Spam Reduction via Server Signed Mail
Copyright Jon Snell, Nov. 2003, firstname.lastname@example.org (I will release this under some kind of free license if there)
A huge problem with spam detection these days is the ability of spammers to forge their From addresses and have it undetectable by the receiver. The goal of this document is to outline a technique which is 100% compatible with the existing SMTP protocol and can be implemented by either a receiving server or a mail client.
- Most spam these days pretends to be from somewhere it's not. Eliminating the from address spoofing will prevent spam from will allow better whitelisting, preventing real emails from being marked as spam.
Proposed Operation Overview
- Participating outbound email servers would sign all outbound email with their private key and then embed or attach the signature to the mail
- Participating inbound servers, spam filters, or mail clients would check the signature on the mail. The listed MX dns entry for the domain in the From address would be contacted for its public key. The mail would then be verified and marked as valid, not valid, or unknown.
- Participating outbound servers would also run a server which would give the domain's public key out to allow inbound servers to verify.
- Must improve the quality of spam detection
- Must be fully compatible with existing mail system
- Must be cheap or free to implement with no yearly costs
- Must be implemented in both open source and proprietary mail solutions
- Implemented with a tolerable amount of extra processing
Problems and Responses
- Users attempting to send mail from home with a From: of their corporation are frequently forced to use the MTA of their ISP
- Solution: allow the corporate MTA server to sign individual user keys as valid
- Spammers could use this as a DOS attack for the domain they are appearing to come from
- The public key download would take less bandwidth than sending an email. Additionally, the relay used to transmit the mail could be sent when requesting the public key, allowing DOS victims to trace the source easily.