[nospam] ARTICLE: Three Proposed Ways to Stem the Email Influx

  • From: "Jim Kenzig http://thin.net" <jimkenz@xxxxxxxxxxxxxx>
  • To: nospam@xxxxxxxxxxxxx
  • Date: Wed, 3 Mar 2004 09:30:22 -0500

From Windows & .NET Magazine Security UPDATE Newsletter
JK
==== In Focus: Three Proposed Ways to Stem the Email Influx ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Solutions are in the works to help curb the amount of junk email we
receive. Currently, most people probably use one of three types of
solutions (or combinations thereof) to help filter their email. These
solutions process incoming mail according to approved senders, banned
senders, and banned mail servers. Now three more solutions are making
their way into the marketplace: Sender Policy Framework (SPF), Caller
ID for E-Mail, and DomainKeys.

Meng Weng Wong and Mark Lentczner began working on SPF more than a
year ago, and more than 7500 domain operators have already implemented
the solution. AOL, one of the world's largest ISPs, has taken notice
and is testing SPF.

SPF attempts to use DNS queries to verify email sender IP addresses.
DNS publishes MX records for inbound mail servers for a given domain,
but there is no record type for publishing a list of outbound mail
servers for a given domain. To improvise, SPF uses specially formatted
TXT records in DNS to publish outbound mail servers for public queries
and subsequent attempts to authenticate email senders.

When an SPF-enabled mail system receives a message, the mail system
can query the sender's domain DNS servers to obtain a list of valid
outbound mail server addresses and compare these addresses with the IP
address in the message's SMTP email headers. If the IP addresses
match, the mail system can assume that the message isn't junk mail. If
the addresses don't match, the mail system can take a variety of
actions depending on how it's configured. You can learn more about
SPF, including how to implement it, at http://spf.pobox.com .

Microsoft recently published the Caller ID for E-Mail specification,
which is similar to SPF. Caller ID also works by using DNS TXT
records; however, Caller ID uses TXT records written in XML. Like SPF,
Caller ID checks IP addresses in SMTP email headers against outbound
mail server IP addresses published by DNS servers to verify that a
domain's authorized mail server sent a message. The differences
between Caller ID and SPF are in the way mail headers are processed
and the way DNS publishes outbound mail servers. You can learn more
about Microsoft's proposed Caller ID for E-Mail system at
http://www.microsoft.com/mscorp/twc/privacy/spam_callerid.mspx .

The third system, DomainKeys, is in development by Yahoo! and works by
cryptographically signing messages at the server level. You're
probably familiar with tools such as Pretty Good Privacy (PGP) that
use a public key and private key. Data is encrypted or signed by using
a private key; data is decrypted or a signature is verified by using a
public key. DomainKeys works the same way but at the server level. A
sending mail server uses a private key to sign all the messages it
sends. A DNS record publishes the sending server's public key. When
the target server receives a signed message, the server can use a DNS
query to obtain the sending server's public key and use the key to
verify the message signature.

For more analysis of these three proposed solutions, see an expanded
version of this Commentary at
   http://www.winnetmag.com/article/articleid/41892/41892.html
