----- Original Message -----
From: "John P Baker" <jbaker314(_at_)earthlink(_dot_)net>
To: "IETF-SMTP" <ietf-smtp(_at_)imc(_dot_)org>
Sent: Saturday, April 16, 2005 9:51 PM
Subject: Anti-Spoofing Technology
Is there any extension to the SMTP protocol which, for a client connection
to an SMTP server, would require that all messages originating from that
client specify a return address known by the server to be associated with
that client?
John P Baker
Software Engineer
I hope this doesn't spark a useless debate.
First, there is no official SMTP "extension." There are some proposals in
place.
Lets talk about is available today. Currently, there are several methods in
place by a growing number of systems that "attempts" to validate the return
address.
1) SPF
2) Call Back Verification (CBV)
3) Challenge/Response (C/R) System
SPF
SPF attempts to authenticate the sender domain against a DNS policy defined
by the domain exposing the authorize client machine IP addressses allowed to
send mail on behalf of the domain. see http://spf.pobox.com
This is done by a domain by adding a TXT DNS record defining the IP
addresses allowed to send mail for the domain. Example:
NSLOOKUP -query=txt aol.com
The SMTP server will do an SPF lookup for aol.com, and check the connection
IP address against the exposed SPF policy defined by aol.com.
CBV
This is a small background SMTP process to verify the return path at the
moment MAIL FROM is issued to call back and check the remote RCPT TO
response.
Example:
HELO blah.com
250 cool!
MAIL FROM: foobar(_at_)foobar(_dot_)com
[ perform callback ]
550 Sorry, foobar(_at_)foobar(_dot_)com not valid!
C/R:
C/R will accept and hold the message. It then sends a "challenge message" to
the return path. It will wait for a "Response" and use this to "authorize"
the held message to finally deliver it.
We use SPF and CBV on our SMTP product.
----
Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats (WcSAP Anti-Spam Stats)