spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[spf-discuss] Getting around MS patent issues associated with SenderID: A better SenderID!

2006-08-08 14:22:31
from [Julian Mehnle] [Permanent Link] 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This was originally sent to spf-council, Meng, and to me personally (among 
others), but I think it belongs on spf-discuss.  If you reply to it, 
remember to CC: Chris Colman <chrisc(_at_)stepaheadsoftware(_dot_)com>.

Julian.

- ----------  Forwarded Message  ----------
Subject: Getting around MS patent issues associated with SenderID: A better
    SenderID!
Date: Tuesday, 8. August 2006 00:57
From: "Chris Colman" <chrisc(_at_)stepaheadsoftware(_dot_)com>
To: rfc-editor(_at_)rfc-editor(_dot_)org, 
spf-council(_at_)v2(_dot_)listbox(_dot_)com,
    julian(_at_)mehnle(_dot_)net, brc(_at_)zurich(_dot_)ibm(_dot_)com, 
hardie(_at_)qualcomm(_dot_)com,
    ietf-mxcomp(_at_)imc(_dot_)org, mengwong(_at_)dumbo(_dot_)pobox(_dot_)com

To whom it may concern,

I've been using the internet since starting my EE degree in 1984 but
lately it's becoming unusable! Spam is really getting out of hand.
Lately I've been getting more "Sorry address not found" messages from
spammers who are spoofing my mail server domain name than I am getting
from regular spam. That's when you know things are getting really bad!

I had an idea but I don't know how viable it is.

SenderID has a couple of issues:

1. MS Patent issues (even though it doesn't look like the patent should
be granted with at least 2 cases of prior art - not that this ever stops
the patent office though!)

2. The need to set up the SPF record with your domain name hoster.


Reason 1 is bad as we all know.
Readon 2 is actually a problem for me and probably many others. My
domain name is with Network Solutions and they don't allow clients to
set up SPF records!!!! So to get senderID to work I'd need to change my
domain name hosting provider - bad.

I thought of an idea that may fix 1 and 2:

Instead of querying the DNS to get the list of IP addresses of valid
mail servers simply acquire this list from the web server instead. Given
that 99.9% of mail servers would have a corresponding web server why not
just query the web server instead!!! The HTTP request could simply
request a static file sitting on the server which *ANY* web
administrator could set up in 5 minutes. This file would be text (not
HTML) and contain a list of the IP addresses of servers that are deemed
to be allowed mail senders for that domain name.

Eg.,

antispoof.txt

This contains:
Version mxips { ip1 ip2 ip3 .... Ipn }

Where:
version indicates the version of the format: initially 1 but we will be
incremented if changes to the format are necessary
spaces in the above format represent any white space: space, tab,
newline etc.,


Eg.,

1 mxips { 203.41.1.55  203.41.1.56  216.117.134.156 }

Or

1
mxips
{
        203.41.1.55
        203.41.1.56
        216.117.134.156
}



Process of validating incoming email:

Take email address and remove username/account name

    joe(_at_)abc(_dot_)com

to leave

    abc.com

now add www. And perform a HTTP request for the server list

http://www.abc.com/antispoof.txt

This will return the list of valid mail servers for the abc.com domain
name. If the sender's IP does not match any of them then the email is
deemed to be spoofing the mail server and therefore junked.

This system would be very simple to implement in a mail server's code
base and would be much easier to configure for domain administrators as
it does not rely on the DNS hoster to provide configuration utilities
for SPF records.

Option to gather spoof statistics

There is another option which I believe could be very useful:

The IP address of a server sending  email should be added as a query
parameter to the HTTP request. Web logs will track this information and
it will be possible for web adminstrators to gather statistics on the IP
address from which spoofed emails are coming from:

http://www.abc.com/antispoof.txt?senderip=223.33.23.51

This data could be aggregated in centralized "spoofing statistics"
gathering servers and could be used to notify an ISP that if they do not
control spammers from using their infrastructure to generate spam then
their entire IP range could be temporarily black listed.


Chris Colman
Step Ahead Software

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFE2QBSwL7PKlBZWjsRAqrFAJ47ufw9iPwhWTUgdcQhlsDIH9FjBgCeNv5F
Gn3AIOO4TIRq8+jlhGkZgzw=
=EBRL
-----END PGP SIGNATURE-----

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] Summary of the policy discussion on the ietf-dkim list?, Scott Kitterman
Next by Date:  [spf-discuss] Re: Getting around MS patent issues associated with SenderID: A better SenderID!, Andy Bakun
Previous by Thread:  Re: [spf-discuss] Re: Summary of the policy discussion on the ietf-dkim list?, Scott Kitterman
Next by Thread:  [spf-discuss] Re: Getting around MS patent issues associated with SenderID: A better SenderID!, Andy Bakun
Indexes:  [Date] [Thread] [Top] [All Lists]