Sender ID is a historic anti-spoofing proposal from the former MARID IETF working group that tried to join Sender Policy Framework (SPF) and Caller ID. Sender ID is defined primarily in Experimental RFC 4406, but there are additional parts in RFC 4405, RFC 4407 and RFC 4408.


Principles of operation

Sender ID is heavily based on SPF, with only a few additions. Sender ID tries to improve on SPF: SPF does not verify the header addresses (of which there can be more than one) that indicate the claimed sending party. One of these header addresses is typically displayed to the user and may be used to reply to emails. These header addresses can be different from the address that SPF tries to verify; that is, SPF verifies only the "MAIL FROM" address, also called the envelope sender. However, there are many similar email header fields that all contain sending party information; therefore Sender ID defines in RFC 4407 a Purported Responsible Address (PRA) as well as a set of heuristic rules to establish this address from the many typical headers in an email.

Syntactically, Sender ID is almost identical to SPF except that v=spf1 is replaced with one of:

* spf2.0/mfrom, meaning to verify the envelope sender address just like SPF.
* spf2.0/mfrom,pra or spf2.0/pra,mfrom, meaning to verify both the envelope sender and the PRA.
* spf2.0/pra, meaning to verify only the PRA.

The only other syntactical difference is that Sender ID offers the feature of ''positional'' modifiers, not supported in SPF. In practice, so far no ''positional'' modifier has been specified in any Sender ID implementation.

In practice, the ''pra'' scheme usually only offers protection when the email is legitimate, while offering no real protection in the case of spam or phishing. The ''pra'' for most legitimate email will be either the familiar From: header field or, in the case of mailing lists, the Sender: header field. In the case of phishing or spam, however, the ''pra'' may be based on Resent-* header fields that are often not displayed to the user. To be an effective anti-phishing tool, the MUA (Mail User Agent or Mail Client) will need to be modified to display either the ''pra'' for Sender ID or the Return-Path: header field for SPF.

The ''pra'' tries to counter the problem of ''phishing'', while SPF or ''mfrom'' tries to counter the problem of spam bounces and other auto-replies to forged Return-Paths: two different problems with two different proposed solutions. However, Sender ID and SPF yield the same result in approximately 80% of cases, according to an analysis of a billion messages.


Standardization issues

The ''pra'' has the disadvantage that forwarders and mailing lists can only support it by modifying the mail header, e.g. by inserting a Sender or Resent-Sender. The latter violates RFC 2822 and can be incompatible with RFC 822. With SPF, mailing lists continue to work as is. Forwarders wishing to support SPF only need to modify SMTP MAIL FROM and RCPT TO, not the mail. This concept is not new: with the original RFC 821 SMTP, forwarders always added their host name to the reverse path in the MAIL FROM.

The most problematic point in the core Sender ID specification is its recommendation to interpret v=spf1 policies like spf2.0/mfrom,pra instead of spf2.0/mfrom. This was never intended by any of the SPF drafts published since 2003, and for an unknown but large number of v=spf1 policies an evaluation for ''pra'' could cause bogus results in the many cases where ''pra'' and ''mfrom'' are different. This problem was the basis of an appeal to the Internet Architecture Board (IAB). In response to another, prior appeal, the IESG had already noted that Sender ID cannot advance on the IETF standards track without addressing the incompatibility with a MUST in RFC 2822. Various surveys performed in 2012, when SPF turned from experimental to proposed standard, showed that fewer than 3% of mail domains published specific requests for using the ''pra'', compared to some 40-50% of mail domains using SPF.
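The following Python program is an added example for this article; it is not code from the Sender ID specifications or from any Sender ID implementation. It implements the RFC 4407 heuristic for selecting the PRA described under Principles of operation, reads the scopes of a Sender ID record (including the disputed treatment of v=spf1 as spf2.0/mfrom,pra discussed above), and runs a constructed forwarding scenario: rewriting MAIL FROM keeps the ''mfrom'' check passing, while the ''pra'' check fails unless the forwarder inserts a Sender: header. Assumptions: header values are pre-parsed into lists of bare addresses (a real implementation would parse RFC 2822 mailbox lists), policy evaluation honours only exact ip4: mechanisms, and all domains and addresses (author.example, forwarder.example, legacy.example, esp.example and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses) are constructed documentation values.

```python
"""Added example, written for this page; not taken from RFC 4406/4407 or from
any Sender ID implementation.  Assumptions: header values are pre-parsed into
lists of bare addresses, policy evaluation honours only exact ip4: mechanisms,
and every domain and address below is a constructed documentation name."""
from typing import Dict, List, Optional, Set, Tuple

Header = List[Tuple[str, List[str]]]  # ordered (field, addresses); trace fields carry []

def _first_nonempty(headers: Header, name: str) -> Optional[int]:
    for i, (field, addrs) in enumerate(headers):
        if field.lower() == name.lower() and addrs:
            return i
    return None

def _all_nonempty(headers: Header, name: str) -> List[List[str]]:
    return [addrs for field, addrs in headers if field.lower() == name.lower() and addrs]

def purported_responsible_address(headers: Header) -> Optional[str]:
    """RFC 4407 section 2 heuristic; None means the message has no valid PRA."""
    chosen: Optional[List[str]] = None
    # Step 1: first non-empty Resent-Sender, unless an earlier Resent-From is
    # separated from it by a Received/Return-Path (then it belongs to an older hop).
    rs = _first_nonempty(headers, "Resent-Sender")
    if rs is not None:
        rf = _first_nonempty(headers, "Resent-From")
        separated = rf is not None and rf < rs and any(
            headers[i][0].lower() in ("received", "return-path") for i in range(rf + 1, rs))
        if not separated:
            chosen = headers[rs][1]
    if chosen is None:                              # Step 2: first Resent-From
        rf = _first_nonempty(headers, "Resent-From")
        if rf is not None:
            chosen = headers[rf][1]
    if chosen is None:                              # Step 3: exactly one Sender
        senders = _all_nonempty(headers, "Sender")
        if len(senders) > 1:
            return None
        if senders:
            chosen = senders[0]
    if chosen is None:                              # Step 4: exactly one From
        froms = _all_nonempty(headers, "From")
        if len(froms) != 1:
            return None
        chosen = froms[0]
    return chosen[0] if len(chosen) == 1 else None  # Steps 5/6: exactly one mailbox

def sender_id_scopes(record: str, v1_as_pra: bool = True) -> Set[str]:
    """Scopes a record asks receivers to check.  For v=spf1, RFC 4406 section 3.4 has
    Sender ID receivers also check the PRA (v1_as_pra=True); SPF itself treats
    v=spf1 as mfrom only, which is the reading the IAB appeal argued for."""
    tokens = record.split()
    version = tokens[0] if tokens else ""
    if version == "v=spf1":
        return {"mfrom", "pra"} if v1_as_pra else {"mfrom"}
    if version.startswith("spf2.0/"):
        scopes = set(version[len("spf2.0/"):].split(","))
        if scopes and scopes <= {"mfrom", "pra"}:
            return scopes
    return set()

def _authorized_ips(record: str) -> Set[str]:
    # Toy stand-in for SPF mechanism evaluation: exact ip4: entries only (assumption).
    return {tok[len("ip4:"):] for tok in record.split()[1:] if tok.startswith("ip4:")}

def check(policies: Dict[str, str], scope: str, mailfrom: str, headers: Header,
          client_ip: str, v1_as_pra: bool = True) -> str:
    """Evaluate one scope ("mfrom" or "pra") for a message received from client_ip."""
    identity = mailfrom if scope == "mfrom" else purported_responsible_address(headers)
    if identity is None:
        return "permerror"
    record = policies.get(identity.rsplit("@", 1)[1])
    if record is None or scope not in sender_id_scopes(record, v1_as_pra):
        return "none"  # the domain published nothing for this scope
    return "pass" if client_ip in _authorized_ips(record) else "fail"

# Constructed policies; each record string stands in for the domain's DNS TXT record.
POLICIES = {
    "author.example": "spf2.0/mfrom,pra ip4:192.0.2.10 -all",
    "forwarder.example": "spf2.0/mfrom,pra ip4:198.51.100.5 -all",
    "legacy.example": "v=spf1 ip4:192.0.2.20 -all",  # plain SPF; never asked for pra
    "esp.example": "spf2.0/mfrom ip4:203.0.113.7 -all",
}

def forwarding_scenario(add_sender: bool) -> Dict[str, str]:
    """Alice's mail is forwarded from 198.51.100.5.  The forwarder rewrites MAIL FROM
    (as RFC 821 hosts did) and, optionally, inserts a Sender: header.  Returns the
    result of each scope at the final receiver."""
    headers: Header = [("From", ["alice@author.example"])]
    fwd_mailfrom = "bounces@forwarder.example"
    fwd_headers = ([("Sender", [fwd_mailfrom])] if add_sender else []) + headers
    return {scope: check(POLICIES, scope, fwd_mailfrom, fwd_headers, "198.51.100.5")
            for scope in ("mfrom", "pra")}

def legacy_spf1_scenario(v1_as_pra: bool) -> str:
    """Newsletter sent by an ESP on behalf of legacy.example, so mfrom and pra differ;
    shows the bogus "fail" that reading v=spf1 as spf2.0/mfrom,pra produces."""
    headers: Header = [("From", ["news@legacy.example"])]
    return check(POLICIES, "pra", "bounces@esp.example", headers, "203.0.113.7", v1_as_pra)
```

Running forwarding_scenario(False) gives mfrom "pass" and pra "fail": the forwarder's rewritten envelope satisfies SPF, but the PRA is still Alice's From: address, whose policy does not list the forwarder's host. With add_sender=True both scopes pass, which is exactly the header modification the text says forwarders must make. legacy_spf1_scenario(True) yields "fail" for a domain that only ever published a v=spf1 record, while legacy_spf1_scenario(False) yields "none", the result SPF semantics would give.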


Patents

The Sender ID proposal was the subject of controversy regarding licensing issues: Microsoft holds patents on key parts of Sender ID and used to license those patents under terms that were not compatible with the GNU General Public License and which were considered problematic for free software implementations in general. On October 23, 2006, Microsoft placed those patents under the Open Specification Promise, which is compatible with some free and open source licenses, but not with the most recent version of the GPL, version 3.x.


See also

* Email authentication overview
* MARID (IETF WG in 2004)
* DKIM
* DomainKeys




External links


* ''ASF Position Regarding Sender ID'', statement from the Apache Software Foundation
* IAB appeal about Sender ID's reuse of v=spf1 for PRA from the SPF project (2006)
* ''Debian project unable to deploy Sender ID'', statement by the Debian project
* ''IETF Decides on SPF / Sender-ID issue'', coverage and discussion on Slashdot
* ''Is Sender ID Dead in the Water? - No MARID Working Group Consensus'', coverage and discussion on Groklaw
* ''MARID Co-Chairs Clarify Consensus Statement'', mailing list thread
* ''Sender ID: A Tale of Open Standards and Corporate Greed?''
* "SPF: SPF vs Sender ID"
* "Sender Id Types in Different Countries"