The fundamental difference between commercial and open-source software development is that commercial coders have an incentive to offer proprietary systems and limit or avoid the use of entirely open standards.
They may therefore reject perfectly good things simply because they were invented by someone else. In other walks of life we call such behaviour madness.
There could already be a perfectly good way of doing things, such as the Simple Mail Transfer Protocol (SMTP) for email, or the Domain Name System (DNS) for translating between numeric IP addresses and more manageable fully qualified domain names. But software vendors gain commercial advantage from doing things differently, and so when Microsoft made the Exchange mail server, it downplayed SMTP in favour of proprietary alternatives.
One consequence is that today, Microsoft Outlook has bugs, acknowledged by Microsoft and yet to be fixed, that prevent it from sending SMTP email using authentication and SSL encryption.
This is very serious because the authentication and encryption go hand in hand. Few people would send their username or password across the internet unless the data was encrypted.
Microsoft argues that the bug only affects systems that use a non-standard IP port for SMTP, but this is only a half-truth. The other half is that there is no standard IP port for encrypted SMTP.
The Internet Engineering Task Force (IETF) is currently considering such a standard - a draft version is available. The draft expires later this month, and its working title - draft-hutzler-spamops-01.txt - hints at the document's significance. If everyone were forced to authenticate to a mail server before using it, neither end-users nor server administrators would be plagued by spam. Without a standard way of encrypted authentication, I don't see how everyone could be forced to authenticate.
Meanwhile, in the absence of a standard, firms are left to do the best they can. Microsoft punts Exchange. Anti-spam vendors do likewise. The rest of us pick up the pieces.
Some firms run SMTP with authentication and encryption on the usual SMTP port of 25, but this gets tricky if you use a proxy server to filter spam from the front-end of your mail system. Ironically, the main reason for firms to secure their mail servers is not likely to be spam, but to comply with various rules on corporate governance and privacy.
Those that recognise the importance of authenticating users before allowing access to resources will no doubt rush to implement whatever standard the IETF eventually produces. Others might not be able to resist the desire to invent their own incompatible solution.