Tuesday, June 15, 2004

SPF (Sender Policy Framework) reduces spam

SPF fights email address forgery and makes it easier to identify spam, worms, and viruses. Domain owners designate their sending mail servers in DNS, so that SMTP receivers can distinguish legitimate mail from spam by verifying the envelope sender address against the client IP before any message data is transmitted.

SMTP has a security hole: any connecting client can assert any sender address. This flaw has been exploited by spammers to forge mail. The result: your mailbox fills up with bounces to messages that you didn't send. Close the hole, and we can easily block spammers by sender domain.

SPF was originally designed to prevent joe-jobs (mail sent with a forged From address). In this mode, an MTA uses SPF to verify the envelope sender (SMTP MAIL FROM) address at SMTP time. But some people pointed out that SPF can also be used to verify headers to prevent phishing. When used to verify headers, the agent could be an MTA or an MUA, and slightly different rules apply: you have to consider Sender and Resent-From, not just the "From:" header. Header verification is one of the central themes of the May 2004 merger between SPF and Microsoft Caller ID for E-mail.
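The envelope-sender check described above, as an added example that is not part of the original post or of any SPF implementation: it evaluates a connecting client's IP against a domain's SPF record the way a receiving MTA would at MAIL FROM time. The records are constructed and held in a dict so the code runs offline; only the ip4, ip6, include and all mechanisms are handled, since a/mx/exists need live DNS.

```python
import ipaddress

# Constructed SPF records for fictional domains, keyed by domain name,
# standing in for the DNS TXT lookups a real receiver would perform.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate client_ip against the SPF record published for domain.

    Mechanisms are tested left to right; the first match decides the result.
    Only ip4, ip6, include and all are implemented here (an assumption of this
    offline example); a, mx and exists would require DNS queries.
    """
    if depth > 10:              # cap on nested includes, like the RFC lookup limit
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"           # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced domain's record passes
            if check_host(client_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"            # record exhausted without any mechanism matching


def verify_mail_from(client_ip, mail_from, records=SPF_RECORDS):
    """What the receiver does at MAIL FROM time: take the domain part of the
    envelope sender and check it against the connecting client's IP, before
    accepting DATA."""
    domain = mail_from.rpartition("@")[2].lower()
    return check_host(client_ip, domain, records)
```

A "fail" result at this point lets the receiver reject the message before any body is transferred, which is what stops the forged mail and the resulting bounces.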

February 24th 2004: Microsoft has announced Caller ID for E-mail, a close relative of SPF. Some people have reported that Microsoft Word is unable to open the documents at that web site; we provide PDF versions for your convenience. In other news, we are up to 7500 registered domains.

January 9th 2004: Slashdot noticed that AOL experimentally turned on SPF for 24 hours. During that time, thousands of spams were blocked. They have turned it off over the weekend to assess the results of the experiment, and will turn it on again next week.