Novel Method for Universal Email Authentication

MKaplan writes "Most spam is sent using spoofed domains. Email authentication schemes such as SPF attempt to foil spoofing by having domain administrators publish a list of their approved outgoing mail servers. SPF is sharply limited by incomplete domain participation and failure to authenticate forwarded email. A paper describes a novel method to rapidly generate a near-perfect global SPF database independent of the participation of domain administrators. A single email from an unauthenticated domain is bounced and then resent — this previously unauthenticated domain and the server listed in the return path of the resent bounce are entered into a globally accessible database. All future emails sent from this domain via this server will be authenticated after checking this new database. Mechanisms to authenticate forwarded email and to nullify subversion of this anti-spam system are also described."

The BIG issue

[Skiron]

Is MS windows boxes that are comprised and doing this - you can see this where the spam mails get 'chinese whispered from one box to another and end up incoherent (to say the least).

Any ISP should/could get suspicious of thousands of mails sent from one 'home user' source at anytime. But when you have thousands of 'users' doing the same thing, it gets lost in the noise.

One simple solution is:

if account == home user & running MS
      if mails sent > 10 per minute
          block it
      fi
fi

etc.

Very easy.

email has already been replaced

[Chapter80]

The spam problems of email are causing people to migrate to trusted systems.

As I stood at a kiosk at a trade show this week, and waded through my spam-filled email on a few services (work email, hotmail, and gmail), the young woman at the kiosk next to me accessed her myspace and facebook accounts and responded to friends only.

She turned and said that only old people use email. And she was a VENDOR at the conference.... Things that make you go hmmmmmmmm......

Not SPF, and similar to what I use...

[argent]

This is just an additional layer over automatic whitelisting of addresses using tagged responses.

Some years ago I set up for my family a pretty simple set of procmail rules and scripts that bounced messages that hadn't otherwise been classified as spam or been whitelisted with requests that they be resent with a certain keyword in the subject line. For example:

"Hello, you just sent me the following message. Could you send me the message again with the word 'leisure' in the subject line? You can reply to this message if you like, just be sure to add 'leisure' to the subject line."

Over a period of several years the only spam that's gotten through this has been from a 419er.

The advantage of a subject line token like this is that you can tell people the token to use, or put the token in the subject line when you send the message so it's usually there when the recipient replies.

Whether you take the resulting message and whitelist the sender address, or some other information in the header that you consider reasonable, that's up to you. It's not really the same thing as the SPF database, though, even if you choose to make the same kind of information the key you use for whitelisting. The point of SPF is that it's supposed to be authoritative for the organizations involved, and doesn't include things like "I sent something with my work address from Earthlink and now you're accepting mail from my work domain through Earthlink's servers".

And using this to whitelist the sender rather than their whole domain gives you a lot finer control.

Greylisting is effective for me

[baileydau]

Do you have any data on the exact date or extent to which greylisting became ineffective?

I don't know about the GP, but for me greylisting is very effective. I have a personal domain for my wife and myself. I have a catchall mail address.

Here are some stats for part of last week:

Start Date 23/09/07 04:02
End Date 28/09/07 17:00
                5.54 days

Total spam: 4624
Spam blocked with greylisting: 4478 (96.8%)

spam via backup MX: 69 (1.5%)
spam retried (got past greylisting): 77 (1.7%)

Total through to end user: 146
Identified as spam (SpamAssassin): 123 (84.2%)

backup MX marked as spam: 50 (72.5%)
direct marked as spam: 72 (93.5%)

Total to end user not marked as spam: 23 (0.5%)

NB. Up until about a month ago, ~25% of SPAM came via my backup MX, which doesn't have greylisting. I don't know why it dropped, but I'm happy it did.