[TriLUG] Another seal broken... thinking of installing a C/R anti-spam system

Jon Carnes jonc at nc.rr.com
Sun Jan 28 20:29:13 EST 2007


On Sun, 2007-01-28 at 18:59, Cristóbal Palmer wrote:
> On 1/28/07, Jason Faulkner <jason at oldos.org> wrote:
> > If you allow authorization of senders via DNS, doesn't it take out
> > most of the benefits Jon was talking about?
> 
> No. You would act as their mail server. They would list you as one of
> their mail servers. What did you think I meant? That the recipient or
> next hop would check to see if your domain (eg. intellicontact.com)
> was a valid sender?
> 
> Or maybe I misread Jon. How _should_ we deal with companies with
> products like intellicontact?
> 
> -CMP

I agree with Cristóbal, Intellicontact would have to become a valid
server for that domain.

And now lets take it up a notch, since we want to design our own
SMTP-like protocol (TriLUG-SMTP)... lets include a 128 bit digital
signature line as a header in the email. The digital header can also act
as authorization for the mail. Any mail server that the message passes
through, can then check this header to insure that the email is
authentic. 

The header would have to be unique for the email - generated at the time
the email is sent. Checking the Authentication of this header could be a
function of the domains DNS service. We would have to ratchet up DNS a
bit, but folks are already attempting this with other email
authentication schemes, and it seems acceptable to the general masses.

You wouldn't have to check the authentication of every message passing
through, but you could if you wanted to. Ideally though, you would just
check the ones that seem suspicious.

If your email client wasn't capable of generating the digital signature,
then you would have to drop your mail off at your domains server using
an TriLUG-SMTP login for the drop off. The mailserver would then
generate the digital signature for that email and subsequent mail
servers could use that for authentication if necessary.

This would allow us to move the standard out into the world and have it
work immediately for some folks. Eventually, the ratio of
unsigned-mail/spam would approach 1, and folks would simply stop
accepting unsigned-mail... Especially since folks can either drop off
mail using an authenticated Send using TriLUG-SMTP with their domain
server - or in extreme cases, using a web-based email client to send out
their mail (till they can install a free mail client that *does* meet
the new standard).

Jon




More information about the TriLUG mailing list