Open source groups revolt against Microsoft anti-spam plan

Two prominent open-source software groups have rejected the Sender ID technology standard backed by Microsoft.

Two prominent open-source software groups have rejected the Sender ID technology standard backed by Microsoft.

Sender ID would close a loophole used to send unsolicited commercial ("spam") e-mail.

Apache Software Foundation and the Debian Project said they will not be able to support the Sender ID e-mail authentication standard in their products, citing unresolved patent and licensing issues with the standard.

Debate has been growing for months within the open-source software and internet standards communities as Microsoft tries to garner support for its nascent standard, while also protecting its intellectual property rights.

As currently proposed, the Sender ID licence does not meet the standards that each group holds for software distributed with their products, making it incompatible with open-source products, the groups said.

Other open-source groups, including the Free Software Foundation, have also voiced reservations about the Sender ID patents.

Sender ID is a technology standard that closes loopholes in the current system for sending and receiving e-mail that allow senders, including spammers, to fake, or "spoof," a message's origin.

Organisations publish a list of their approved e-mail servers in the DNS (domain name system). That record, referred to as the sender policy framework (SPF) record, is then used to verify the sender of e-mail messages sent to other internet domains using Sender ID.

Tens of thousands of internet domains have published SPF records since the standard was introduced by Meng Weng Wong of

In May, Microsoft and Meng reached an agreement to merge SPF with a Microsoft-developed standard called Caller ID to form the new Sender ID standard, which Microsoft submitted to the Internet Engineering Task Force in June for approval.

At the heart of the dispute between Microsoft and the open-source community is language in the Royalty-Free Sender ID Patent Licence Agreement, which Microsoft requires those using Sender ID technology to sign, according to John Levine, a member of the Internet Research Task Force's Anti-Spam Research Group.

Open-source software advocates are uncomfortable with a prohibition against transferring or "sublicensing" Sender ID licences to others in the open-source community, and with a requirement that all licensee's contact Microsoft directly to receive a copy of the licence, Levine said.

The right to transfer and sublicense technology is common within the open-source community and is perceived as a key component , which relies on the contributions of labour and expertise from thousands of developers, who in exchange have unencumbered access to and use of open-source software.

In contrast, Microsoft's licence for Sender ID treats recipients of the licence like "end users" who have limited rights, according to a copy of an e-mail to Microsoft from Lawrence Rosen, general counsel of the Open Source Initiative, that was posted by the Apache Software Foundation on its website.

In a statement issued to the Internet Engineering Task Force, the Debian Project said the inability to freely distribute, modify and use the Sender ID technology violates the Debian Free Software Guidelines, preventing that group from distributing Sender ID with any Debian software, or even supporting Sender ID.

Beyond the dispute about sublicensing, open-source software groups are also suspicious of Microsoft's refusal to say what pending patents the company has around the Sender ID technology.

Without information on what technology Microsoft is claiming patents on, open-source groups are wary about implementing Sender ID for fear that Microsoft's patents, when finally disclosed and then granted, will be broad, according to the Apache Software Foundation.

The breakdown between leading open-source groups and Microsoft may slow the momentum behind Sender ID adoption, which Microsoft has been aggressively pushing in recent months.

Patent disagreements aside, the Sender ID technology has not proven to be as popular or as effective at stopping spam as some had hoped, Levine said.

A recent survey conducted by e-mail security company CipherTrust found that only about 5% of inbound e-mail comes from domains that have published SPF records. Of the 3%-5% of mail that does come from an e-mail domain with a valid SPF record, more is spam than legitimate e-mail, the survey showed.

With only middling performance in spotting spam and a host of legal concerns surrounding it, Sender ID may fall by the wayside, as companies look with increasing interest at competing standards, such as DomainKeys, a sender authentication standard backed by Yahoo, Levine said.

Paul Roberts writes for IDG News Service

Read more on PC hardware