
Spoofed From: Prevention

timothy posted more than 10 years ago | from the web-of-trust dept.

Spam 532

An anonymous reader writes "It looks like the next promising advance in the war on spam is here! Introducing SPF: Sender Permitted From. A draft RFC is still being written, but the idea is simple: we can prevent forged emails by having domain owners publish a list of IP addresses authorized to send mail from their domain. It's no silver bullet, but how much spam can we eliminate by preventing forged mail from spoofed domains? Maybe we really don't need anti-spam legislation after all? The SPF site is chock-full of juicy info for our reading enjoyment. Bon appetit!" Interestingly, the to-do list mentions the possibility of seeking a defensive patent on this scheme, too.


532 comments


I don't understand... (-1, Offtopic)

dbleoslow (650429) | more than 10 years ago | (#7140418)

What's this got to do with SCO???

great idea... (4, Interesting)

AmigaAvenger (210519) | more than 10 years ago | (#7140420)

Good idea, but the problem is the same as saying spam would go away if all the open relays were taken offline. In theory, it works great, in practice, there are admins who WANT spam moving...

())====+D (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7140490)

Penis bird is dying!

ok it might not cure spam but... (0)

Anonymous Coward | more than 10 years ago | (#7140509)

I hate spoofed from-fields just as viscerally. At least it fixes that.

IRAQ WAR JUSTIFIED! with bbc link- (-1)

Fecal Troll Matter (445929) | more than 10 years ago | (#7140567)

Weapons inspectors in Iraq today uncovered "a small vial of botulinum toxin..." and were reportedly "...looking for a similar suspect vial of anthrax."
Proof of Weapons of Mass Destruction. Before this discovery I have adamantly put down the Bush Administration. Today, I sing a new tune. I am glad to see that our tax dollars have been well spent.
Thank you, George W. Bush and friends. [bbc.co.uk]

Re:great idea... (1)

civilengineer (669209) | more than 10 years ago | (#7140586)

pray, what might be the reasons for admins to have spam moving? To increase their job security?

Re:great idea... (1, Interesting)

Anonymous Coward | more than 10 years ago | (#7140591)

So here is an interesting question: can perhaps an option be put into DNS queries to ask a domain if it's an authorized mail server? Requests would have to be non-cached, of course.

This poses a couple of problems. If a spammer starts spoofing email from a domain all over will this create a secondary DDoS by making massive requests on a legit host?

And assuming one were to piggy back it on DNS or some existing service, how would something like Verisign sitefinder fuck it up?

Re:great idea... (4, Insightful)

marnanel (98063) | more than 10 years ago | (#7140647)

It doesn't solve the whole problem of spam, no. It's one possible way to deal with one particular aspect of the problem: forging From addresses will become harder. This is a major annoyance and it'd be good to have the hole closed.

Another problem: (3, Insightful)

BrokenHalo (565198) | more than 10 years ago | (#7140702)

I am a bit wary of that patent mentioned in the ToDo. I can foresee some ugly situations arising as a result of a select number of powerful corporations hijacking the protocol.

I would be happier if he GPL'ed it.

Actually, that brings something important to mind: Here in Australia a very large proportion of mail servers are Debian boxes. If that patent idea gets taken up, I can't see Debian including SPF; it'll be poison.

Won't work unless everyone implements this (3, Insightful)

neonstz (79215) | more than 10 years ago | (#7140429)

As far as I understood, unless everyone with a domain uses this, the spammers can just adjust their scripts/programs to just generate fake emails from domains without SPF. (or did I miss something?)

Re:Won't work unless everyone implements this (3, Informative)

donnz (135658) | more than 10 years ago | (#7140533)

Sort of not. All we need are a few of the big ones to sign up to see significant impact.

In fact, other /.ers can explain this much more clearly. [slashdot.org]

Re:Won't work unless everyone implements this (2, Insightful)

damiam (409504) | more than 10 years ago | (#7140545)

True. But, if you implement it, you can be sure that no spammer will forge your domain, which can save a lot of headaches.

I don't like that idea. (3, Insightful)

ixt (463433) | more than 10 years ago | (#7140430)

I have cable. I also run my own mail server. If that's implemented, then no mail server will receive my mail because my residential cable IP won't be allowed to send mail from my ISP's netblock. Thus we all need to pay just to run our mail domains, which is too expensive.

Re:I don't like that idea. (1)

AmigaAvenger (210519) | more than 10 years ago | (#7140450)

way too expensive? what is it up to, $4.95 /year at godaddy?

this just leads to other things... (-1)

after (669640) | more than 10 years ago | (#7140513)

4 bux here and there. Sure, $4 a year for some domain is cheap - but it will be a requirement if you want to own your own mailserver. How many of us use our own mailservers? I know I do, and I don't want my money (along with the thousands of other geeks') going to corporations that exploit the fact that spam has to be stopped using brute force methods such as pure blockage (is that even a word?).

Re:I don't like that idea. (1)

jollis (691129) | more than 10 years ago | (#7140483)

An acceptable price to pay for a pretty effective measure, in my opinion. Just buy a domain, or use your ISP's mail servers. DUL lists are already employed by various companies, to kill spam from end-user ranges and viruses using their own SMTP engine. It may be annoying, but it sure is effective.

Re:I don't like that idea. (1)

Croaker (10633) | more than 10 years ago | (#7140485)

Er... do you have a domain already that's mapped to your home server? If so, then you'll just have to publish your home IP as the proper one for your domain. If not, well, maybe free DNS services (such as Dyndns) will be set up so that they'll maintain a list of authorized IPs. Of course, this could be troublesome, since that would make these DNS services instantly targets of spammers who want to set up their own spamming systems. If neither of those two options work... what's wrong with using the SMTP of your ISP? You could still receive mail... you'd just have to set up your outgoing mail to relay through the approved SMTP.

"business account" (2, Insightful)

exhilaration (587191) | more than 10 years ago | (#7140504)

Or instead of probably violating your provider's Terms of Service by running a server (as I do too), you could just pony up the extra cash for a business account that will let you do anything you want.

Hey man, I love abusing my cable connection too, but since I'm not willing to pay $100 instead of the $40 I'm paying now, I don't expect being able to do everything I want to.

Re:I don't like that idea. (1)

CitizenJohnJohn (640701) | more than 10 years ago | (#7140511)

Running your own email server from a retail ISP's service is becoming less useful as admins tighten up the places from which they are prepared to receive mail. There are already lists of IP ranges allocated to customers of retail Internet services, and these are being blocked because the odds are that a mail server at one of these addresses is a virus pumping out garbage and not a clueful home user running a properly configured server.

Yes, this is not fair, but it's the way things are, and there's no sense railing against it. Considering how inexpensively you can get mail hosting, it's not hard to deal with, much as I too would like to put on my control-freak hat and run my own mail server.

Re:I don't like that idea. (1)

HeelToe (615905) | more than 10 years ago | (#7140538)

Where you can get inexpensive mail hosting that is also suitable for personal interest mailing lists you wish to host?

This hard reality sucks. The internet used to be a collaborative thing. Now it is consumption only. :(

I'm now paying quite a bit per month for a virtual freebsd jail to handle my needs. This is after 8 years online with residential broadband being an acceptable solution.

I wish I had enough people interested that I could just get a T1 drop as a business venture and write it off.

Re:I don't like that idea. (2, Informative)

bigberk (547360) | more than 10 years ago | (#7140612)

I have cable. I also run my own mail server. If that's implemented, then no mail server will receive my mail because my residential cable IP won't be allowed to send mail from my ISP's netblock

Not really. First, mail servers likely won't accept/reject mail solely on this criteria. This SPF compliance metric will just join many other anti-abuse metrics already employed.

Second, if you run your domain there is no problem to begin with. The receiving mail server will look up your personal domain name and probably find no SPF record to begin with. End of story.

The only problem might be if you want to use your mail server to send messages using your ISP's domain as the sender's field. Now that might indeed look like abuse. The solution would be to send mail carrying your ISP's domain name through your ISP's mail server.

Your server really *isn't* authorized, though. (3, Insightful)

Fiery (21015) | more than 10 years ago | (#7140650)

Purchasing service from a provider does not imply in any way that, as a customer, you have a right to represent that provider in any form. They're providing a service to you: connectivity.

One of the ways they do this is by providing inbound and outbound email services, through legitimate servers published through DNS. As a customer of the ISP, you're given rights to use those services, and they're responsible for ensuring your access to same -- that is, they're the responsible party for any given email address at their domain name(s).

You wish to configure your home mail server to appear as a legitimate server for outbound mail coming from another party's domain name(s); as a customer and not an administrator, I don't understand your presumption that you have a right to do so.

This is one of the key points of SPF that is going to start a lot of debate: if you purchase an email address from a provider other than yourself, you are not responsible for the outgoing mail servers for that address. Setting up and running your own mail server does not change this situation; there is no software you can run that will make your personal server the responsible party for someone else's domain name.

Since you're already running mail services, it's just a short step away to activate DNS services, available at no cost to you on virtually any platform that your own mail server will run on.

I currently host my domain with Domain Discover, at $35 a year; there's registration servers out there for as cheap as $7 a year. My $35/year domain is cheaper than a $5/month ($60/year) email account with a local Internet provider.

The primary purpose of SPF is to provide a positive authentication check for messages, to confirm that they have been sent through the outgoing mail server listed as a responsible party for the email address in question. It is inconceivable to me that any provider would bestow upon end-users the power to be a responsible party; partners, perhaps, but not individuals. While exceptions may occur, I don't feel that your situation should be one of them.

Re:I don't like that idea. (1)

WolfWithoutAClause (162946) | more than 10 years ago | (#7140711)

I suspect you would still be able to send email through the smtp server of your cable provider. That way your cable provider can put filters in to trap any customer's spam mail.

Re:I don't like that idea. (3, Interesting)

jhealy1024 (234388) | more than 10 years ago | (#7140727)

You're screwed already anyway....

Many large ISPs (such as AOL) have already started filtering mail based on the IP of the relaying server. So if your SMTP server talks directly to AOL, then AOL may reject your mail simply because you're *likely* to be a spammer relay (even though you're not).

Meanwhile, cable companies like Cox have already implemented a total blackhole on *outgoing* SMTP. Not only is this annoying for people who run servers, but it also sucks for those of us with POP/IMAP accounts... if I'm connected from home I have to set my outgoing SMTP to Cox, and when I come in to work I have to flip it back to my company's mail server. (I've since set up an automatic ssh tunnel to get around Cox, but the average joe has no hope of doing that for themselves.)

Either way, this new idea isn't going to make sending mail from your own domain any harder than the cable companies are going to make it anyway...

BAD Idea (3, Insightful)

thedillybar (677116) | more than 10 years ago | (#7140431)

This is a BAD idea. What happens when I have 3 different email accounts that I use for different things, and I want to send mail from each of them from my home ISP? Sure, each email provider can provide a secure SMTP for me to log into, but this sounds like a lot of work.

This is going to make a LOT of people's lives worse, and spammers will get around it anyway. After all...they can still send from another username@theirisp.com. The accounts they're sent from are garbage anyway, because many people notify the proper abuse@ based on the headers (as they should) and not the From address. Forging the from doesn't provide any cover for spammers anyway.

Re:BAD Idea (4, Insightful)

sgifford (9982) | more than 10 years ago | (#7140491)


Sure, each email provider can provide a secure SMTP for me to log into, but this sounds like a lot of work.

Running a mail server is a lot of work; providing SSL and SMTP AUTH isn't much more.

I'm not sure this would work very well, but having more ISPs support SSL and SMTP AUTH doesn't sound like a terrible thing even if it doesn't.

Re:BAD Idea (0)

Anonymous Coward | more than 10 years ago | (#7140629)

http://www.courier-mta.com made it very easy. With spamassassin, amavisd, maildrop, mysql, blah blah it makes a great virtual domain mail machine for customers. SMTP AUTH, SSL, integrated everything. even the local mail delivery agent queries mysql, (i want user unknowns ;) ).

Re:BAD Idea (3, Informative)

monsterlemon (713644) | more than 10 years ago | (#7140623)

> This is a BAD idea. What happens when I have 3
> different email accounts that I use for different
> things, and I want to send mail from each of them
> from my home ISP? Sure, each email provider can
> provide a secure SMTP for me to log into, but this
> sounds like a lot of work.

Actually it's a very good idea.

A lot of work? For the ISPs? Or for you?

Setting up an authenticated SMTP server is not hard, and the cost -- compared to the costs that ISPs are forced to incur to deliver spam, would be small.

For you? Just go into your Outlook (or whatever) preferences and edit the outgoing server. Big deal.

As for spammers getting round it, sure they can forge their mail as if it were from someone else at the same domain. But the admins of that domain will have their server logs and will know who to go after.

And the fact that the spammer will only be able to post from a domain he (any "she" spammers out there feeling hard done by, do speak up) controls will greatly reduce the number of bounces you and I get from spam that pretends to be from us.

So, overall, while SPF won't stop spam, it will help, and it will introduce a lot more accountability into the email process -- which can only be a good thing.

Re:BAD Idea (1)

thedillybar (677116) | more than 10 years ago | (#7140712)

I have to disagree.

>Setting up an authenticated SMTP server is not hard, and the cost -- compared to the costs that ISPs are forced to incur to deliver spam, would be small.

So ISPs will no longer have to deliver spam? Please. I doubt it will even make a dent in the number of unsolicited bulk messages.

>For you? Just go into your Outlook (or whatever) preferences and edit the outgoing server. Big deal.

What about for companies and schools that need to update 2,000 Outlooks? Sure they've got scripts to do it... but it's time and money. Not to mention more overhead every time an SMTP connection is made.

>As for spammers getting round it, sure they can forge their mail as if it were from someone else at the same domain. But the admins of that domain will have their server logs and will know who to go after.

This is just ridiculous. When I send mail to abuse@ they have logs and know who to go after too. How would they suddenly be able to identify spam themselves if it were authenticated? They would have nothing more than they do now. Tracing an IP/time to a username is a very minimal amount of time.

>And the fact that the spammer will only be able to post from a domain he (any "she" spammers out there feeling hard done by, do speak up) controls will greatly reduce the number of bounces you and I get from spam that pretends to be from us.

Assuming you're not on the one of many ISPs that is known for spammers (giving out trial accounts, etc). But okay, this probably helps MOST of us.

>So, overall, while SPF won't stop spam, it will help, and it will introduce a lot more accountability into the email process -- which can only be a good thing.

NO. SMTP servers now only allow IPs from within their controlled subnet to send messages. If the sysadmins OWN YOUR IP, then it makes NO difference whether or not they have your USERNAME, because they can look it up in NO TIME.

Another satisfied user of authenticated SMTP. (1)

Fiery (21015) | more than 10 years ago | (#7140692)

You need to be using authenticated SMTP, regardless of who's responsible.

If your provider is responsible for an email address, then they must provide you with a reasonable means of using their service to send mail, either by POP-validated SMTP or by authenticated SMTP.

If you're responsible for an email address, then you have no excuse whatsoever not to be using authenticated SMTP. Repair your outgoing mail server immediately.

But *everyone* would have to do it (3, Interesting)

doomdog (541990) | more than 10 years ago | (#7140432)

if you wanted this to succeed -- otherwise, you'd end up blocking mail from those domains that hadn't upgraded yet to the new technology... What are the chances of everyone upgrading at the same time? And how much mail would be lost during the transition?

Re:But *everyone* would have to do it (1)

Hamstaus (586402) | more than 10 years ago | (#7140494)

That's being kind of short-sighted. Obviously not everyone would upgrade at the same time. If a domain didn't have a published list, then you simply would not be able to verify the sending IP, and could not filter based on this. As domains upgraded their mail software over time, this would become more useful.

And if Hotmail did it... well, just think how much spam uses spoofed hotmail addresses. It's not a permanent solution, but it's a useful stop-gap. It would be easy to implement for mail administrators, and make life for spammers a little harder.

Re:But *everyone* would have to do it (1)

ComputerSlicer23 (516509) | more than 10 years ago | (#7140526)

There is a difference between "it's registered and no one is allowed to send" and "it's not registered at all" (I haven't read the article or the RFCs, this is just the Engineer in me thinking of the obvious solution). I would say that the default for a non-registered e-mail is to say: "E-mail can come from any IP in the world". Then people who get hit by nasty spoofing will look up how to deal with the problem, come across a site that references this RFC, and will register. Thus, I believe your concern can be mitigated.

However, I have two concerns, I can't obviously solve. First, how widely distributed is this, and how much load can it afford to take? Clearly somebody who has an interest in anti-spam utilities not working has taken to DDos'ing them off the net. I'd be concerned about this.

Second, how much "identity theft" will happen? It's relatively easy to steal a block of IP's or a domain name by faking headers/company stationary/company letter head. Actually authenticating the user is authorized to send from.

Ahhh, okay, I see, it's a DNS hack essentially. You set some txt into a DNS records.

I can see some issues with this. I send mail from all over the place, with my from address not from any given SMTP. I have from time to time been stuck on a college campus that won't allow me to send mail thru my SMTP host on the internet. However, it will let me send mail as them. However, I don't see how I can my foobar.com domain, so that it will allow mail to be sent from goofy_college.edu. It seems odd to me either way. Not sure if I like it or not. I wish it was "built from the ground up", not a hack onto a DNS server. It also means I have to VPN back to my home network to send mail, rather than use the handy SMTP, or run my own on my machine.

Kirby

Re:But *everyone* would have to do it (1)

Geek of Tech (678002) | more than 10 years ago | (#7140657)

> However, I have two concerns, I can't obviously solve. First, how widely distributed is this, and how much load can it afford to take? Clearly somebody who has an interest in anti-spam utilities not working has taken to DDos'ing them off the net. I'd be concerned about this.

Well, if I understood right, before the mail gets accepted, a query is run from the DNS server. I would assume that if they did DDoS a DNS server, no mail would go through. Kinda sure that would qualify as a felony. And then websites would start disappearing off the net.

> Second, how much "identity theft" will happen? It's relatively easy to steal a block of IP's or a domain name by faking headers/company stationary/company letter head. Actually authenticating the user is authorized to send from.

Stealing a block of IPs by forging documents should definitely count as a felony. Computer crime, forgery, theft. I really don't think that even spammers are that stupid. If they are, they won't be for long.

Re:But *everyone* would have to do it (1)

wayne (1579) | more than 10 years ago | (#7140703)

Read the website. Everyone will *not* have to do it. Only those domain owners that want to restrict who is allowed to send email using their domains will have to add SPF DNS entries. Only those people who want to obey the requests of domain owners will have to check the SPF DNS entries.

Maybe we really don't need anti-spam legislation (1)

TroyFoley (238708) | more than 10 years ago | (#7140440)

It's my understanding that when something is a hot-button issue with a lot of people, the lack of legislation against it leaves a gigantic door open for legislation propagating it.

anyone setting up a mail server would have to (0)

Anonymous Coward | more than 10 years ago | (#7140441)

register with this. Will become a pain in the neck.

Thumbs up (3, Insightful)

Hamstaus (586402) | more than 10 years ago | (#7140443)

That seems like a really good idea. If the major MTAs adopted this and made it a part of the configuration files, then new installations would be easily configurable.

If the big email services such as Hotmail and Yahoo adopted it, spammers would suddenly find that they have to spend more effort to send out spam by finding domains that didn't opt to use these rules. Even so, it would be a lot easier to filter a specific domain in China or Nigeria than worrying about every piece of mail from Hotmail.

The near perfect spam solution exists.... (2, Insightful)

dnotj (633262) | more than 10 years ago | (#7140446)

http://www.tmda.net/

Working wonders here.

Re:The near perfect spam solution exists.... (1)

gnarled (411192) | more than 10 years ago | (#7140604)

I don't know much about challenge/response type filtering, but I am curious. What happens when one person using challenge/response emails someone else using it? What about mailing lists you want to be on?

Re:The near perfect spam solution exists.... (1)

dnotj (633262) | more than 10 years ago | (#7140630)

Essentially, it is a whitelist. You can manually add entries (and wild cards). Or the challenge/ response allows the sender to add themselves to your whitelist. If a spammer actually replies, and gets on your white list, it's easy to move them to the blacklist. No troubles with mailing lists. (Even though I'm on very few).

Re:The near perfect spam solution exists.... (1)

shepd (155729) | more than 10 years ago | (#7140661)

>What happens when one person using challenge/response emails someone else using it?

If the sender's C/R system has any smarts, any _outgoing_ addresses are automatically whitelisted. Which means:

User #1: Mail sent to xyz@example.org. All incoming mail from xyz@example.org is now accepted.
User #2: Mail received for xyz@example.org -- Account unrecognized. C/R email sent.
User #3: C/R Mail from xyz@example.org accepted. User replies to this, and everything runs smoothly. :-)

HTH!

>What about mailing lists you want to be on?

Whitelist the mailing list domain before subscribing. Once you have started receiving the list, tighten it up on that domain to limit it to now-known mail addresses only.
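The whitelist-on-send behaviour described in this post, as an added example in Python. This is not TMDA's code and not code from any poster in the thread; the mailbox class, the `simulate` helper, the addresses and the tokens are all constructed for illustration. Two users each run challenge/response; `simulate(True)` shows the exchange completing when every address you write to is whitelisted automatically, and `simulate(False)` shows the two filters challenging each other's challenges forever when it is not.

```python
import secrets


class CRFilter:
    """One user's mailbox with a whitelist-based challenge/response front end."""

    def __init__(self, address, auto_whitelist_outgoing=True):
        self.address = address
        self.auto_whitelist_outgoing = auto_whitelist_outgoing
        self.whitelist = set()      # senders delivered without a challenge
        self.blacklist = set()      # senders silently dropped
        self.pending = {}           # challenge token -> message held until confirmed
        self.inbox = []
        self.outbox = []            # everything this mailbox emits, challenges included

    def send(self, to, subject, body="", confirm=None):
        """Send a normal message, or a confirmation reply when confirm is set."""
        if self.auto_whitelist_outgoing:
            self.whitelist.add(to)  # a reply to our own mail must never be challenged
        msg = {"from": self.address, "to": to, "subject": subject,
               "body": body, "confirm": confirm, "challenge": False}
        self.outbox.append(msg)
        return msg

    def _challenge(self, msg):
        token = secrets.token_hex(8)
        self.pending[token] = msg
        # Built by hand rather than via send(): challenging an unknown (and possibly
        # forged) sender must not whitelist that sender.
        self.outbox.append({"from": self.address, "to": msg["from"],
                            "subject": "Please confirm your message",
                            "body": "", "confirm": token, "challenge": True})

    def receive(self, msg):
        sender = msg["from"]
        if sender in self.blacklist:
            return "dropped"
        if sender in self.whitelist:
            self.inbox.append(msg)
            return "delivered"
        token = msg.get("confirm")
        if not msg.get("challenge") and token in self.pending:
            held = self.pending.pop(token)   # confirmed: release it, remember the sender
            self.whitelist.add(held["from"])
            self.inbox.append(held)
            return "delivered"
        self._challenge(msg)
        return "challenged"


def simulate(auto_whitelist_outgoing, max_rounds=6):
    """Alice mails Bob; both run C/R. Returns 'delivered' or 'stuck'."""
    alice = CRFilter("alice@example.org", auto_whitelist_outgoing)
    bob = CRFilter("bob@example.net", auto_whitelist_outgoing)
    users = {u.address: u for u in (alice, bob)}
    alice.send(bob.address, "Hello", "Lunch on Friday?")
    for _ in range(max_rounds):
        # Deliver everything queued, then let each human answer any challenge they can see.
        for u in users.values():
            while u.outbox:
                m = u.outbox.pop(0)
                users[m["to"]].receive(m)
        for u in users.values():
            for m in u.inbox:
                if m.get("challenge") and not m.get("answered"):
                    m["answered"] = True
                    u.send(m["from"], "Re: " + m["subject"], confirm=m["confirm"])
        if any(m["subject"] == "Hello" for m in bob.inbox):
            return "delivered"
    return "stuck"
```

Without auto-whitelisting, Bob's challenge reaches Alice as mail from an unknown sender, so her filter challenges the challenge, and the two systems ping-pong without either human ever seeing anything. Note also that the challenge goes to whatever address the held message claimed as its sender: if that address was forged, the challenge is backscatter to an uninvolved third party, which is the same forged-sender problem the SPF scheme in the story is aimed at.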

Re:The near perfect spam solution exists.... (1)

monsterlemon (713644) | more than 10 years ago | (#7140654)

Do behave. TMDA is a ridiculously bad idea.

I, and many others I know, will practically never bother to respond to TMDA challenges.

Oh, and in case you were wondering, many of the people I'm talking about are the kind who spend hours of their precious time helping people out and answering questions on mailing lists. When you spend half an hour trying to help someone out only to be presented with a TMDA challenge, the last thing you feel like doing is responding to it.

Unless you can configure TMDA (or whatever other dodgy challenge-response system you choose) so that it will always let responses to your outgoing messages in without challenging (and very few people seem to get this right), DON'T DO IT.

It's just rude.

Seriously, google around for a while and you'll see what I mean.

Dear Spammers, (1, Funny)

Letter (634816) | more than 10 years ago | (#7140449)

Dear Spammers,

I have SPF 45. Your UV rays stand no chance against me.

Sincerely,
Letter

There's another problem this could help with. (2, Interesting)

rock_climbing_guy (630276) | more than 10 years ago | (#7140451)

Although I would agree with the posters that this will not solve the problem of people who own a domain that they want spam sent from, let me point out something else.

Perhaps this could stop spammers from spoofing the addresses of other internet users. However, I don't know if this will stop spammers from using whatever return address they want to regardless of what domain they send their spam from. Would it?

Re:There's another problem this could help with. (4, Insightful)

PhoenixRising (36999) | more than 10 years ago | (#7140500)

Presumably, the body responsible for the domain would be responsible for authenticating users to ensure that they are not spoofing before it comes out of their domain. Unfortunately, this would lead to even more ISPs taking the AOL-esque tactic of stopping anyone from setting up a mail server, forcing all outbound mail to pass through the ISP's servers.

This would also cause serious problems for mobile users -- if I'm on the road, who knows what ISP I'll be connecting to. However, I probably want my From: address to stay the same no matter where I'm connected.

This solution doesn't seem likely to make a serious dent in the flow of spam, and would likely add unwanted restrictions to the actions of users. As such, it seems unwise.

Re:There's another problem this could help with. (2, Interesting)

bob_calder (673103) | more than 10 years ago | (#7140512)

Maybe. If I put your email address on my spam, it would come back as good if someone queried your mail server. Your mail server would have to keep track of what it sent in order to validate properly.

pink contracts (2, Insightful)

bob_calder (673103) | more than 10 years ago | (#7140453)

How can this help with so many pink contracts?
Look at Bellsouth and OptIn.com for heaven's sake!

Spammers... (0)

Anonymous Coward | more than 10 years ago | (#7140456)

...should have their lower horn removed.

I love America. (2, Insightful)

focitrixilous P (690813) | more than 10 years ago | (#7140459)

> am considering taking out a defensive patent on this architecture for exactly one reason: I don't want to get sued for infringing someone else's patent, bogus or not. Patent it, then declare it public domain, and we sidestep a quagmire of Intellectual Property issues. A patent will cost approx USD$10,000. If we can get ten major ISPs to contribute $1,000 each, we can jointly own the patent and guarantee there will be no legal liability. Contact me if you can help with this.
Only in America do you have to patent something to put it into the public domain. Shouldn't that be free?

Re:I love America. (1)

Kevinv (21462) | more than 10 years ago | (#7140557)

Once a patent is taken out, the patent is good for 20 years. Period. The patent owner can state licenses will be available for no cost/no royalties, but that won't put it in the public domain. Once the time limit expires the patent will be in the public domain.

The public domain means NO PROPERTY RIGHTS AT ALL exist. No copyright, no patent, no trade secret.

Re:I love America. (0)

Anonymous Coward | more than 10 years ago | (#7140649)

That doesn't sound right. If "public domain" meant "no patent", then they'd save $10,000 by making it public domain without patenting it.

To be truly liberated, an idea should be public domain and patented as well.

Relay host spoofing (1)

lkaos (187507) | more than 10 years ago | (#7140472)

All one needs to do to defeat these schemes is set up a relay host that spoofs the originating exchange.

SMTP is inherently untrusted. You could simply claim that you don't accept relayed mail but wth, why even bother using SMTP anymore if you do that..

not the perfect solution (2, Insightful)

dhuv (241988) | more than 10 years ago | (#7140474)

The problem with this is the following: most users are told to use their ISP as the relay for outgoing mail. This would mean that if the user travels somewhere else where their relaying server is not in the list of IPs, their email would be marked as spam and be trashed.

A solution like this would be all or none: either everyone uses it and follows those rules, or no one will use it.

Besides, you now have to get all the people who own domains to get a list of IPs together, not the most trivial thing for non-technical people.

No good. (1)

Pig Hogger (10379) | more than 10 years ago | (#7140476)

I have my own domain, and I send mail "from" it through my ISP's SMTP server which isn't remotely connected with my incoming server.

So, that thing isn't gonna work for me.

Re:No good. (2, Informative)

chromatic (9471) | more than 10 years ago | (#7140570)

Add a TXT record in your domain's DNS saying that senders are permitted from your ISP's SMTP server. See Setting up SPF [pobox.com] .
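A minimal SPF evaluator, added here as an example; it is not code from the SPF project or from any poster in the thread. It covers the summary's description of domain owners publishing the IP addresses allowed to send for their domain, and the advice just above to put your ISP's SMTP server in your own domain's TXT record. The record syntax is the `v=spf1` form the draft under discussion grew into (later RFC 4408/7208), which is an assumption about the draft's final shape; the zone data is a constructed dictionary using reserved example names, so nothing resolves on the real Internet, and `smtp_verdict` is one hypothetical way a receiving MTA might act on the result.

```python
import ipaddress
import re

# Constructed zone data standing in for live DNS so the example runs offline.
# TXT holds the SPF policy; A and MX records back the "a" and "mx" mechanisms.
FAKE_DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 a mx -all"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},
    # A personal domain whose only outbound path is the ISP's SMTP server
    # (the "I send mail from my domain through my ISP's server" case).
    "home.example.net": {"TXT": ["v=spf1 ip4:203.0.113.5 ~all"]},
    # A domain that defers to another domain's policy.
    "partner.example.org": {"TXT": ["v=spf1 include:example.com -all"]},
    # A domain that publishes nothing: the check yields "none" and says nothing either way.
    "nospf.example": {},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?")


def lookup(name, rtype):
    return FAKE_DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """The domain's v=spf1 TXT record, or None if it publishes none."""
    recs = [t for t in lookup(domain, "TXT") if t.split()[0].lower() == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, network):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for mail arriving from ip.

    Returns pass / fail / softfail / neutral / none / permerror, the result
    names the later SPF RFCs settled on."""
    if depth > 10:                      # bound include: recursion
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:     # skip the v=spf1 tag
        m = TERM.fullmatch(term)
        if not m:
            return "permerror"
        qual, mech, arg, cidr = m.groups()
        if mech in ("ip4", "include") and not arg:
            return "permerror"
        result = QUALIFIERS[qual or "+"]
        target = arg or domain
        prefix = cidr or "32"
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(ip, f"{arg}/{prefix}")
        elif mech == "a":
            matched = any(ip_in(ip, f"{a}/{prefix}") for a in lookup(target, "A"))
        elif mech == "mx":
            matched = any(ip_in(ip, f"{a}/{prefix}")
                          for host in lookup(target, "MX") for a in lookup(host, "A"))
        elif mech == "include":
            sub = check_host(ip, target, depth + 1)
            if sub == "none":           # including a domain with no policy is an error
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return result
    return "neutral"                    # ran off the end of the record


def smtp_verdict(ip, mail_from_domain):
    """One way a receiving MTA might act on SPF as a single signal among others:
    only a hard fail is rejected outright; everything else is accepted and the
    result recorded for the content filters downstream."""
    result = check_host(ip, mail_from_domain)
    if result == "fail":
        return "reject", result
    if result == "pass":
        return "accept", result
    return "accept-and-tag", result
```

Two caveats a deployer should keep in mind: the domain checked is the one in the SMTP envelope sender (MAIL FROM) and the HELO name, not the From: header the user reads, so a pass only says this host is listed for that envelope domain; and a domain with no record yields "none", which is why unregistered domains are neither helped nor hurt until their owners publish something.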

Re:No good. (1)

tsg (262138) | more than 10 years ago | (#7140644)

RTFA [pobox.com]

legislation is not the answer (0)

Anonymous Coward | more than 10 years ago | (#7140480)

In the Information Age that is.

The major concern of the legislators is that spamming will somehow contribute to the downfall of our f*&*ing civilization - that insists on polluting and clawing our way to the top no matter what the cost - and the loss of their control on power (you know, THE MAN.)

For some reason the technologists out there seem to think of these things a little too late.. this is an absolute natural.

My website blocks all but a certain few blocks of IPs: those of my friends, family and colleagues that I know will be hitting the site on a regular basis. I just completed a system whereby it e-mails me the information of an IP address that attempts to access the site that is not on the list (auto whois (multi-layered), portscan, etc.) so that I have two emails: one from my buddy vacationing in Taiwan, and one from my system telling me I blocked his access from a computer owned by a Taiwanese internet cafe.

I hate spam. This solution is much better than 'only allowing email from people on your contact list' such as my Microsoft Hotmail account allows.. a discussion for another day.

Where do I get the source?

|-|

Won't work. (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7140499)

Like all the other final ultimate spam solutions, this one is broken. The designers assume that spammers will not have domains of their own - as we've observed, spammers have many domains, and $6.95 will hardly break them. They can register thousands of domains, set up perfectly legitimate SPF records on them, and forge mail from those domains. This scheme would slow spam down for about a week, after which spammers would all be using throwaway domains.

That's what the patent is for... (1, Offtopic)

herrvinny (698679) | more than 10 years ago | (#7140666)

Get the patent, then start licensing it. Get a lawyer to write up a contract that says if you use this system, you agree not to send more than x amount of emails, not spam, etc. Require everyone who uses the scheme to sign it (PGP/GPG) and then when spammers sign the contract and spam anyway:

PROFIT!!!

Re:That's what the patent is for... (1)

herrvinny (698679) | more than 10 years ago | (#7140689)

I forgot to say, you can recoup the $10,000 fairly quickly too. How much is the typical patent infringement verdict?

A better idea... (0)

Anonymous Coward | more than 10 years ago | (#7140503)

The answer is getting rid of the evil smtp protocol altogether and rethinking email.

Not effective (-1, Troll)

merlin_jim (302773) | more than 10 years ago | (#7140507)

This won't prevent spam at all...

It'll just force all spam to be joe jobs [everything2.com] .

Read the link. This is not an improvement. For the poor victim of a joe job becomes a casualty in the war on spam...

Re:Not effective (1)

chromatic (9471) | more than 10 years ago | (#7140581)

How will making it easier to detect and to reject spoofed e-mail force more spoofing?

Re:Not effective (0)

wayne (1579) | more than 10 years ago | (#7140594)

It'll just force all spam to be joe jobs.

This is incorrect. RTFA. SPF, and other designated sender systems, are all about preventing joe-jobs and forging of the mail-from addresses. (And no, not all forged mail-froms are joe-jobs; they are not the same thing.)

Re:Not effective (1)

hab136 (30884) | more than 10 years ago | (#7140606)

This won't prevent spam at all...

It'll just force all spam to be joe jobs.

You have it exactly backwards.. this will *prevent* all joe jobs. You have SPF records for your domain, then anyone who sends mail as your domain will be rejected, because it's not coming from your SPF-listed servers. It doesn't prevent non-spoofed-domain spam, true. But it's a step in the right direction.

Re:Not effective (1, Informative)

merlin_jim (302773) | more than 10 years ago | (#7140637)

Retraction: I did not RTFA...

I was completely wrong :(

hmm (2, Interesting)

slobarnuts (666254) | more than 10 years ago | (#7140514)

I don't know whether the registry part would be such a good idea. Say your company is dealing with hardcore negotiation by email, and that company has not registered on this list: no email gets through.

I did not read anywhere that it would be free either.

Sorry to plug my own warez but we are working on a totally Distributed RBL [spammerhunters.com] (GPL'ed of course) but we need help with coding.

FALSE (0)

Anonymous Coward | more than 10 years ago | (#7140652)

There is no central registry. Each domain's own DNS servers detail which servers are allowed to send mail on the domain's behalf.

Fully distributed, fully *free*.

way too complicated... (3, Insightful)

3Suns (250606) | more than 10 years ago | (#7140517)

This seems WAY too complicated as an answer to a problem that's solved much better by PGP/GPG... Wouldn't it be smarter to get encryption and signing, a proven and implemented technology, merged into more email clients instead?

Re:way too complicated... (1)

e9th (652576) | more than 10 years ago | (#7140576)

But don't we then need a signing authority somewhere? Spammers can have keysigning parties, too.

Re:way too complicated... (2, Informative)

wayne (1579) | more than 10 years ago | (#7140640)

The SPF system is far less complicated than GPG in almost every way.

That being said, the SPF system is not intended to be the only tool that will help create a more trustworthy mail system. I haven't heard anyone involved in the SPF system argue against using all appropriate tools.

There is also the point that SPF is designed to help determine if someone is authorized to use a domain name, while GPG is designed to authenticate who is sending the email. These are different problems, so SPF and GPG complement each other.

Re:way too complicated... (1)

tsg (262138) | more than 10 years ago | (#7140655)

I'm having a hard time thinking of a system where PGP is the simpler solution.

How Much? (0)

tsanth (619234) | more than 10 years ago | (#7140518)

It's no silver bullet, but how much spam can we eliminate by preventing forged mail from spoofed domains?

Probably not much; spammers would likely just find/use throwaway accounts with providers who don't mind the spam. Then again, that may make filtering out spammers easier, but as has been mentioned, everyone will have to implement it.

I'm waiting for that pending RFC.

Better patent it quickly... (1, Troll)

herrvinny (698679) | more than 10 years ago | (#7140534)

Better patent it quickly, before a spammer sees this and sends the paperwork in. The braindead US patent office will grant it, and then how will anyone be able to prove the patent wasn't the spammer's idea?

RMX? (3, Insightful)

Goonie (8651) | more than 10 years ago | (#7140536)

Isn't this just like RMX [ietf.org] ?

If not, what are the key differences?

Re:RMX? (2, Informative)

marnanel (98063) | more than 10 years ago | (#7140625)

Section 6.1 of their RFC [pobox.com] covers this.

Briefly:

RMX allows the recipient to look up information using a greater range of possible keys than just the sending IP address;

SPF reuses a pre-existing part of the DNS (TXT records) rather than adding a new RR type as RMX does;

the design of SPF lets the spoofed domain's admins know who's spoofing their address (because the spoofer's IP address is part of the lookup).

Re:RMX? (4, Interesting)

wayne (1579) | more than 10 years ago | (#7140677)

I have looked at quite a few of the various "designated sender" systems, and I think that the SPF system is by far the best thought out system. There is a reasonably good comparison of SPF vs RMX vs DMP [pobox.com] available on the SPF website.

Basically, RMX has two critical flaws. First, it requires a new DNS resource record type, which is going to require everyone to upgrade their name servers if they want to use it. Secondly, there is a limit to how many resource records can be sent in a UDP packet and many important ISPs such as AOL, MSN, Yahoo, etc., have far too many. If I recall correctly, there are several thousand(!) IP addresses that Yahoo will send email from.
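The size constraint wayne raises above, worked through as an added example (Python, not the SPF project's own code, and written against the later "v=spf1" record syntax rather than the 2003 draft's reverse-IP TXT names; the address lists are constructed): it collapses a long list of sending addresses into CIDR blocks, splits the record into the 255-octet strings a TXT record is made of, estimates whether the answer still fits a classic 512-octet UDP response, and counts the terms that cost the receiver a DNS lookup (the cap of 10 is the later RFC 7208 limit, assumed here).

```python
"""Build a v=spf1 TXT record from a large list of sending addresses.

Added example, not the SPF project's code. Uses the later "v=spf1"
syntax (RFC 7208), not the 2003 draft's reverse-IP names. All address
lists and domain names below are constructed.
"""
import ipaddress

TXT_STRING_MAX = 255      # RFC 1035 <character-string> limit
UDP_PAYLOAD_MAX = 512     # classic DNS/UDP message limit without EDNS0
DNS_LIMITED_TERMS = ("include", "a", "mx", "ptr", "exists")
MAX_DNS_TERMS = 10        # RFC 7208 lookup limit (assumption: later spec)


def summarize(addresses):
    """Collapse hosts/prefixes into the smallest covering set of CIDR blocks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def build_record(addresses, includes=(), default="-all"):
    """Emit one v=spf1 record: ip4/ip6 terms, include: terms, then the default."""
    terms = ["v=spf1"]
    for net in summarize(addresses):
        tag = "ip4" if net.version == 4 else "ip6"
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"{tag}:{net.network_address}")   # single host, no /32
        else:
            terms.append(f"{tag}:{net.with_prefixlen}")
    terms.extend(f"include:{d}" for d in includes)
    terms.append(default)
    return " ".join(terms)


def split_txt(record):
    """TXT RDATA is a sequence of <len><bytes> strings of at most 255 octets;
    resolvers concatenate them back into one record."""
    return [record[i:i + TXT_STRING_MAX]
            for i in range(0, len(record), TXT_STRING_MAX)]


def dns_terms(record):
    """Count terms that each cost the receiver a DNS query."""
    count = 0
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if mech in DNS_LIMITED_TERMS or term.lower().startswith("redirect="):
            count += 1
    return count


def estimate_answer_size(domain, record):
    """Rough octet count of a UDP response carrying one TXT RR, no EDNS,
    no authority/additional records."""
    qname = sum(len(label) + 1 for label in domain.strip(".").split(".")) + 1
    question = qname + 4                               # + QTYPE, QCLASS
    rdata = len(record) + len(split_txt(record))       # one length octet per string
    answer = 2 + 10 + rdata                            # name pointer + TYPE/CLASS/TTL/RDLENGTH
    return 12 + question + answer                      # 12-octet header


def fits_udp(domain, record):
    return estimate_answer_size(domain, record) <= UDP_PAYLOAD_MAX


if __name__ == "__main__":
    # Constructed: 128 scattered hosts that do not collapse into one block.
    scattered = [f"203.0.113.{i}" for i in range(0, 256, 2)]
    big = build_record(scattered)
    print(len(big), "chars,", len(split_txt(big)), "TXT strings,",
          "fits UDP:", fits_udp("example.org", big))
    small = build_record(["192.0.2.0/24"], includes=["isp.example"])
    print(small, "| lookups:", dns_terms(small), "of", MAX_DNS_TERMS)
```

Running it shows why large senders end up publishing include: chains (or relying on EDNS0) rather than thousands of ip4: terms, and why every include: then has to be counted against the lookup limit on the receiving side.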

Isn't this what MX is for? (1)

forevermore (582201) | more than 10 years ago | (#7140561)

I mean, how hard would it be to just check to see if an ip is listed as a valid MX record for a particular domain? For the hobbyists, it's easy enough to add an mx record for your home mail server, and for the big companies, they wouldn't exactly be changing their mail servers very often.

The only thing we're not doing now is forcing that mx is the "only" server, just that it's the incoming server.

Making things worse (1)

jmv (93421) | more than 10 years ago | (#7140563)

This will only make e-mail in general worse. First, I'm pretty sure spammers will find a way around it, so it'll probably end up useless before it's even widely implemented. The worst however, is that it prevents important legitimate use of e-mail: always sending e-mail with the same "From:" field regardless of where you are. A couple more "great ideas" like that and e-mail will end up being useless because everything will be restricted for spam reasons.

*sigh* people with good intentions... (1)

Quintar (31018) | more than 10 years ago | (#7140577)

but only a loosely working knowledge of the systems they're hoping to use to implement things...

"_" isn't a valid character to use in DNS.. sure many nameservers support it, but it's an RFC violation.

Wildcard DNS records aren't supported by all nameservers either....

Nice idea... when it first popped up with the DUL lists.. this is barely an expansion on that RBL-style list. Guess it's time to patent this now!

Re:*sigh* people with good intentions... (1)

dmadole (528015) | more than 10 years ago | (#7140660)

Actually "_" is legal in DNS and always has been.

It used to be, though, that "_" was not legal in hostnames. Since these are not hostnames that are being put into DNS, this is a valid usage.

However, it's still a bad idea as some name resolver libraries and other software do assume, through misunderstanding, that "_" is not legal in DNS and fail responses that contain it.

The fault here is with the resolvers, not this scheme, but since the underscores don't add value here, why not make things more compatible with existing broken implementations and just not use underscores?

Myself, I am not wild about the loose use of the TXT resource record type.

my idea is still better (1)

mOoZik (698544) | more than 10 years ago | (#7140582)

Simply, a federal law should be passed to disallow businesses from purchasing unsolicited email advertisement, which is the big chunk. You would still be allowed to send mail to previous customers, a la what Amazon does to make you aware of new products or services, but not to unknown parties. Those who break the law would be fined. Plain, simple.

WAR on SPAM?? (0)

Anonymous Coward | more than 10 years ago | (#7140583)

get over bush's propaganda, you morons!

Nice, but hope it's dynamic-IP friendly (1)

bigberk (547360) | more than 10 years ago | (#7140585)

I remember reading about this system "back in the day" when it was just a gleam in some nerd's eye. It is a good idea, from the perspective of protecting YOUR OWN domain from being abused. Doesn't mean you still won't get spam that abuses other domains that don't use this technology.

As someone who hosts my sites from a dynamic IP address, I certainly hope this system can be dynamic-IP friendly... I would like to protect my own little domain as much as I can.

Wait, you can spoof 'from' headers?? (1)

r_glen (679664) | more than 10 years ago | (#7140598)

So that note to re-enter my credit card number WASN'T from ebay?
Oh, shi...

Bad Idea (1)

OverlordQ (264228) | more than 10 years ago | (#7140600)

Hate to see what Hotmail's DNS will look like with a few million entries like 1.7.168.192.in-addr._smtp_client.hotmail.com. TXT "spf=allow" in it . . .

A Problem? (1)

matth (22742) | more than 10 years ago | (#7140601)

One problem I see is one that I would run into. I have a domain somethingblah.com I use my ISP's mail server to send mail out, but I send it out from myself@somethingblah.com. This would result in all this e-mail being rejected... yes?

I-D appears expired Expired (1)

daveb (4522) | more than 10 years ago | (#7140605)

The Internet Draft mentioned on their site [pobox.com] appears to be expired. I cannot find any reference to it on the IETF I-D site [ietf.org]. If anyone spots it then please post a URL. And as a real nit-pick ... I-Ds are not "draft RFCs", they are internet-drafts [ietf.org].

This type of approach doesn't sound totally rubbish - but I'd be happier if ISPs would ALL implement anti-spoofing filters on their routers as in RFC2827 [rfc-editor.org].

Re:I-D appears expired Expired (2, Insightful)

monsterlemon (713644) | more than 10 years ago | (#7140732)

Don't worry, it's still being actively worked on. In fact I believe there is work going on with the IETF's ASRG (Anti-Spam Research Group) to integrate some of the various proposals (SPF, DMP, RMX, whatever) together.

Hummmm (0)

Anonymous Coward | more than 10 years ago | (#7140614)

The SPF RFC includes an extension to RFC2822 reserving the Received-SPF header.

I propose an extension to RFC2822 which reserves the Evil-Bit-Set header . . . . it'll solve the problem in a lot easier way.

ActivatorMail.com (1)

mcbridematt (544099) | more than 10 years ago | (#7140634)

For anything that I can't trust I simply use my @activatormail.com. The free version allows 50 messages or 1 Meg, whichever comes first.

ActivatorMail [activatormail.com]

SPF doesn't really do anything (1)

xoxer (713650) | more than 10 years ago | (#7140648)

Congratulations, you've just broken SMTP! As with the recent Verisign debacle, it's becoming quite clear that people who don't know much about the internet are trying to fix it. There are a number of problems with the proposed "solution". The most obvious being that it has holes big enough to drive a truck through. Take for instance the following from RFC 821:

One way to prevent loops in error reporting is to specify a null reverse-path in the MAIL command of a notification message. When such a message is relayed it is permissible to leave the reverse-path null. A MAIL command with a null reverse-path appears as follows: MAIL FROM:<>

So now I (Joe Spammer) connect to your SMTP server and deliver you some SPAM dressed up as a helpful undeliverable notification (i.e. a bounce). Good luck trying to look up my domain's SPF record. So you now have the choice: (a) block bounce messages (your users will really appreciate that) (b) block my IP (I'll get another one) (c) accept the message and let the end user's filters deal with it. I'm not sure that the SPF scheme does much given the constraints of life on the real internet.
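How a receiving MTA actually applies the record, as an added example that is not part of the original thread or the SPF project's code: it evaluates a v=spf1 record (the later RFC 7208 syntax, not the 2003 draft's reverse-IP TXT names) for the connecting IP against a constructed in-memory DNS. It covers hab136's point that mail for a domain arriving from an unlisted host is rejected, Pig Hogger's "my own domain through my ISP's server" case via include:, and xoxer's null reverse-path bounce, which RFC 7208 resolves by checking postmaster@<HELO domain> instead of giving up. A spammer's own throwaway domain publishing +all still passes, as the "Won't work" post says. Only the all/ip4/ip6/a/mx/include mechanisms are implemented, modifiers are skipped, and all names and addresses are made up.

```python
"""Evaluate a v=spf1 record for a connecting IP against an in-memory "DNS".

Added example, not the SPF project's code. Uses the later "v=spf1"
syntax (RFC 7208) rather than the 2003 draft's reverse-IP TXT names,
handles only all/ip4/ip6/a/mx/include, skips modifiers, and for a null
reverse-path (MAIL FROM:<>) checks postmaster@<HELO> as RFC 7208 does.
All DNS data below is constructed.
"""
import ipaddress

# Constructed stand-in for DNS: name -> record type -> values.
FAKE_DNS = {
    "example.org": {
        "TXT": ["v=spf1 mx ip4:192.0.2.0/24 include:isp.example -all"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.25"]},
    "isp.example": {"TXT": ["v=spf1 ip4:203.0.113.0/26 ~all"]},
    "throwaway.example": {"TXT": ["v=spf1 +all"]},   # spammer-owned domain
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 processing limit (assumption: later spec)
RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns_lookup(name, rtype):
    return FAKE_DNS.get(name.lower().rstrip("."), {}).get(rtype, [])


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent/ambiguous."""
    recs = [r for r in dns_lookup(domain, "TXT")
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, lookups=None):
    """Walk the record left to right; the first matching mechanism decides."""
    lookups = [0] if lookups is None else lookups
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:                 # modifier (redirect=, exp=): not handled here
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            lookups[0] += 1
            matched = str(addr) in dns_lookup(arg or domain, "A")
        elif mech == "mx":
            lookups[0] += 1
            matched = any(str(addr) in dns_lookup(mx, "A")
                          for mx in dns_lookup(arg or domain, "MX"))
        elif mech == "include":
            lookups[0] += 1
            sub = check_host(ip, arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"     # only an included "pass" matches
        else:
            return "permerror"          # ptr/exists/unknown: unsupported here
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return RESULT_FOR[qualifier]
    return "neutral"                    # fell off the end without a match


def spf_domain(mail_from, helo):
    """Identity to check: MAIL FROM's domain, or postmaster@HELO for a bounce."""
    if mail_from in ("", "<>"):
        mail_from = "postmaster@" + helo
    return mail_from.rpartition("@")[2]


def check_mail(ip, mail_from, helo):
    return check_host(ip, spf_domain(mail_from, helo))


if __name__ == "__main__":
    for ip, mf, helo in [("198.51.100.25", "alice@example.org", "mail.example.org"),
                         ("203.0.113.10", "alice@example.org", "smtp.isp.example"),
                         ("203.0.113.200", "<>", "example.org")]:
        print(f"{ip:15} {mf or '<>':20} helo={helo:18} -> {check_mail(ip, mf, helo)}")
```

The include: handling is the part people get wrong: an included record's softfail or fail does not match, only a pass does, so example.org's own -all still applies to mail arriving from the ISP's range outside the included prefix. The bounce case shows the receiver is not stuck: with an empty reverse-path it falls back to the HELO domain, so a spammer has to present a HELO name whose record lists his IP.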

putting an end to fraudulent spam (0)

Anonymous Coward | more than 10 years ago | (#7140663)

implement DNSSEC extentions and this new method, and I think we got a good deal going on.

Not realistic, and not a complete solution. (4, Insightful)

Elias Israel (182882) | more than 10 years ago | (#7140672)

Yes, having information on which SMTP servers are the expected and typical mail "emitters" for a given domain would help reduce (not eliminate) spam.

But the number of cases where users "forge" their from lines for perfectly innocent reasons is huge. Everyone here can probably think of a few cases. Here's one to get you started: "I'm working from home today but I don't want replies to my business email sent to my home account."

Of course, they've covered that in their FAQ. Their answer boils down to: "Tough noogies. You have to suffer the inconvenience and change your behavior because I don't want to suffer the inconvenience of spam."

This, alas, is typical of the disdainful, anti-user mentality that one finds in too many anti-spam efforts.

Here's a clue: want an anti-spam solution to work? Then start from the idea that it needs to make the life of the end user easier, not harder.

Of course, I'm biased. See my sig.

Mail Relays (1)

oolon (43347) | more than 10 years ago | (#7140686)

This still has the problem with mail relays and hosts not visible on the internet; just listing the IP address of good hosts isn't really good enough, IPs can be spoofed too. Servers need their own public/private key; every message they send on behalf of a domain is then signed with that key. Relays don't touch the signing, but can still transfer the message; at the other end the signature is checked against the valid keys for that domain (which could be stored in the DNS or some other method). If the message is tampered with the signature will not match the body of the message. If your server gets its key stolen, you can just generate another one. The main problem is, lots of people produce mail server software, and getting them all on board is a problem, which is why people suggest lame ideas like using just the IP. Spam will only be defeated when we "replace" SMTP. I say replace, because an improved SMTP could use many of the features, but if it supports a legacy SMTP server that one could be used to abuse the whole system.

James

Get DSPAM (0)

Anonymous Coward | more than 10 years ago | (#7140693)

From www.nuclearelephant.com/projects/dspam

Of course, it requires a tiny amount of effort on the user's part, so maybe it's not a universal solution in our world of the congenitally, terminally lazy and complacent. But for those who can be bothered to use it, DSPAM more or less permanently ends the spam problem.

*sigh* (2, Insightful)

werdna (39029) | more than 10 years ago | (#7140694)

Yes, this measure, by itself, will not remove all spam from the face of the Earth.

Yes, this measure will operate to make e-mail somewhat less convenient and require authenticated SMTP servers and the like.

But YES, spam is awful and a serious problem, and if we wait for the silver bullet, we will accomplish nothing ever at all.

We need to take steps, a few at a time, that will help, a bit. Steps, a few at a time, that will help a bit, even if it means some inconvenience.

Eventually, the problem will be better.

Eventually, the problem will be much better.

And maybe, the dollars will start moving to other ways to annoy us.

Web Hosting Companies, Cable, DSL servers... (1)

nuintari (47926) | more than 10 years ago | (#7140707)

What about all the web hosting companies that suggest you use your isp's outgoing mail server for all your sending mail needs, even for accounts they provide? And what of the people who do their mail off of a dynamically allocated IP, such as from a DSL or Cable line.

This assumes that all mail from a domain comes and goes from a central point of authority, but because of smtp's untrusted nature by design, people don't need to operate along those principles.

The one way for this to work is for all of those DSL and cable modem mail servers to go away, and all POP3 accounts also have to provide their users with the ability to send mail from the same server, or a server with the same authority in command. But if that were the case, it would probably be because SMTP was designed with trust in mind. Since it wasn't, this cannot work without fubar'ing a whole hell of a lot.

Not worth it. Just replace SMTP; it needed to be done years ago, so about a decade from now.... maybe.
