It's been a
bad month for Microsoft's efforts to promote their
visions of trustworthiness and authentication in Internet
commerce.
Just as the ground began to crumble beneath Microsoft's "Sender
ID" email authentication proposal, it was discovered that
the
Redmond, Wa.-based software giant was considering acquiring
Claria, one of the world's most notorious adware and spyware
companies.
Let's look first at the email authentication wars. As I've
discussed previously, the battle over email authentication has
been raging for several years. Among the many proposals being
considered by the email industry and Internet standards community
is Microsoft's Sender ID and its closely related cousin, the
"Sender Permitted From" or SPF standard.
Both SPF and Sender ID use text records entered into a domain's
DNS entry that define what IP addresses should be permitted to
send email for that domain. These definitions embedded in the
sender's DNS records are then queried and parsed by the receiving
server to determine whether to accept or reject a particular piece
of email.
As I reported back in October, Microsoft's Sender ID proposal
became the subject of much scorn when it was discovered that,
at
the same time they were promoting Sender ID as a global standard,
they were trying to patent the technology surrounding Sender ID.
In the intervening months, numerous major service providers
participating in the Messaging Anti-Abuse Working Group, an
industry consortium that is promoting the development of new email
authentication standards, have continued to test Sender ID. Their
recently released findings are not good news for Microsoft.
According to the technical committee's white paper :
"At best, SPF and Sender ID are comparable to a license
plate
issued by a foreign country: they show that the vehicle is
permitted to drive in that country, but make no indication as
to
whether that country's regulations are similar to yours - and
we
can only assume that the driver inside is permitted to use that
vehicle."
But the committee went on to explain that along with these dubious
benefits, there were some significant downsides to implementing
Sender ID.
These include:
* Forwarded or re-sent mail will fail authentication without
changing email systems to re-write return addresses and add new
headers;
* Those sites publishing authentication records must ensure that
their records permit mail from all possible points of origination
or risk having legitimate email mislabeled as spam;
* This method of authentication does not provide protection against
forgery of the most common user-visible mail headers;
* Receivers must be aware that performing some checks in accordance
with Sender ID and SPF may yield inaccurate authentication
results due to misinterpretation of the Sender's authorization.,
and
* If your operation provides email services to roaming users,
you
may need to forge or add certain headers in order to ensure
successful authentication.
As a result, several major service providers have removed their
Sender ID and SPF statements from their DNS records in order to
avoid potential confusion and lost email.
But just as the industry is backing away from Sender ID, Microsoft
rekindled fears of monopolistic bullying tactics by unilaterally
declaring that all email sent to MSN and Hotmail would be scanned
for Sender ID compliance. Resistance is futile. If your company's
email doesn't pass a patent-pending Sender ID check, it might
be
labeled as spam and consigned to the dreaded Spam folder.
Just as the world was trying to digest what Microsoft was
attempting to shove down its collective throat, word leaked out
that Microsoft was in talks to buy Claria, formerly known as Gator
-- one of the world's most notorious peddlers of spyware and adware
-- which I will call malware hereafter for the sake of brevity.
According to several news reports, Microsoft has been eager to
compete in the online advertising markets dominated by companies
like Yahoo and Google. Experts suggest that buying Claria would
give Microsoft a jumpstart in the market because of Claria
advertising network consisting of more than 40 million souls who
receive Claria annoying pop-up ads.
As one commentator wrote, this move "underscores just how
eager
Microsoft is to catch up with Google, the search and advertising
giant."
Eager? How about desperate?
In my opinion, picking up Claria for its advertising network
is
like buying a former nuclear bomb testing site because the lack
of
anything standing gives you such great views in all directions.
Just don't touch anything, ignore the three-headed rabbits
populating the poisoned ground, and you'll be fine.
There are plenty of other ad networks out there, most of which
got
to be successful without engaging in deceptive, unfair, and
lawsuit-provoking activities.
Some might say Microsoft and Claria have been unwittingly working
together for a long time. Claria advertising reach is directly
tied
to its years of distributing malware and long history of its paid
"affiliates" taking advantage of security holes in Microsoft's
operating system to install the software surreptitiously and without
end-users permission.
In its defense, Claria claims to be migrating its business model
to
one focused on more legitimate forms of business. But like the
Gotti
family and their garbage hauling business, I have a feeling that
it
is going to take them some time to stop living off their other
gigs.
More recent reports suggest that an acquisition of Claria is
never
going to happen because Claria reputation is too tarnished for
even
Microsoft's tastes. But that didn't stop Microsoft from giving
Claria
a pre-engagement gift just last week -- downgraded threat rating
in
Microsoft's anti-spyware utility!
According to Eric Howes of SpywareWarrior.com:
"Several sources have now confirmed that Microsoft downgraded
its
detections of Claria's adware products in the latest update (#5731)
to Microsoft AntiSpyware released today. Where Microsoft AntiSpyware
used to detect Claria's products and present users with a Recommended
Action of 'Quarantine, following today's update Microsoft AntiSpyware
now presents users with a Recommended Action of 'Ignore[.] Users
can
still change the action to "Quarantine" or "Remove."
In the end, though, this is nothing new. As I've noted before
, other
security software makers have gone soft on malware. Microsoft's
is only
the most recent, and to my way of thinking, the most unprincipled
and
morally corrupt.
So the next time you hear pronouncements from Microsoft about
their
efforts to make your computing experiences safer and more secure,
a
deeper look may suggest that Microsoft's effort to be part of
the
solution includes taking a bigger stake in the problem.
