Sendmail trials Sender ID

Sendmail on Monday released the first implementation of a mail filter that uses Sender ID, an anti-spam technology currently being considered by the Internet Engineering Task Force (IETF).

Sender ID is a combination of the earlier Sender Policy Framework (SPF), invented by Meng Wong of pobox.com, and Microsoft's Caller ID proposal. The system aims to reducing the quantity of spam emails sent across the Internet by checking who they claim to be from.

The plug-in mail filter, or "milter" in Sendmail jargon, works with the open source and commercial versions of Sendmail, but is still considered pre-release software at this stage.

"Sendmail's Sender ID milter is a major weapon in the war on spam," said Meng Wong in a statement.

"Now, system administrators everywhere can evaluate this promising new technology themselves and easily adapt it to their needs," Wong added.

Sender ID uses records in the Domain Name System (DNS) to authenticate the sender of an email message. Most spam and messages sent by viruses use spoofed sender email addresses, making it more difficult to trace where they're sent from. With Sender ID, you can tell which messages come from forged addresses and reject them, often before the message body is sent. While this won't stop spam entirely, it will make life more difficult for mass-mailers, and as part of a series of measures may see our inboxes get less junk mail.

Sender ID has been submitted to the IETF's awkwardly named MTA Authorization Records in DNS (marid) working group which is supervising this area of anti-spam standards, but faces competition from the similar DomainKeys system, created by Yahoo. DomainKeys uses public-key cryptography as part of its authentication, which may prevent some types of attack on the system, but makes deployment slightly harder.

DomainKeys also can't reject a message before the whole body has been received, one of Sender ID's advantages. Both systems require system administrators to publish special records for their domain that are used to authenticate messages apparently sent by that domain.

Sendmail has also released a trial milter for DomainKeys, but isn't pushing the alternative technology as hard. However, it is possible for both systems to work side-by-side.

Microsoft has already started checking incoming mail to its own servers, and those of MSN and Hotmail using Sender ID. While it's not rejecting messages that fail checking at present, it is subjecting such messages to a higher level of scrutiny than those that pass.