IETF Approves SPF and Sender-ID 220
NW writes "According to the records in the IETF's database (here and here), both the SPF and Sender-ID anti-spam proposals were tentatively approved by the IESG (the approval board of the IETF) as experimental standards. It remains to be seen whether any of them will actually put a dent into spam." At the same time, the FTC has opened a central site about email authentication.
I'm not sure about a dent in spam (Score:3, Informative)
Not getting joe jobbed will be a huge step forward. Not to say that everyone's going to instantly adopt these standards but it won't hurt that these are Official now.
Re:I'm not sure about a dent in spam (Score:2)
I run a personal mail server and am getting hit with up to 100,000 bounces per day because some spam gang decided they like my domain (might be due to the fact that I also report *all* spam I receive through Spamcop [spamcop.net].
Fortunately they use random sender account names and don't hit my account and my server easily blocks the bounces, but this could be a disaster if they instead chose valid account names.
Re:I'm not sure about a dent in spam (Score:2)
Not about spam, it's about joe-jobs. (Score:5, Informative)
Of course, only the admins with a clue will correctly implement either of these so
Re:Not about spam, it's about joe-jobs. (Score:5, Informative)
For those wondering.
Re:Not about spam, it's about joe-jobs. (Score:2)
I don't use it for mail myself, so I have put bogus MX records on it. This yielded an rfcignorant listing, but the joejobbing continued.
Then I put an SPF record up and restored a valid MX record. The number of bounces was as before, and did not decrease noticably over several months.
My conclusion is that adoption of SPF and other DNSblock checks is far to little to make any dent into the spam, and certainly not enough to make the spammer remo
Re:Not about spam, it's about joe-jobs. (Score:2, Interesting)
I think this is about spam. I block spam using SPF all the ti
Did IETF change their mind? (Score:5, Interesting)
Re:Did IETF change their mind? (Score:5, Informative)
Yes, they did, and they did not change their mind. They labelled these documents as "experimental". See here [slashdot.org] for details.
Re:Did IETF change their mind? (Score:2)
Unless MS have pressured them into it, so they can get a crack at declaring Sender-ID as the de facto standard and thereby sidestepping the standards process, of course. That might explain it.
Re:Did IETF change their mind? (Score:3, Informative)
They aren't, "conducting an experiment". The draft was submitted as "experimental".
Re:Did IETF change their mind? (Score:2)
Oh, well, silly me then.
They aren't "sidestepping" the standards process. An "experimental" designation is part of The Internet Standards Process, but is not on the standards track.
Useful link, thank you. Everything is now much clearer. Apart from the use of the word "approved" in the OP, anyway.
It's funny though. Since MS are presumably not going to make Sender-ID FOSS friendly, the factors that blocked adopti
Re:Did IETF change their mind? (Score:2)
Sure, no problem. The word "approved" in this case means that the, "IESG has approved the document for publication". The documents will now be sent to the RFC Editor Queue for publication.
I wonder why they didn't release this as "Historic". It would have made their position clearer. Wouldn't it?
These documents were submitted as "experimental". If the IESG doesn't find them compe
Re:Did IETF change their mind? (Score:2)
Re:Did IETF change their mind? (Score:2)
Re:Did IETF change their mind? (Score:2)
But it's all just jerking off now because Domain Keys has won the authentication battle in the market [eweek.com].
Zombies anyone? (Score:2, Interesting)
Re:Zombies anyone? (Score:4, Informative)
Earthlink owns earthlink.net. Therefore, they get to set the policy for who gets to send mail originating from the earthlink.net domain. I can't set up an SPF record claiming to control who can/can't send e-mail from earthlink.com, because I don't own that domain.
Now, the BIGGER problem is not "faking" an SPF record. It's users who set up their own domain and publish a valid SPF record that includes spammers or zombies. So, I can set up spamdomain.com, and have my SPF record include ZOMBIE1234.earthlink.com as an allowed sender. This means mail COULD come from this zombie that claims to be from spamdomain.com. It's even possible for spamdomain.com to set up an SPF record that says EVERYONE is an allowed sender, and so anyone could send e-mail from spamdomain.com.
So, this won't actually prevent people from spamming. What it WILL do is keep spammers from imitating existing domains in their "from" headers. Which doesn't sound like a lot, but will help with impersonation. It will also make it fairly easy to tell the spam domains. Anyone with an SPF record of "every sender is OK" probably should be blocked as a probable spammer. And anyone claiming to be from a reputable domain actually is. It will also make it harder for viruses that go through your address book for "to" and "from" headers to work.
Re:Zombies anyone? (Score:2)
If it works, that's plenty. If you've ever had one of your domains placed in the "FROM" field of a spam campaign, you'll know what I mean.
It's not going to work %100 though - TFA (microsoft's site) indicates the recipient would do the DNS lookup for the SPF record before accepting the SPAM, so I'm guessing anyone who's mail client doesn't support this will get the spam even if I add SPF to my DNS entries..
Re:Zombies anyone? (Score:2)
I believe that is the problem with forwarding. (Score:5, Informative)
So, this is implementation specific, but it seems that it will compare published SPF record of the domain in the FROM: or the return path with the fully qualified domain name of the sending machine (zombie123.earthlink.net yields "earthlink.net").
So, if the incoming email claims to be from/return-path taco@slashdot.org and slashdot.org publishes an SPF record, that SPF record had better list zombie123.earthlink.net as a legitimate mail server or it will fail.
What, specifically, happens when it fails is also up to the implementation.
The problem appears when taco@slashdot._org sends an email to my old college which offers forwarding services for alumni.
taco@slashdot._org sends to khasim@example._com
mail.example._com forwards that message to my gmail account.
mail.gmail._com checks the From:/return of slashdot._org and checks their SPF record for slashdot._org.
slashdot._org does not list any example._org boxes as a mail server so the message fails the SPF check.
Again, what happens at this point depends upon the implementation of SPF that is being used. It can range from increasing the SpamAssassin score to dropping the connection attempt.
Anti Spam Measures (Score:2, Informative)
The best thing I have come across so far is Incredimail, but even that is a pain in the ass t
Parent is OVERRATED (Score:4, Informative)
There is ample documentation available. Try this [pobox.com] if you've got a PDF viewer.
Re:Please don't "bounce to sender". (Score:2)
Microsoft related? (Score:4, Interesting)
Why aren't we hearing from the backbones? (Score:2)
Re:Why aren't we hearing from the backbones? (Score:2)
You don't think spammers are going to look at this and think "fuck that, I'll sell my stuff some other way" do you? They'll just try sending even more messages to counter its effects.
Read what ASF had to say... (Score:4, Informative)
Example from ASF [apache.org]
I'd love to see an Apache Project mailserver. (Score:2)
Re:I'd love to see an Apache Project mailserver. (Score:3, Informative)
Obviously this guy has not heard of Postfix, a truely awesome mailserver
Re:I'd love to see an Apache Project mailserver. (Score:2, Interesting)
Postfix is fast, flexable and easy to use. In my mind, there is no better mail server for Unix and Unix like platforms.
Re:I'd love to see an Apache Project mailserver. (Score:2)
netqmail(mysql or ldap)+vpopmail+courier was a winning combination.
Postfix (enabled maildir and courier) was much slower when comparing it to qmail.
The only problem with qmail is probably its license (source only, binary redistribution is not allowed)
Re:I'd love to see an Apache Project mailserver. (Score:2)
They have. It's called James, it's written in Java, and no doubt it works well with Tomcat. SpamAssassin is also an Apache project -- no idea whether it works with James or not. Apache is a family of OSS products that includes apache httpd, not one single group of developers.
Spam is a systemic network usage policy and security problem, and not something one single product can overcome. Apache is ill-suited to comb
Re:I'd love to see an Apache Project mailserver. (Score:2)
Stuck with Windows servers?
BSD I'm sure has a couple as well (I have no idea about BSD)
I think there is plenty of mail servers out there
Re:I'd love to see an Apache Project mailserver. (Score:2)
Um, you mean like Sendmail, qmail, Exim, postfix, etc? They aren't specific to Linux. Sendmail precedes Linux by many years in fact.
You might also be interested to know that lots of Apache (httpd) development is done on FreeBSD.
Re:I'd love to see an Apache Project mailserver. (Score:2)
It's one SMALL step (Score:5, Interesting)
That's a problem that needs to be solved, but it doesn't account for a lot of spam, and spammers will just stop faking domains in their mass emails.
What we need, and what will NEVER happen, is a central database of mailservers. If you aren't in the "registry" of legit mailservers, then other mailservers won't accept your mail. To get in the registry, you'd have to pay a fee, and prove that your server are secure, and that you aren't a spammer. Obviously, each "legit" server would have to append some kind of digital signature to outgoing emails, so that the verification coudl take place.
In other words, a total revamp of the mail system protocols.
A central database is open to abuse. (Score:5, Insightful)
There's nothing to stop spammers from infiltrating such a system, via legitimate and illegitmate means. So it just plain won't work.
Between the fact that it is easy to abuse, it just won't work and it won't provide any benefits over existing systems, your system is just a bad idea (no personal offense meant, of course).
Re:A central database is open to abuse. (Score:2, Funny)
Re:A central database is open to abuse. (Score:2)
Re:A central database is open to abuse. (Score:2)
Re:A central database is open to abuse. (Score:2)
See: Verisign [slashdot.org] many additional items are available; finding them is left as an exercise for the reader).
Re:A central database is open to abuse. (Score:2)
Re:A central database is open to abuse. (Score:2)
Re:A central database is open to abuse. (Score:3, Funny)
Re:A central database is open to abuse. (Score:2)
Re:It's one SMALL step (Score:2, Insightful)
Who would run this registry? Why do you need to pay to get on it
Re:It's one SMALL step (Score:3, Interesting)
Exploiting the weaknesses of such a scheme is left as an excercise for the reader.
Re:It's one SMALL step (Score:2)
Re:It's one SMALL step (Score:2, Interesting)
Better is to allow your approval to be revoked, if you are initiating spam.
Plus, the cost of such a system would be prohibitive to say the least.
Who would be resposible? A US company? And I assume all the other countries are just dying to subscribe to that system!
I think a protocol change is in order. Instead of sending the message via SMTP, only send a notification that an email is waiting to be picked up, and it's location. When your email is ch
Re:It's one SMALL step (Score:2)
You need to work out some kind of public key authentication so that nobody else can swipe your email from the server, but you don't have to exchange unique keys with every mail server on the internet.
Clean u
Re:It's one SMALL step (Score:3, Insightful)
This has the following benefits:
1. The cost is on the sender. It would be prohibitively expensive to send millions of messages - you'd have to host all the clients!
Huh? You'd still only transfer the same amount of data, it would just become unpredictable how much you would t
Re:It's one SMALL step (Score:2)
Zombie PC's will still be the preferred senders.
You will still be able to host messages on any machine and send out receipts from other machines.
As the parent said, you're just providing verification of the reciever's address. Your notion seems to solve nothing.
Re:It's one SMALL step (Score:2)
This is entirely true. But they get more incoming traffic, with extra overhead.
Not buying it. The incoming request is trivial, right? "Give me the message for receipt: BLAH". That is not meaningfully more than SMTP HELO junk. What's more, you could send 1000's of phishing receipts "joebloe@hoser.com" and only have to feed the ones that come back for the message. This makes phishing easier. And by easier, I mean trivial - imagine 1000 zombies s
Re:It's one SMALL step (Score:5, Funny)
( ) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
(x) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
Most of the spam I get uses impersonation... (Score:2)
Admittedly I don't get a lot of spam by most people's measures, but all the spam I get uses at least some form of impersonation.
Re:It's one SMALL step (Score:2)
Re:It's one SMALL step (Score:2)
Prozac ® is a registered trademark of Eli Lilly and Company.
There is no "Experimental Standard" (Score:5, Informative)
There is no such thing as an "experimental standard". The term "experimental" is a "non-standards track maturity level".
See "The Internet Standards Process" [ietf.org]:
The IETF has NOT approved either SPF or Sender-ID as an Internet Standard.
Re:There is no "Experimental Standard" (Score:2)
Thank you for adding a dose of sanity to these proceedings.
Both of these so-called "standards" are harmful at best. SPF breaks email forwarding, and Sender-ID has Microsoft patent issues.
Re:There is no "Experimental Standard" (Score:3, Informative)
The intended status of both documents is "Experimental".
Both documents are in the "Approved-announcement to be sent" state. This means that:
After the approved announcements are sent, both documents will go to the RFC Editor Queue for publication.
What this means basically me
Reduce spam? (Score:3, Informative)
As it happens, a couple of my bosses have been having email rejected recently by the receiver's ISP because we are SPF compliant.
SPF breaks email forwarding, and most mailing lists. It's a bad idea, poorly conceieved, and poorly implemented.
No matter what we do, SPF will cause some of our email to be rejected.
That is a way to help spammers, not hinder them.
Um, no. (Score:3, Insightful)
Which means your bosses' machines are misconfigured. It's lame to try to lay the blame for that on SPF, which, while imperfect, should never lead to cases like this.
Re:Um, no. (Score:2)
Also note that if I subscribe to any mailing lists -- e
Re:Um, no. (Score:2)
In fact, if you weren't illiterate, and bothered to read what I said, one of those situations matches exactly.
Our email is being rejected by at least one virtual domain host because we are SPF compliant.
Re:Um, no. (Score:2)
Of course, you can blame the problem on me for using a forwarding server that doesn't support SRS. Unfortunately, there are so many setups like this out there that you can't possibly rely on everyone updating. Hell, I'm trying to figure out how to make my server complian
Re:Um, no. (Score:5, Interesting)
We are 100% SPF compliant. Tested and everything. The server we send through is on the only IP address allowed in our SPF record.
The address we send to is a virtual domain that does not offer POP3 mailboxes, only forwarding service. This is not under our control. It forwards to a third domain, also not under our control, that rejects based on SPF, because the second server - the forwarding service - does not rewrite the MAIL FROM address (and is not supposed to, so far as I know, under the RFCS).
All three machines are 100% compliant wit the RFCs, and the two using aspects of SPF are 100% compliant with those specs. And yet, legitimate email is being rejected.
And the only way around it is to misconfigure the server not using any aspect of SPF to violate the RFCs regarding how email is supposed to work.
Or, even better, use -all on our SPF, and thus explicitly enable precisely the kind of forgery that SPF is supposed to prevent.
That is the very definition of a broken system.
Re:Um, no. (Score:2)
But it is under the control of the recipient.
So we have a sender sending to the recipient's forwarder sending to the recipient.
Reci
Re:Um, no. (Score:2)
That's the problem with SPF. It breaks forwarding on virtual domains, because this is how virtual domains are done. And there are a lot of virtual domains, especially for hosted web sites.
Consider the hosted web site, for a moment. The owner of the domain does not run any of his
Re:Reduce spam? (Score:2)
Patent? (Score:2)
SPF in the real world (Score:5, Interesting)
Re:SPF in the real world (Score:5, Insightful)
Re:SPF in the real world (Score:3, Informative)
I stopped answering my telephone yesterday. So far nobody has called and complained.
Mods are on crack. You're closer to funny than insightful, and it's "funny" as in "so far misguided that it's amazing you're not a Darwin Award recipient." The OP's point is that for domains that already offer an SPF record, checking that record allows them to reject a fair number of messages. Your analogy is like rejecting by default, whereas they are accepting by default and rejecting if verification information i
Worthless for me (Score:2)
That's right, I can't. Because I have no fucking idea what IP or domain name my email is going to be coming from when I send it, and Verizon can change it anyhow.
Re:Worthless for me (Score:2)
v=spf1 include:verizon.com -all
If verizon doesn't have an SPF record, then it's a wash. When they publish one, then it will immediately be able to cover your domain as well.
Re:Worthless for me (Score:2)
I'm pretty sure I already knew that.
Re:Worthless for me (Score:2)
PS: You might want to avoid casual use of profanity - swear words are "power" words and excessive use reduces their power to create an effect. The end result? They fail to add power to your words, and make you look like low-class scum, or at the very least, just a kid who hasn't figured this out, yet.
I mean, go
Re:Worthless for me (Score:2)
Thanks for the fucking suggestion, though.
Pay To The Order Of (Score:4, Informative)
something about babies and bathwater... (Score:2)
That is not the Internet.
There are far simpler ways to lessen our problems with spam [im2000.org] that don't damage the basic relational nature of the medium.
I should not be required to be validated by a third party to send mail...regardless of the spam problem.
Re:something about babies and bathwater... (Score:2)
Re:something about babies and bathwater... (Score:2)
If you had that choice, I'd have already sided with you, but you don't. This isn't about whether I want to send it or you want to receive it, but whether your ISP is going let you receive it. They want to block it before it ever reaches you and toss it as spam, regardless of your preferences. Thus, we, as two valid endpoints on the Internet, get a validity downgrade.
I hate spam as much as the next guy, but these kinds of decisions belo
The benefits of SPF without patents of Sender-ID (Score:2)
For those of you wanting
IETF approves only now? (Score:2)
Want to stop spam? (Score:5, Insightful)
Like most crime, the laws exist to stop the small criminals, and have no ability to nail the true sources. Technology is always used to try to fix this problem, and always fails.
Re:Sender ID = Caller ID = Worthless (Score:3, Insightful)
Not at all. If I get a phone call and the CallerID says "unavailable", "out of area" or "private" then I don't even bother to answer it.
If my incoming e-mail doesn't have SPF headers then it bumps up the scores in SpamAssassin. If the score gets too high then the e-mail gets filtered & I never see it.
Re:Sender ID = Caller ID = Worthless (Score:3, Informative)
I've only had the pleasure of one telemarketer bold enough to get through that and my "no solicitation warning". After I got them to give me their information I informed them that my number is on the Fed/State do not call list and I reported them.
It has only happened once. My phone is now forever dead quiet
Re:Sender ID = Caller ID = Worthless (Score:2)
Only because caller ID allows telemarketers and the like to come up as UNAVAILABLE. If they had to show an actual number where, when you dial it back, you get a person (probably at his or her home), caller ID would succeed wonderfully. Those telemarketers would receive plenty of callbacks when they're trying to sleep, eat, or might otherwise be involved in some kind of recreational activity. The phone company claims it's because they're behind their own PB
Re:It won't work for long (Score:3, Informative)
Do you even understand how SPF works? It sure sounds like you don't. It's meant to prevent spammers from forging domains, not to put an end to all spam. If you own your own domain then something like SPF can be a HUGE help if your domain name is used to forge spam.
Re:It won't work for long (Score:3, Insightful)
putting up SPF records has not made any noticable difference in the spam abuse from one of my domains.
obviously, spammers do not (yet) check of a domain they use for joejobs has an SPF listing. this means that little or no receivers are bouncing the spam because of SPF.
Re:What's wrong with this? (Score:5, Insightful)
Currently I receive lots of unsolicited mails from people that I want to hear from. Let's call these people "customers".
Your scheme would have me polling only people I have already talked to.
John.
Re:What's wrong with this? (Score:2)
Re:What's wrong with this? (Score:2)
Specifically the parts that said that we have two types of email, and where I said that 1) we have what we have today.
In other words, I'm not proposing a replacement for current email - just an additional system with improved trust.
Maybe two parallel systems is unworkable, but I don't think so.
On the other hand, if you've already established communications with someone, you can just use public key cryptography to verify their emails... So, yeah... My idea is probably pretty point
Re:What's wrong with this? (Score:2)
Nowadays??? Just how do you figure you as admin can tell all the servers you're pulling mail from (I seriously hope you didn't think of *). I guess you're either type very fast or you still live on the ARPANET.
p.s. Doesn't matter that I don't agree with you. SPF still sucks.
Re:What's wrong with this? (Score:2)
*shrug*
Polling them would hardly take any time at all.
Thanks for the response. But I should probably just officially retract my idea from discussion - since public key cryptography does all that I want and more...
Re:What's wrong with this? (Score:2)
1. Personally maintaining that contact list will be really annoying. Even I, a card-carrying slashdot geek, have enough email correspondants to make that prohibitive.
2. People don't necessarily always use the same email address. Any time someone changes, uses a different address, or whatever, you have to update your polling list.
3. You've just exponentially raised network traffic: everyone polling everyone else for m
Re:What's wrong with this? (Score:2)
3. I responded to this - the sender sends two emails - one a "I've got an email for you" through normal means, and a "trusted email" is kept on the sender side. *shrug* Public key crypto is still better than my idea.
4. I don't see how I've *harmed* the signal to noise ratio, but I guess I agree that I haven't improved it for people who routinely accept unsolicited email.
Meh. Like all lame ideas, they seem really great
Re:What's wrong with this? (Score:2)
But before you burn me in effigy, consider that the system that I just described is basically an RSS feed on my Slashdot mail.
Re:SPF versus Multiple Sites? (Score:4, Informative)
Authenticated is the key word here. Anybody who's roaming uses the company's relay. Hell, use it internally too and you don't have to change any settings while away. I've yet to come across a mail client that doesn't support SMTP AUTH, and many allow you to "use the same password that I do for checking mail" for convenience.
The mail relay should run on the submission port (587), or better yet over SSL (port 465). This gets around the port 25 blocks and transparent redirects that many brain-dead ISPs and hotels have.