
RE: Anti-Spoofing Technology

2005-04-17 00:01:58

At 1:39am -0400 17/4/2005, John P Baker wrote:
> However, it seems to me that when a message first enters the mail system
> (i.e., an ISP SMTP server receives a message from a client of that ISP),
> validation of the return address could be required.  Specifically, the
> "From" mailbox specified in the message header could, pursuant to an SMTP
> extension, be validated against a list of mailboxes allocated by the ISP to
> the client with whom the SMTP server is in session.
>
> There may already be something in the RFCs that I have yet to find.
>
> I am just beginning my research into this.

If you haven't yet, have a look at RFC 2554 (SMTP Service Extension for Authentication) and RFC 2476 (Message Submission).

An ISP or organization wanting to enforce a policy like you describe would force all clients to use SMTP AUTH, by doing something like blocking client IPs from using port 25 and requiring SMTP AUTH on a Message Submission port. The credentials supplied via SMTP AUTH can then be used to decide what MAIL FROM, From, etc. addresses that client is allowed to use.

SMTP AUTH and the ability to change the port used for SMTP are already widely supported in clients, so it is basically a case of supporting those and implementing suitable policy at the server side.
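The server-side policy sketched above, as an added example that is not part of the original thread: subscriber addresses are kept off port 25, unauthenticated submissions are refused, and the SMTP AUTH identity selects the set of mailboxes the envelope MAIL FROM and header From must fall within. The allocation table, subscriber network and reply texts are constructed assumptions.

```python
import ipaddress
from email.utils import parseaddr

# Constructed sample data (not from the original post): mailboxes the ISP has
# allocated to each SMTP AUTH identity, and the ISP's subscriber address space.
ALLOCATED = {
    "alice": {"alice@example.net", "a.smith@example.net"},
    "bob": {"bob@example.net"},
}
SUBSCRIBER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SUBMISSION_PORT = 587  # RFC 2476 message submission port


def port_allowed(client_ip: str, port: int) -> bool:
    """Subscribers may only talk to the submission port; port 25 stays for other MTAs."""
    is_subscriber = any(ipaddress.ip_address(client_ip) in net for net in SUBSCRIBER_NETS)
    return port == SUBMISSION_PORT or not is_subscriber


def normalize(addr: str) -> str:
    """Fold case for comparison. The domain is case-insensitive by definition;
    folding the local-part as well is a policy assumption made here."""
    local, _, domain = addr.rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def check_submission(auth_user, mail_from: str, from_header: str):
    """Decide whether an authenticated submission may use the given envelope
    sender (MAIL FROM) and header From. Returns (accepted, SMTP reply text)."""
    if auth_user is None:
        return False, "530 authentication required on the submission port"
    allowed = {normalize(a) for a in ALLOCATED.get(auth_user, ())}
    if not allowed:
        return False, "535 no mailboxes allocated to this identity"
    # A null reverse-path (MAIL FROM:<>) is legitimate for bounces, so only a
    # non-empty envelope sender is checked against the allocation.
    if mail_from and normalize(mail_from) not in allowed:
        return False, f"553 MAIL FROM <{mail_from}> not allocated to {auth_user}"
    _, hdr_addr = parseaddr(from_header)  # handles "Display Name <addr>" forms
    if "@" not in hdr_addr or normalize(hdr_addr) not in allowed:
        return False, f"550 From header <{hdr_addr}> not allocated to {auth_user}"
    return True, "250 accepted"
```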
