ietf-smtp

Re: Anti-Spoofing Technology

2005-04-16 20:45:08


----- Original Message -----
From: "John P Baker" <jbaker314(_at_)earthlink(_dot_)net>
To: "IETF-SMTP" <ietf-smtp(_at_)imc(_dot_)org>
Sent: Saturday, April 16, 2005 9:51 PM
Subject: Anti-Spoofing Technology


Is there any extension to the SMTP protocol which, for a client connection
to an SMTP server, would require that all messages originating from that
client specify a return address known by the server to be associated with
that client?

John P Baker

Software Engineer

I hope this doesn't spark a useless debate.

First, there is no official SMTP "extension."  There are some proposals in
place.

Let's talk about what is available today.  Currently, there are several
methods in place by a growing number of systems that "attempt" to validate
the return address.


1) SPF
2) Call Back Verification (CBV)
3) Challenge/Response (C/R) System

SPF

SPF attempts to authenticate the sender domain against a DNS policy defined
by the domain, exposing the authorized client machine IP addresses allowed to
send mail on behalf of the domain.  See http://spf.pobox.com

A domain does this by adding a TXT DNS record defining the IP
addresses allowed to send mail for the domain.  Example:

    NSLOOKUP -query=txt aol.com

The SMTP server will do an SPF lookup for aol.com, and check the connection
IP address against the exposed SPF policy defined by aol.com.

CBV

This is a small background SMTP process to verify the return path at the
moment MAIL FROM is issued to call back and check the remote RCPT TO
response.
Example:

    HELO blah.com
    250 cool!
    MAIL FROM:<foobar@foobar.com>
    [  perform callback ]
    550 Sorry, foobar@foobar.com not valid!


C/R:

C/R will accept and hold the message. It then sends a "challenge message" to
the return path. It will wait for a "Response" and use this to "authorize"
the held message to finally deliver it.

We use SPF and CBV on our SMTP product.

----
Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
http://www.winserver.com/wcsap (Wildcat! Sender Authentication Protocol)
http://www.winserver.com/spamstats  (WcSAP Anti-Spam Stats)



