SAN FRANCISCO — In his quest to kill spam, Microsoft Chief Software Architect Bill Gates
Tuesday appealed to security leadership, asking them to adopt his fledgling
“Caller ID for E-mail” program.
The multi-tiered project would work much as caller identification for telephones
does, showing the phone number of the person calling. The proposal is part of the
Redmond, Wash.-based company’s Coordinated Spam Reduction Initiative (CSRI).
“Spam is both a nuisance and a security threat,” Gates said to attendees
at this week’s RSA Conference 2004 here, emphasizing that using white lists or
what Microsoft calls “rich safe-listing” e-mail is key. “Having e-mail come
in, and not really being able to identify where it comes from, this is a
huge security hole. And like so many of the standards and protocols that
grew up on the Internet in the early days, we need to strengthen these in
this environment where there is malicious activity.”
Despite heavy industry and government involvement, however, Microsoft is
moving ahead with its own plans. The company is calling for system-wide
changes to the e-mail infrastructure and asking for high-volume e-mail senders
to demonstrate their compliance with reasonable policies and viable
alternatives for smaller-scale senders to distinguish themselves from
“We have some patents around this, we’re saying are royalty free,
available for everyone to use…” Gates said.
The pilot implementation of Gates’ Caller ID for E-Mail is debuting on
Microsoft’s popular Hotmail service, which began publishing outbound IP addresses this week.
The testing will be extended to check inbound addresses on some 100 million
free e-mail accounts early this summer.
Gates said the project would then be extended to Microsoft Exchange
systems to run filtering.
“So front-ending things with the very latest filtering and proof-type
algorithms is something we think that a lot of people would be interested
in, and we’ll put betas of this out, and get feedback this year to make sure
we’re doing exactly what people want in the mail scenario,” he said.
Partners like Amazon.com, Brightmail and Sendmail are helping out
Microsoft with the trials.
In perhaps the most notable of these deals, Mail Transfer Agent (MTA) provider
Sendmail is working with Microsoft to distribute a plug-in for its
This allows Sendmail MTA users to easily implement Caller ID, so both can send verifiable e-mail, and check sender identity on received e-mail. Sendmail claims over 60 percent of the world’s e-mail runs on its MTA.
The proposal involves three steps to authenticate a sender:
- E-mail senders, large or small, publish the Internet protocol
(IP) addresses of their outbound e-mail servers in the Domain Name System
(DNS) in a format described in the Caller ID for E-Mail specification.
- Recipient e-mail systems examine each message to determine the purported
responsible domain (i.e., the Internet domain that purports to have sent the
- Recipient e-mail systems query the DNS for the list of outbound e-mail
server IP addresses of the purported responsible domain. They then check
whether the IP address from which the message was received is on that list.
If no match is found, the message has most likely been spoofed.
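The recipient-side check in the steps above, sketched as an added example that is not code from Microsoft or from the Caller ID for E-Mail specification. The `PUBLISHED` table is a constructed stand-in for the DNS lookup, and the header precedence used to pick the purported responsible domain is an assumption made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> published outbound server addresses.
# (Assumption: the real record format is defined by the specification.)
PUBLISHED = {
    "example.com": ["192.0.2.10", "198.51.100.0/28"],
}

# Assumed precedence of headers that can name the responsible sender.
HEADER_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")


def purported_domain(raw_message):
    """Step 2: return the domain the message claims to come from, or None."""
    msg = message_from_string(raw_message)
    for name in HEADER_ORDER:
        value = msg.get(name)
        if value:
            addr = parseaddr(value)[1]
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower().rstrip(".")
    return None


def check_sender(raw_message, connecting_ip, published=PUBLISHED):
    """Step 3: compare the connecting IP with the domain's published list."""
    domain = purported_domain(raw_message)
    if domain is None:
        return "no-domain"
    entries = published.get(domain)
    if entries is None:
        return "unknown"  # domain publishes nothing, so spoofing cannot be judged
    ip = ipaddress.ip_address(connecting_ip)
    for entry in entries:
        if ip in ipaddress.ip_network(entry, strict=False):
            return "pass"
    return "fail"  # a list is published and the connecting IP is not on it


# Constructed sample messages.
MSG = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
RELAYED = "Sender: list@other.test\nFrom: alice@example.com\n\nbody\n"
```

The `unknown` result matters in practice: a domain that has not published its servers cannot be distinguished from a forgery by this check alone, so the verdict is only as useful as sender adoption is wide.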
It’s a bold move to be sure, as previous attempts by Microsoft to curb
spam have been more reactionary. Still, Gates said he felt committed as the
majority of e-mail moves through Outlook or Outlook Express and executable
attachments remain the leading cause of launching mass mailing worms and
viruses. The company is even reallocating a massive amount of its
development resources on its upcoming “Longhorn” OS upgrade to deal with the
“There is an immense amount of work here,” Gates said. “There are many
partnerships and many more to come but we have a commitment to provide this