The author of the study, e-mail services provider MX Logic, analyzed nearly 10 million bulk e-mail messages that it had filtered on behalf of its clients in late August. The company found that nearly a sixth of the sources of the junk messages used a protocol known as Sender Policy Framework (SPF) to certify that the e-mail addresses used in the messages were real.
While SPF has been touted as a way to stop spam, the data has shown that the true value of the protocol is more about preventing fraud, said Scott Chasin, chief technology officer of the Denver company.
"Authentication (with SPF) by itself is not a spam cure-all," Chasin said. "SPF--as it relates to having an impact on spam--will hurt only those who spoof domains. You are still going to need content filtering to see if the message was unsolicited."
SPF is one of two technologies currently being considered as part of a hybrid method, dubbed Sender ID, for certifying the source of e-mail messages. Another technology, Microsoft's Caller ID for E-mail, makes up the other half of the proposed standard. Because it uses technology that Microsoft is attempting to patent, Sender ID may require that users sign a license from the software giant, which has angered many project groups in the open-source world.
That debate has caused many Internet engineers and mail administrators to take another look at SPF, created by Meng Wong, the founder of e-mail service firm Pobox.com.
The Internet Engineering Task Force, the technical committee creating the standard, debated the issues extensively over its e-mail list during the last two weeks.
MX Logic's Chasin argues that SPF does not really solve the problem of spam--at least not until there are supporting services to provide a measure of the reputation of the various e-mail senders.
"SPF is great at combating fraud such as phishing," he said. Phishing is the Internet scam that usually uses e-mail designed to look as if it came from an official organization, such as a bank or government agency, to elicit personal data. "Phishing attacks are all about spoofing someone's domain name."
The majority of the SPF users found that spam was coming from "gobbledygook" domain names, not from legitimate companies, he said.
Chasin argues that new services are needed to give e-mail recipients a measure of the reputation of the sender. Such services would basically certify that certain servers belong to "good" e-mail senders, allowing message-filtering software to classify such e-mail as legitimate.
"The e-mail filters could then let through legitimate e-mail," he said. "It would be 'guilty until proven innocent.'"



Their main purpose is to protect the reputation of businesses, in enabling receivers of email to verify that an email with a corporate return address came from a source authorised to send by that business. That way it prevents some kind of fraud where email sent is made to look as if it was sent from a well known corporation.
To use a snail-mail analog: SPF and sender ID require the sender to use the address of the post office from where a letter is sent as the return address. This is acceptable only in corporate settings. If an individual sends a letter when away from home, the return address used should still be the individual's address, not the post office address. Even when one sends from one's home town, the return address is still the home street address and not the post office's street address.
SPF can also be used by service providers to limit their customers, who can now send email from anywhere and receive replies in their accounts. A service provider might use SPF to prevent its users from using their own software to send email to recipients who use SPF to filter email. For instance, a Gmail user can configure Outlook Express to send email using the user's ISP SMTP server, and with Gmail return address ("From:" header) and the reply would be received in the user's Gmail account. But if the recipient's email system uses SPF for rejecting email, the message would be rejected, since Gmail's SPF records say: "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all", so only email sent through the two listed Gmail servers would pass through. Currently this doesn't create a big problem for Gmail users, but when SPF or SenderID is deployed by more recipients, it would become a problem to some users. The solution is of course that Gmail should change the "-all" in the end of the SPF record to "+all", since it has no knowledge of the list of possible sources its users might use to send mail. Any email service that provides service to individuals should use "+all". "-all" is suitable only for corporate domains that are only used to send email by employees, where the business knows exactly what are the email servers its employees may use to send email representing their employer.
SPF and other such schemes are individual-unfriendly: they give advantage to email services that limit their users from legitimately using their email addresses. Theoretically it allows a service to use "+all" to allow its users to send email from anywhere, but eventually this might mean that some recipients would classify any service using "+all" as a spammer, even if that service is very spammer-intolerant, and on the other hand would let any spammer who spent a few bucks on a disposable domain to look very legitimate.
We too know those "make money fast", "buy medications" or "(censored)" junk sent with some hotmail, yahoo or other freemail address as sender. You may like Microsoft or not, they do have a pretty restrictive SPAM policy, much like every other service provider I know of. However they can only enforce their policy if the sender uses their service. The same is probably true with most company mail services. There too certain usage policies will apply.
Nothing could keep me from sending a mail that looks like originating from bill.gates@microsoft.com to convince innocent recipients about my honorable reputation :-)
Btw, you may OWN an email address, if you have control over the respective domain - where you easily can configure the SPF record to fit your needs. In every other case you may USE a certain address if you accept the terms of the service provider. This may well be that you are forced to use their web interface in case of some freemail service or that you send your mails using the mail server of your provider if you use "his" domain for your address.
Though it will not reduce SPAM by any measurable amount, I like the idea that I can trust the sender address in the future and I urge every domain owner to update their records as soon as possible as it costs nothing.
Only people who love to cheat with their mail address can lose with this technology.
...a light, reliable way for an inbound email server to query a "reputation" service and receive a useful response. Because an IP/domain pair is included in SIQ protocol queries, the response may score the IP network, domain ownership, and the quality of the relationship (denied, affirmed, inferred, undetectable) between the IP and domain.
A variety of anti-forgery techniques have been proposed in recent years. However, many proposals require the domain owner to announce which outbound servers he authorizes, without third-party verification. This leaves open the possibility for abusive senders to achieve the same status as non-abusive senders, by making use of their own domains. Most of these proposals foresee the need for external reputation systems to close the abuse loophole. The SIQ protocol is put forth as a protocol for inbound servers to use in communicating with such reputation services or systems.
http://www.ietf.org/internet-drafts/draft-irtf-asrg-iar-howe-siq-00.txt
With or without SPF, in practice I find that there are enough facts about the sending domain and sending server IP pair to determine if the message is a malicious forgery, a non-malicious forgery (ie greeting card, send a friend an article, I'm using the hotel outbound server, etc), or sent from a server with a business relationship to the sending domain.
Forwarding is an issue for any system which utilizes domain and ip pairing; I am working on another promising and simple answer to this issue which will be submitted as an internet draft shortly, dubbed VARA - Verified and Recipient Authorized. http://wiki.outboundindex.net/VarA
My emphasis is on simple; I prefer SPF over Sender ID for at least the reasons of simplicity, among others.
Or will this just drive the problem back to domain registrars that accept bogus listings? In that case, prosecute *them* as accessories.
> spammers to their true addresses, why not
> simply prosecute them under CAN-SPAM?
There's no need for these protocols just to find the sender's address. It's in the "Received" headers of the email. SpamCop.net does a very good job in reading those headers for you and notifying the correct abuse departments of the spammer's ISP. And if you use it a few times with the spam you receive you would know why the senders cannot be prosecuted under CAN-SPAM: they are not located in the USA, so they CAN SPAM!
SenderID and SPF and similar schemes are not tools to find out who sent the email: this is known. What they do is verify that the domain in the email address that is claimed to be the author's address has allowed sending from the server who sent the email message, whose IP address is known by the recipient.
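
The check described in the comments above (has the claimed sender's domain authorised the connecting server's IP address?) as an added Python example, not part of the original article or comments. It handles only the `a`, `ip4` and `all` mechanisms; the DNS data, the IP addresses and the two `.example` domains are constructed assumptions, and only the gmail.com record is the one quoted above.

```python
import ipaddress

# Constructed DNS data (documentation address ranges) so the example runs offline.
A_RECORDS = {
    "mproxy.gmail.com": ["192.0.2.10"],
    "rproxy.gmail.com": ["192.0.2.11"],
}
SPF_RECORDS = {
    # Record as quoted in the reader comment above.
    "gmail.com": "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all",
    # Hypothetical throwaway domain whose owner lists their own servers.
    "xqzt-deals.example": "v=spf1 ip4:203.0.113.0/24 -all",
    # Hypothetical freemail domain publishing the "+all" the comment proposes.
    "openmail.example": "v=spf1 +all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mechanism_matches(mech, domain, ip):
    """True if the connecting IP matches one SPF mechanism (subset only)."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        hosts = A_RECORDS.get(arg or domain, [])
        return any(ip == ipaddress.ip_address(h) for h in hosts)
    raise ValueError(f"mechanism not handled in this sketch: {mech}")

def check_spf(sender_domain, client_ip):
    """Return the result of the first matching term, evaluated left to right."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term, sender_domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"

def scenarios():
    return {
        "gmail via gmail proxy": check_spf("gmail.com", "192.0.2.10"),
        "gmail via ISP relay": check_spf("gmail.com", "198.51.100.25"),
        "bulk sender, own domain": check_spf("xqzt-deals.example", "203.0.113.77"),
        "any server, +all domain": check_spf("openmail.example", "203.0.113.77"),
    }
```

The throwaway domain gets the same "pass" as mail sent through the listed Gmail servers, which is why the article says a receiver still needs content filtering or a reputation service on top of SPF.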
- Spam is worse than viruses, trojan horses
- by pentium4forever September 9, 2004 9:33 AM PDT
- Boy is spam getting worse and worse as time goes by. Filters aren't enough unless you want to spend time configuring them. Spam is smart. The nasty spammers out there have their tricks and hopefully they are caught and put in jail. It's easier to get a new email account when spam is the problem.
- Have you
- by royc September 10, 2004 11:35 AM PDT
- ever had a virus or trojan horse?
I bet not. They really cause trouble, like slowing down your system, deleting files or formatting your hard disk.
Spam is trying to sell you something. And since it's so cheap to send 1,000,000 emails they can make big money if they get a sucker, oops, I mean customer, for each 10,000 emails sent.