A grass-roots movement to improve the SMTP protocol that governs e-mail traffic is gaining acceptance, and its lead developer hopes to get fast-track approval by the Internet Engineering Task Force to make the emerging framework a standard.
The developing framework, known as Sender Policy Framework (SPF), would prevent the spoofing of e-mail addresses and hijacking of SMTP servers, common tactics used by spammers to remain anonymous to the millions of addresses to which they send unsolicited e-mail.
The group behind SPF, known as SMTP+SPF, published its Internet draft Wednesday, the first step on the road to IETF approval, according to Meng Weng Wong, whos spearheading the effort.
Wong, the CTO of e-mail forwarding service Pobox.com, plans to attend the 59th IETF Meeting, which starts Feb. 29 in Seoul, South Korea, to make his case for the IETF to form a working group to study SPF. But Wong said hes hoping for more than that. He wants the IETF to adopt the SPF framework, bypassing the workgroup stage.
“Its very unlikely that thatll happen but itd be valuable for them to do that,” Wong said, in Philadelphia. “Workgroups can take years to get anything done.”
Wong said hes had in effect a shadow workgroup for the past eight months, with 500 people on an e-mail list exchanging ideas about SPF. He claimed most of the work an IETF workgroup would do has already been accomplished by the SMTP+SPF group.
“It may take a year from now [before SPF goes through the regular IETF process], and no one wants another 12 months of spam,” Wong said.
SPF is essentially a whitelisting system that in order to work requires domain owners to publish the IP addresses from which they send e-mail. Mail transfer agents, such as Sendmail, Qmail and Postfix, would then have to match the client IP address with the domain the message is coming from. SPF would also provide “read” technology that the SMTP+SPF group is close to completing, Wong said.
If the client IP address doesnt match the published IP addresses for the domains, the message is rejected before it ever gets to the inbox. Under the existing SMTP protocol, domains cannot limit the use of their names to a set of trusted servers, which SPF would provide.
Today, blacklists work by IP address. In an SPF world, anti-spam activists would blacklist by domain name, knowing that a spammer was not misusing the domain.
Next page: Anti-spam providers throw support behind SPF.
SPF Support
Existing anti-spam filters can easily be tuned to support SPF, Wong said. Anti-spam technology providers, such as CipherTrust Inc., InboxCop Inc. and Sophos plcs ActiveState division, have thrown their support behind SPF.
CipherTrust in fact announced Thursday that it has incorporated SPF into its IronMail anti-spam appliance, using the SPF domain registry as a data point in IronMails Enterprise Spam Profiler correlation engine. CipherTrusts FirstAct service will provide the companys customers with automatic updates from the SPF registry on an ongoing basis, as well as assistance in registering their more than 1,500 domains with SPF, said CipherTrust officials, in Atlanta.
“SPF works pretty well with everything else,” said Wong. “Were not looking to be a competitor to anything else.”
SPF would be free and voluntary, according to Wong, with its effectiveness dependent on the number of domain holders that register their sender IP addresses. Nearly 7,000 domain holders have registered their IP addresses at the SMTP+SPF Web site, including American Online Inc., SAP AG, Mail.com and the World Wide Web Consortium (W3C).
Support for modifying SMTP is growing within the e-mail industry.
“The only way to stop spam on a permanent basis is to change the SMTP protocol,” said John Davies, CEO of e-mail server software developer Rockliffe Inc. “If SMTP protocols are enhanced to provide the capability to validate the sending server, it becomes impossible for spammers to send spam anonymously.”
Davies said Rockliffe is looking to support SPF in a future release of its Mailsite e-mail server product. Mailsite currently supports the Simple Authentication and Security Layer (SASL) with SMTP, which SPF also uses at the MTA level.
While the SPF work began last June, Wong said that efforts to modify SMTP have been under way since 1998. There are other draft initiatives in the works to validate return e-mail addresses including Designated Mailer Protocol (DMP) and Reverse MX.
Wong described SPF as a superset of DMP and Reverse MX and said acceptance of any one of the three will reduce spam.
“SPF is certainly not original, but were beginning to shepherd people to use it,” said Wong. “Our customers say we have to do something about spam, so this is what were doing.”
Next page: SMTP flaws need fixing.
SMTP Flaws
While no one wants to replace SMTP, there seems to be little debate that there are flaws in the protocol that need to be fixed.
“Spammers spoof a lot,” said Mark Wegman, researcher at IBMs T.J. Watson Research Center in Hawthorne, N.Y., describing spammers tactics to forge legitimate e-mail addresses. “They pretend to be various and sundry other people, and SMTP protocols let them do that.”
Wegman said SPF would be a step in the right direction, but not a silver bullet that would stop all spam, a point that Wong doesnt dispute.
“[SPF] can certainly make it harder [to send spam], but I dont believe it will solve the problem,” said Wegman, who believes virus attacks like MyDoom could still confound even an enhanced SMTP system.
IBM Research is currently developing a spam filter that has been nearly 100 percent effective at catching spam, Wegman said. The filter takes into account content, delivery patterns and other factors that Wegman declined to name. It can be set up to support SPF as well, he said.
“Even if SPF is just partially adopted, I think it will help us,” Wegman said.
As for IBM Researchs spam filter project, Wegman cautioned that its only being tested within IBM Research and has yet to be used in a true real-world setting. But its performance so far has been too good for product people at IBMs Lotus Software division to ignore, he said.
“The numbers weve been getting are sufficiently encouraging that I think well be listened to,” he said.
Whether such a technology ever makes it out of the lab remains to be seen. Lotus has to this point relied mainly on partners to provide anti-spam technologies for its Notes/Domino and Workplace products and that strategy wont change for the time being, according to a company spokesman.
“We dont want to roll out anything where our partners would say, Wait a minute, this is what Ive been developing for the last two years, now youre including it in the product,” said Michael Shamrell, a spokesman for IBMs Lotus division.
