Forums » Authenticate Us From Evil
Comments on news posted 2004-06-18 09:27:49: The FTC recently noted that a Do Not Spam Registry won't work until an e-mail authentication standard is agreed upon. ..


ParanoiaInc

join:2002-08-28
Tucker, GA

Why no revision to SMTP to include authentication?

I've wondered about this for years, but why do we see a need to authenticate only on the POP side and not on the SMTP side? Also, why are there no new email protocols using a new POP/SMTP that affords not just authentication but security features as well?

I would think a company in a business for email servers could go long ways (with free clients) in this area.

keyboard5684

join:2001-08-01
Youngsville, PA
·Teliax VOIP
·WestPAnet Inc.
·WestPAnet Inc. CA..

Re: Why no revision to SMTP to include authenticat

The problem is not authenticating clients that use SMTP, the problem is authenticating email servers. For example, a client sending mail can authenticate with their ISP's mail server to send mail, but how do we authenticate that ISP's mail server when it sends to the remote domain?

We could not possibly make up logins for every single mail server in the world so they all could communicate.

SPF addresses this in a good way. This way the domain provider themselves says what specific mail servers are allowed to send email with that from address.

fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH

said by keyboard5684:
The problem is not authenticating clients that use SMTP, the problem is authenticating email servers.

Exactly. And SPF does not stop spam, it stops forged from addresses. Nothing more.

Megladon13

join:2003-09-05
Minneapolis, MN
...and right now that's about 99% of the spam we are all getting.

ParanoiaInc

join:2002-08-28
Tucker, GA
reply to keyboard5684
I would think that by only allowing subscribers to send out email through the ISP's authenticating-email servers (block port 25), and disallowing subscriber-centered email servers, this could help address the problem.


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
This would mostly be an inconvenience for people who don't send SPAM. A lot of people use 3rd party email services because we don't want to use the one provided by our ISP for various reasons.


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
Here's a good solution for filtering

Nearly all of the SPAM that I receive contains a URL for a domain that is not hosted in the US - at least this is what SPAMCOP tells me.

If this filter criteria were applied by default by US based ISPs, then a lot of SPAM would be eliminated.

gecho XXX

join:2004-06-02
Muscatine, IA

Why Auth Won't Work Without Subscriber Level

If subscriber 1 gets a virus that sends SPAM, they send it through their server A, which authenticates to other servers B, C, etc. and delivers the SPAM to their subscribers because the from is server 1's domain. But which subscriber?

Suppose you block port 25 and subscriber 1 had to authenticate specific from addresses to server A to send. Then only the allowed and authenticated from address could be included. Now you have accountability to the subscriber level where it belongs. If subscriber 1 has a different domain email address they want to use, they need to register (authenticate) it with server A or they can't use it. Authenticate does not mean just being server 1's normal network IP address. It means associating joe@serverA.com to subscriber joe and joe@differentdomain.com also to subscriber joe, so if it is sent through server A it has to have been approved as a real userid allowed through server A and it has to have come from subscriber joe.

Then you ensure that server A is a registered mailserver. Non-registered servers can't play. Servers that do not use subscriber auth cannot register. Total subscriber accountability. SPAM would become a thing of the past.

Goldengamego
Premium
join:2004-02-22
Okemos, MI


1 edit
OMFG

This is like the 5th time I have had to say this.

AOL did NOT create SPF, they just implemented it in their mail system.

Also, SPF stands for 'Sender Policy Framework', not 'Sender Permitted Form'.

See spf.pobox.com for more info about SPF.
--
Because Goldengamegod won't fit:p

Goldengamego
Premium
join:2004-02-22
Okemos, MI

1 edit
reply to gecho XXX
Re: Why Auth Won't Work Without Subscriber Level

Most viruses use their own SMTP engine, in which case they don't use your ISP's mail server. If it does use your ISP's mail server then they will spot you quickly and cut off your access.
--
Because Goldengamegod won't fit:p

xv920

join:2002-08-27
Campbell, CA


1 edit
limit the number of outgoing emails

Legit users don't send tons of email per minute. Let the SMTP server limit the number to, say, 1000 emails per user per month with a per-day max of 100? You will not be negatively affected unless you are a spammer. If you run a business and you want to send more than 1000 emails, why don't you buy the credit from your ISP that allows you to send out another 1000 emails for just $9.95 per month?


coward

@pacbell.n
reply to jjoshua
Re: Why no revision to SMTP to include authenticat

Tough - I'm sick of spam, and I'm even more sick of spam from bogus email addresses. True, some jerks have ruined it for the rest of us, but we all learned to deal with things like that when we were 6 years old.

fantomposter
Phantom Poster
Premium
join:2002-09-21
Independence, OH


1 edit
reply to ParanoiaInc

Spammer sets up his throwaway domain. Puts up DNS for it at a place where it can be changed easily and quickly.

He finds a trojaned Comcast machine to use. He changes his DNS file to show the proper SPF record for that Comcast machine's IP addy.

Then he fires his spam off from that machine and SPF stops nothing because he controls the domain and the SPF records.

Rinse-Lather-Repeat. SPF only stops someone from using my or your address as a forged from, and it stops the viruses that use forged froms.

It will not stop spam nor will it slow it down much.

keyboard5684

join:2001-08-01
Youngsville, PA
reply to Goldengamego
Re: OMFG

Right, but it used to be Sender Permitted From; they changed it during development. It is documented at the very bottom of their FAQ: spf.pobox.com/faq.html. You read that, correct?

gecho XXX

join:2004-06-02
Muscatine, IA

reply to Goldengamego
Re: Why Auth Won't Work Without Subscriber Level

Exactly. But if, as I said, port 25 is blocked they would, and from my logs still do by the way, try to use the ISP mailserver.

So if we just auth mailservers, they just rewrite viruses to use the domain server and SPAM still flows, even though now isolated to from within the server domain. Still doesn't address who, though, so you need subscriber accounting to finally close and lock the door. Otherwise whole ISPs get shut off, which would be like closing down the local post office of origin for someone sending forged illegal paper mail through it. Court battles would ensue and SPAMMERs would be laughing all the way to the bank.

Goldengamego
Premium
join:2004-02-22
Okemos, MI
reply to keyboard5684
Re: OMFG

doh

JPCass

join:2001-01-23
Denver, CO

reply to xv920
Re: limit the number of outgoing emails

I, and others, have wondered for years why more ISPs haven't done this. Some of the big ISPs, particularly the free ones, that spammers use a lot have finally done some limiting of outgoing mail in the last year or so.

Limits don't even need to be tied to higher fees, though the chance to charge a bit more might provide some incentive for some of the greedier or more callous ISPs. ISPs could just by default set low limits on outgoing mail, unless the user contacted them and specifically asked for higher limits because they sent out mailing lists or had some other specific need. And ISPs could still check suspicious mailing patterns regardless of limits, just as credit and phone card companies do when unusual usage shows up.

Goldengamego
Premium
join:2004-02-22
Okemos, MI


2 edits
reply to xv920
No need to charge. A business should just have to call their ISP and register as such, anyone sending large amounts of mail and not registered (hacked PC) will be cut off.

EDIT: rats, you beat me to it
--
Because Goldengamegod won't fit:p
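As an added example (not code from any post in this thread), here is the per-user outgoing cap xv920 proposed, with the registered-bulk-sender exemption from the replies: a submission-side quota that keeps a daily and a monthly bucket per user and refuses anything that would push either over its cap. The 100/day and 1000/month figures are xv920's; the bulk-sender cap and the traffic are constructed for the example.

```python
from collections import defaultdict
from datetime import date

DAILY_MAX = 100             # per-user recipients per calendar day (xv920's figure)
MONTHLY_MAX = 1000          # per-user recipients per calendar month (xv920's figure)
REGISTERED_MONTHLY = 20000  # assumed cap for users registered as bulk senders

class OutboundQuota:
    """Per-user outbound mail quota on the submission server. Each accepted
    submission adds its recipient count to a daily and a monthly bucket; a
    submission that would push either bucket over its cap is refused."""
    def __init__(self, registered=()):
        self.registered = set(registered)   # users who asked the ISP for bulk limits
        self.day = defaultdict(int)         # (user, date) -> recipients sent
        self.month = defaultdict(int)       # (user, year, month) -> recipients sent

    def submit(self, user: str, when: date, recipients: int = 1):
        dkey, mkey = (user, when), (user, when.year, when.month)
        bulk = user in self.registered
        if not bulk and self.day[dkey] + recipients > DAILY_MAX:
            return False, "daily limit reached"
        monthly_cap = REGISTERED_MONTHLY if bulk else MONTHLY_MAX
        if self.month[mkey] + recipients > monthly_cap:
            return False, "monthly limit reached"
        self.day[dkey] += recipients
        self.month[mkey] += recipients
        return True, "accepted"

def simulate(quota: OutboundQuota, events):
    """events: (user, date, recipients). Returns {user: (accepted, refused)}."""
    tally = defaultdict(lambda: [0, 0])
    for user, when, n in events:
        ok, _ = quota.submit(user, when, n)
        tally[user][0 if ok else 1] += 1
    return {u: tuple(v) for u, v in tally.items()}

# Constructed traffic: alice mails a few people a day, bob's infected PC bursts
# 25-recipient messages, and "list" has registered as a bulk sender.
EVENTS = ([("alice", date(2004, 6, 18), 5), ("alice", date(2004, 6, 19), 5)]
          + [("bob", date(2004, 6, 18), 25)] * 8
          + [("list", date(2004, 6, 18), 400)] * 3)

if __name__ == "__main__":
    print(simulate(OutboundQuota(registered=["list"]), EVENTS))
```

The counters key on the calendar date, so bob's refused burst clears the next day while his monthly bucket still remembers what got through.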


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Brooklyn NYC
·Verizon Online DSL

reply to fantomposter
Re: Why no revision to SMTP to include authenticat

said by fantomposter:

Spammer sets up his throwaway domain. Puts up DNS for it at a place where it can be changed easily and quickly.

He finds a trojaned Comcast machine to use. He changes his DNS file to show the proper SPF record for that Comcast machine's IP addy.
No-Good! The SPF must reside on his domain, and point to a mail server on his domain... No receiving SPF/SMTP server will ever query his SPF record for mail originating from a Comcast addy; it will query Comcast's SPF records, and reject the mail. Spammer Fails!

said by fantomposter:
Then he fires his spam off from that machine and SPF stops nothing because he controls the domain and the SPF records.
Spammer can't control Comcast's SPF records, in the same way he can't control their PTR records! Spammer FAILS!

said by fantomposter:
Rinse-Lather-Repeat. SPF only stops someone from using my or your address as a forged from, and it stops the viruses that use forged froms.
Nope! SPF forces all mail from a domain to come ONLY from the allowed (SPF'd) domain's mail servers, which are advertised only by that domain's listed DNS servers. Spammer Fails!

said by fantomposter:
It will not stop spam nor will it slow it down much.

If implemented net-wide it will kill almost ALL spam. That which is left will only come from spammer-owned/SPF'd domains. These domains will be easy to identify and block on sight; black-lists will only have to deal with direct spammer domains. Spammer is toast!

Bob
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler, Cape Elizebeth ME. www.tamara-b.org
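As an added example (not code from any post in this thread), the core of the SPF check that fantomposter and TamaraB are arguing over: the receiving server takes the domain from the MAIL FROM address, fetches that domain's SPF record, and tests the connecting IP against it. The DNS table below is constructed for the example using documentation-range addresses; only the ip4, a, mx, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed DNS data for this example (documentation-range addresses, not real hosts).
DNS = {
    "isp.example": {"txt": "v=spf1 mx ip4:192.0.2.0/24 -all", "mx": ["mail.isp.example"]},
    "mail.isp.example": {"a": ["198.51.100.10"]},
    "throwaway.example": {"txt": "v=spf1 ip4:203.0.113.77 -all"},
    "corp.example": {"txt": "v=spf1 include:isp.example ~all"},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(client_ip: str, mail_from: str, depth: int = 0) -> str:
    """Evaluate the SPF record published by the MAIL FROM domain against the
    IP that connected. Returns pass, fail, softfail, neutral, none or permerror."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = DNS.get(domain, {}).get("txt")
    if record is None:
        return "none"          # domain publishes no policy: SPF says nothing
    if depth > 10:
        return "permerror"     # stop runaway include chains
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain             # "a" and "mx" default to the domain itself
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client_ip in DNS.get(target, {}).get("a", [])
        elif mech == "mx":
            matched = any(client_ip in DNS.get(mx, {}).get("a", [])
                          for mx in DNS.get(target, {}).get("mx", []))
        elif mech == "include":
            matched = spf_check(client_ip, "@" + arg, depth + 1) == "pass"
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # no term matched and no "all" present

if __name__ == "__main__":
    for ip, sender in [("198.51.100.10", "joe@isp.example"), ("203.0.113.77", "joe@isp.example"),
                       ("203.0.113.77", "x@throwaway.example"), ("203.0.113.77", "x@nowhere.example")]:
        print(ip, sender, "->", spf_check(ip, sender))
```

Note that only the MAIL FROM domain's record is consulted, so what the check catches is a protected domain forged from a host that domain did not list; a domain that publishes no record gets "none" and is neither accepted nor rejected by SPF itself.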


nixen
Rockin' the Boxen
Premium
join:2002-10-04
Alexandria, VA
·Cox HSI
·Speakeasy

Amusing...

I used to work for MCI. They used Entrust, internally, for "non-repudiation". In one of the recent articles quoting Cerf, he says that adoption of PKI within MCI is universal. Ironically, when I send emails to former co-workers, half of them can't read the emails I send because I use (Thawte) S/MIME signatures on my emails (cleartext signed; not encrypted). Apparently, either their Entrust software is misconfigured, or they've lost/forgotten their passwords, because they rarely use the application. So, not quite universal.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"