By Derek Iwasiuk
June 20, 2006
Ann Arbor, Michigan – Despite a renewed and aggressive PR campaign by Microsoft, statistical analysis demonstrates that “Sender ID” is ineffective as an anti-spam solution.
Research conducted by OnlyMyEmail, Inc. during the last 60 days clearly reveals that emails sent by a domain without a published SPF record are actually slightly less likely to be spam than those sent by domains that publish Sender ID information in their DNS records, the opposite of the promoted value of Sender ID.
Further, emails that return a positive match for Sender ID (a “pass” result) are not significantly more likely to be legitimate emails than those without a published SPF record; again contrary to the perceived benefits of implementing Sender ID.
Finally, if Sender ID were relied upon for blocking emails (based on an SPF result of “fail”), this would result in a false-positive rate of nearly 8.6%.
Combined, these results qualify Sender ID as being one of the most ineffective and least accurate anti-spam tools available anywhere, producing results no better than first-generation anti-spam filters now a decade out of date.
-- Sender ID Analysis Results:
The data amassed in recent months reveal the spam probability of emails based on SPF results:

SPF result    Spam probability    Meaning
SPF Fail      0.914               Sender fails to match Sender ID
Softfail      0.885               IP addresses not specified
- - - -       0.500               Spam/Not-Spam midpoint
None          0.495               Sender ID not published
SPF Pass      0.174               Positive Sender ID match

Translated into real-world terms the implications are both surprising and of significant importance to all email administrators:
* An email that fails Sender ID verification only has a 91.4% chance of actually being spam. If relied upon to accept or reject an email, 8.6% of emails rejected would be “false-positives” – causing a great deal of legitimate email to be blocked.
* On the other end of the spectrum, 1 out of 6 emails that “pass” Sender ID verification will actually be spam.
* The spam probability of an incoming email from a domain that does not publish Microsoft’s Sender ID data is almost a coin-flip at 49.5%, just slightly favoring the probability that it is actually not spam.
* This means that non-compliant domains are actually less likely to be sending spam than those networks that do publish SPF records within their DNS, though by an insignificant measure.
* Because the spam probability for emails sent by servers without SPF records is only 49.5% but rockets to 88.5% for those that return “softfail” results, administrators who publish Sender ID/SPF records that are not specific regarding their sending IP addresses are increasing the likelihood that their outbound email will not be delivered by almost 79%.
These results translate into exceptionally bad news for email administrators who are actively relying on Sender ID to decide whether to accept or reject inbound emails, as even older “first-generation” spam filters were considerably more accurate than Sender ID is today.
Further, it’s clear that publishing SPF records for domains you manage could be disastrous to your outbound deliveries, unless you are specific regarding permitted sending IP addresses for your domains.
-- Why Sender ID Failed
In what is very much a Judo-like technique, spammers now commonly publish SPF entries for their sending domains. In effect, spammers are using Sender ID as a weapon to increase spam delivery rates, made effective because of email administrators’ over-reliance on Sender ID.
For the spammer, the only shortcoming of publishing Sender ID information is that the spammer will have to abandon the domain within a few days as filters begin to correctly identify their sending domain as being one used for distributing spam.
This limitation is easily overcome by spammers who register thousands of “throw-away” domains for less than $10 apiece at Godaddy.com (where we observe that a great deal of these Sender ID compliant spam domains have been registered) and then aggressively rotate through these domains, discarding any domains whose rejection rate becomes too high.
Additionally, those spammers who rely on the use of infected and compromised personal computers and internet servers to send their spam messages won’t typically have any difficulties in passing SPF checks as those machines are quite often sending from their own network without any deception of the sending domain.
On the other hand, the problem of exceptionally high false-positives is exacerbated by two main factors:
* First and foremost, end-users do not understand Sender ID and will commonly have their email software configured to claim to be sending from their work or home addresses, even when they are not actually connected to those networks, causing their perfectly legitimate email to fail an SPF check.
* Additionally, many email administrators publish inaccurate SPF records without taking all possible legitimate sending servers (including business partners) for their domain into consideration; or they fail to update their domain’s Sender ID information when new servers or locations are added to their systems.
As a recent example, a mass mailing sent on the behalf of Network World failed SPF checking because the sending server was actually one belonging to a third-party business partner (mBlast.com) and their servers were not included in Network World’s published SPF records.
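The Network World failure described above, worked through as an added example (not OnlyMyEmail's code): a simplified SPF evaluator that handles only ip4/ip6 and "all" terms, with each result mapped to the spam probability from the table in this release. The records, labels and addresses are constructed, using documentation address ranges.

```python
import ipaddress

# SPF qualifier prefix -> result name; "+" is the default when none is written.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Spam probability per SPF result, copied from the table in this release.
SPAM_PROBABILITY = {"fail": 0.914, "softfail": 0.885, "none": 0.495, "pass": 0.174}

def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting IP address.
    Only ip4:/ip6: and "all" are handled; include:, a, mx and redirect need
    DNS lookups and are skipped. No record at all yields "none".
    """
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

# Constructed sample data (documentation address ranges, not real senders).
PARTNER_IP = "198.51.100.25"  # hypothetical third-party mailing server
RECORDS = {
    "no record": None,
    "own servers only, -all": "v=spf1 ip4:192.0.2.0/24 -all",
    "own servers only, ~all": "v=spf1 ip4:192.0.2.0/24 ~all",
    "partner listed, -all": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
}

def partner_mailing_results():
    """Return {label: (SPF result, spam probability)} for the partner's IP."""
    out = {}
    for label, record in RECORDS.items():
        result = evaluate_spf(record, PARTNER_IP)
        out[label] = (result, SPAM_PROBABILITY.get(result))
    return out

if __name__ == "__main__":
    for label, (result, p) in partner_mailing_results().items():
        print(f"{label:26} {result:9} {p}")
```

The same legitimate mailing moves from 0.495 with no record to 0.914 when the partner is left out of a strict record, and to 0.174 once the partner's range is listed.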
While these obstacles can be overcome in theory, doing so would require a vast amount of effort and expense, and substantially more end-user diligence than can be expected given the number of users who are still infected by obvious viruses, fall for internet get-rich-quick cons, and are too often duped by countless phishing fraud emails.
-- How Sender ID Could Work
Sender ID has two Achilles’ heels that will continue to prevent this standard from being effective as an anti-spam solution.
First, because complying with Sender ID is not required, checking a sender’s SPF record does not provide the type of consistent data necessary in order to be reliable. As a pre-requisite to being effective, the Sender ID standard would need to be mandatory.
However, making Sender ID compulsory is not necessarily desirable for the Internet, and is unlikely to occur given that it would require vast agreement throughout the world, would require substantial capital investments and would also cause disruptive change to the way many users and networks currently send email.
Secondly, because there is no cost or fee associated with publishing Sender ID information, spammers can obviously afford to send email that is fully SPF compliant, and many already do so today. In addition to requiring mandatory compliance, Microsoft (which maintains patent rights to Sender ID and has existing licensing requirements) or some other entity would need to establish a fee that is high enough to be prohibitive to the spammer’s business model.
While an annual Sender ID registration fee of perhaps as little as $100 per domain might be sufficient in this regard, it would have significant consequences.
Such a fee structure would no doubt drive a great number of domains off the Internet, as many personal, family, hobby and activist related sites would be lost, and a great part of what makes the Internet so valuable to so many would cease to exist.
Further, such pricing could create the potential for monopolistic domain registration practices. For example, if a dominant technology company were in a position to bundle free domain name registration while at the same time collecting compulsory “Sender ID Registration Fees” then competitors selling only domain registrations could be put at substantial business risk.
Despite the obvious appeal of a promise to solve spam with a simple and relatively easy to implement standard, Sender ID is not such a solution.
Sender ID’s ability to filter is bested by practically every other known anti-spam solution and its false-positive potential far exceeds what consumers and businesses alike are willing to tolerate.
While Sender ID could theoretically mature into a more competent solution, it would require costs, compromises and a centralization of power that are so extreme that there is almost no chance that it could succeed.
Notice: Statistics were collected for domains protected by OnlyMyEmail's Corporate MX-Defender as well as through individual addresses protected through our Personal anti-spam solution and cannot be warranted to be identical for all Internet domains.
OnlyMyEmail's spam research and reports are also available to technology editors and reporters by request.
www.OnlyMyEmail.com is an anti-spam service requiring no installation or maintenance of software, and offers solutions for individuals, small businesses, enterprises and Internet Service Providers (ISPs).