The Return of Caller ID and other alternatives
Microsoft's original Caller ID for e-mail wasn't approved so they have merged their proposal with the Sender Policy Framework (SPF) written by Meng Weng Wong and Mark Lentczner. Have a look at the Sender ID Framework Executive Overview for a quick intro to what the Sender ID is.
My thoughts on it? SPAM sucks and there must be a way to fight it. Sender ID may be a step in the right direction, as it makes it easier to detect spam by automatic systems, but it does not prevent spam from being sent. It would be a lot better to kill the spam before it even reaches the internet. These days a lot of spam is sent by trojans and virus infected PCs with fast internet connections. There is, as far as I can see, no reason why any person or small company with a consumer broadband connection needs to send more than 1 mail every minute. Large companies are a different story but they don't have a consumer internet connection.
Internet Service Providers could block all outgoing traffic on port 25 and force clients to use their SMTP server with authentication to send mails. Mail clients are getting more secure so trojans/viruses don't use OLE Automation to send mails anymore but rely on their own spam sending SMTP client. SMTP authentication would fix the problem as they can't send mail directly to the internet anymore and they don't know the user name or password to use the ISPs SMTP server. Even if they magically found the username/password the damage would be limited as an infected host could only send 1 mail a minute and not several per second like they do now. Filtering is trivial as the ISP can work on a mail server level and not on a TCP/IP level.
I already use a similar setup on my LAN but I haven't gotten around to writing the outbound mail filter yet. You can reduce the chance of becoming a spam spewing bot by denying all outgoing connections to port 25 unless it is to your IPSs mail server
Other documents recently posted by Microsoft:
- Sender ID: Authenticating E-Mail Specification (Draft) : This core document describes how the Sender ID Framework works
- Sender ID Framework and Intellectual Property Overview and FAQ : FAQ regarding the need and use of Microsoft's royalty-free license for implementation of the Sender ID Framework.
- Purported Responsible Address in E-Mail Messages Specification (Draft) : Describes how to extract from an e-mail message the Purported Responsible Address (PRA).
- Sender Policy Framework: Authorizing Use of Domains in Mail From : This document describes the content and format of the SPF record, the information that senders need to publish in DNS regarding their outbound e-mail servers. It also describes how receivers use this information to validate the Mail From domain of an e-mail message.
- Sender ID Framework Deployment Overview : Steps e-mail senders must take to comply with the Sender ID Framework specification.
No comments:
Post a Comment