
Re: Anti-Spoofing Technology

2005-04-16 20:45:08

----- Original Message -----
From: "John P Baker" <jbaker314(_at_)earthlink(_dot_)net>
To: "IETF-SMTP" <ietf-smtp(_at_)imc(_dot_)org>
Sent: Saturday, April 16, 2005 9:51 PM
Subject: Anti-Spoofing Technology

Is there any extension to the SMTP protocol which, for a client connection
to an SMTP server, would require that all messages originating from that
client specify a return address known by the server to be associated with
that client?

John P Baker

Software Engineer

I hope this doesn't spark a useless debate.

First, there is no official SMTP "extension."  There are some proposals in

Let's talk about what is available today.  Currently, there are several methods in
place by a growing number of systems that "attempt" to validate the return

1) SPF
2) Call Back Verification (CBV)
3) Challenge/Response (C/R) System


SPF attempts to authenticate the sender domain against a DNS policy defined
by the domain exposing the authorized client machine IP addresses allowed to
send mail on behalf of the domain.   see

This is done by a domain by adding a TXT DNS record defining the IP
addresses allowed to send mail for the domain.  Example:

    NSLOOKUP -query=txt

The SMTP server will do an SPF lookup for, and check the connection
IP address against the exposed SPF policy defined by


This is a small background SMTP process to verify the return path at the
moment MAIL FROM is issued to call back and check the remote RCPT TO

    250 cool!
    MAIL FROM:  foobar(_at_)foobar(_dot_)com
    [  perform callback ]
    550 Sorry, foobar(_at_)foobar(_dot_)com not valid!


C/R will accept and hold the message. It then sends a "challenge message" to
the return path. It will wait for a "Response" and use this to "authorize"
the held message to finally deliver it.

We use SPF and CBV on our SMTP product.

Hector Santos, CTO
Santronics Software, Inc. (Wildcat! Sender Authentication Protocol)  (WcSAP Anti-Spam Stats)
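
The SPF check described in the message above, sketched as an added example; it is not part of the original post and not the author's product code. It evaluates only the `ip4`, `ip6` and `all` mechanisms against the connecting IP address, and the names `SAMPLE_TXT`, `evaluate_spf` and `check_mail_from` and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (documentation
# domains and address ranges; not taken from the original message).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["some unrelated txt record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record, left to right."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect= and similar need DNS; out of scope here.
        raise ValueError("term not handled in this sketch: " + term)
    return "neutral"  # nothing matched and the record has no "all" term


def check_mail_from(client_ip, mail_from, txt=SAMPLE_TXT):
    """Return the SPF result for the domain of the MAIL FROM return path."""
    domain = mail_from.rsplit("@", 1)[-1].strip("<> ").lower()
    records = [r for r in txt.get(domain, [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"       # the domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    return evaluate_spf(records[0], client_ip)
```

A receiving server would run this check when MAIL FROM is issued and can refuse the transaction on a "fail" result; a "none" result means the domain has published no policy, so SPF alone says nothing about the return address.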
