has been involved in the anti-spam effort.

"I think this was an opportunity for Microsoft to make it even clearer to the community that this was something they wanted the community to use," Judge said. "It's something that has a fair amount of value."

More on email security: Book excerpt: Avoid phishing with e-mail authentication: Sender ID Quiz: Do you have a firm e-mail security foundation? Opinion: It's time to fix AV warning messages Learning guide: Understanding Your Authentication Options

The Sender Policy Framework, an open standard developed by Meng Wong was merged in 2004 with Microsoft's Caller ID to form Sender ID. The merger has enabled the standards to become better understood by the community, resulting in greater use, Judge said. A separate SPF effort, Openspf.org , still operates independently. But neither of these efforts is ever going to stop spam outright, Judge said.

"There was some misunderstanding that SPF and Sender ID were a magic potion that would end spam," he said. "It's been great for stopping phishing and it's very good at what it's focused on."

In his keynote speech at the conference, Ben Fathi, corporate vice president of the Security Technology Unit at Microsoft, also announced the beta 2 release of Certificate Lifecycle Manager. CLM helps enterprises manage large infrastructures that rely on digital certificates and smart cards. Gemalto, a large smart-card provider, announced support for the new technology.

Fathi also confirmed that Microsoft will be including the CardSpace technology—formerly known as InfoCard—in Vista. CardSpace enables users to establish multiple digital identities for use in various contexts online.

Microsoft is currently not providing details about the new malware sharing program, except to say that it will outline plans in December. Mark Miller, who took over as director of the Microsoft Security Response Center in early October, said the company is working out the frequency of the sample distribution, what form it will take and how organizations that aren't members of the Microsoft Security Response Alliance can get information on it.

"We basically made the decision to do this because we have the samples and it's another way for us to help protect the ecosystem of PCs out there," Miller said.

Currently, Microsoft shares malware samples with the members of its Virus Information Alliance on an as-needed basis.

Tags: Email Security Guidelines, Encryption and Appliances,  Email and Messaging Threats (spam, phishing, instant messaging),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email Security Guidelines, Encryption and Appliances How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Cisco offers more email security choices, but lacks vision Email and Messaging Threats (spam, phishing, instant messaging) Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Phishing attacks to remain a major problem, say security experts Barracuda acquires Purewire expanding Web security reach FBI raids phishing crime ring, nearly 100 arrested Massive phishing scheme affects Microsoft Hotmail accounts Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary asymmetric cryptography  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) cryptographic checksum  (SearchSecurity.com) data encryption/decryption IC  (SearchSecurity.com) elliptical curve cryptography  (SearchSecurity.com) Escrowed Encryption Standard  (SearchSecurity.com) MPPE  (SearchSecurity.com) Quiz: Cryptography  (SearchSecurity.com) session key  (SearchSecurity.com) Twofish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary