spf-discuss

Re: Simple method to prevent cross-customer forgery on shared MTAs

2005-05-17 06:35:58
On Tue, 17 May 2005, Alex van den Bogaerdt wrote:

> Ooops.  Typo.  That should be:
>
>     moe._using_.curly._at_.service.com._smtpauth_.example.com
>
> which would mean that example.com would trust service.com to
> authenticate users __and__ example.com would allow moe to emit
> mail from service.com (as moe(_at_)example(_dot_)com), but only when logged
> in as user "curly(_at_)service(_dot_)com", right?

Exactly.  It avoids an SMTP service provider having to maintain a
database of which domains are allowed with which SMTP AUTH logins
for cross customer forgery prevention.  It uses DNS for the database
so that it can be maintained by the domain owners - who set the policy anyway.

The main users of such a service would be domain owners who want to 
send authenticated email from their own domain from dynamic IPs (laptop, PDA),
but don't want to maintain their own email server.  This includes
many small businesses with dynamic IP cable or DSL at the office and
roaming salesmen or technicians.  Another solution is webmail - 
but the laptop offers potentially much better security (if the
salesman can be trained not to download random crap).

I am a home user with dynamic IP cable and my own domain.  I don't
want to pay an extra $25/mo for static IP, so I would like to use
such a service.  I currently use the servers where I work, but I
don't want to be dependent on that.

There are lots of quality, inexpensive DNS service providers, so
maintaining a domain without a static IP is not a problem.
I use dnsmadeeasy.com.

Almost all current SMTP AUTH service providers have a reactive policy.
They investigate and hopefully respond to complaints about spamming
or forgery.  Tracking the party responsible is much easier thanks
to SMTP AUTH.  However, there is no mechanism to prevent forgery in
the first place.  If the mechanism is simple and automatic enough,
it should not raise the cost of SMTP AUTH service.  My proposal requires
zero maintenance or storage by the service provider.  The provider
simply adds a DNS lookup to verify MAIL FROM. 

Someone suggested that the service provider could check SPF,
but that only helps if there were a macro for the SMTP AUTH username,
and it would have to have a good default value for the most common case
where there is no SMTP AUTH.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
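
The provider-side check described in the message above, as an added example that is not code from the original post or from any SPF implementation. The function names, the in-memory `SAMPLE_ZONE` standing in for DNS, the rule that any existing record means "allowed", and the restriction of local parts to a single lower-cased DNS label are all assumptions; the post gives only the name layout.

```python
import re

# Constructed stand-in for DNS: the names example.com's owner has published.
# Assumption: any record existing at the name means "allowed"; the post does
# not specify a record type or content.
SAMPLE_ZONE = {"moe._using_.curly._at_.service.com._smtpauth_.example.com"}

_HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Local parts must fit one DNS label: no dots, so a login cannot smuggle
# extra labels such as "_smtpauth_" into the query name (assumed restriction).
_LOCAL_PART = re.compile(r"^[a-z0-9_+-]{1,63}$")


def _split(address):
    """Return (local, domain), lower-cased, or raise ValueError."""
    local, sep, domain = address.strip().lower().rpartition("@")
    domain = domain.rstrip(".")
    if not sep or not _LOCAL_PART.match(local):
        raise ValueError(f"unsupported address: {address!r}")
    if not domain or not all(_HOST_LABEL.match(l) for l in domain.split(".")):
        raise ValueError(f"unsupported domain: {address!r}")
    return local, domain


def auth_query_name(mail_from, auth_login):
    """Build <sender>._using_.<login>._at_.<provider>._smtpauth_.<sender domain>."""
    s_local, s_domain = _split(mail_from)
    a_local, a_domain = _split(auth_login)
    name = f"{s_local}._using_.{a_local}._at_.{a_domain}._smtpauth_.{s_domain}"
    if len(name) > 253:  # DNS limit on a full name
        raise ValueError("query name too long")
    return name


def may_send(mail_from, auth_login, exists=SAMPLE_ZONE.__contains__):
    """True only if the sender's domain published a name for this login."""
    try:
        return bool(exists(auth_query_name(mail_from, auth_login)))
    except ValueError:
        return False  # fail closed on anything that cannot be encoded safely


if __name__ == "__main__":
    print(may_send("moe@example.com", "curly@service.com"))  # published login
    print(may_send("moe@example.com", "larry@service.com"))  # another customer
```

In a real MTA the `exists` callable would be a DNS query made after SMTP AUTH succeeds and before MAIL FROM is accepted; an empty reverse-path (bounces) is rejected by this sketch and would need its own rule.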