In my experience, people are not able to modify their software to change the default smtp server. It seems more efficient to have them connect back via SMTPS+AUTH to the company mailserver and send their email that way.

Now, some webmail providers allows you to haev multiple reply-to address, that you use depending on your location. This is nice but then we fall in the categories listed below, and I'm not sure that DKIM provide a meaningful authentication of the reply-to address.

----- Original Message -----
From: "Gordon Peterson" <***@terabites.com>
To: ***@irtf.org
Sent: Sunday, 11 January, 2009 3:18:34 PM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] where the message originated (was: DKIM role?) (SM)

It is important to remember that many individuals and many small
companies use personal or "vanity" domain names.

These domain names appear in their "From:" and "Reply-to:" addresses on
their outgoing e-mail messages, but SHOULD NOT be presumed to indicate
where the e-mail in question is arriving from.

For example, I might be travelling somewhere and sending e-mail messages
from an inhabitual location: a cruise ship Internet cafe, an Internet
access kiosk above a post office location in Beijing, a coffee bar, or
other such public-access location. In such a situation, I will
typically have NO control over what outgoing mail server is sending my
e-mail message, and since my being there is temporary I obviously don't
want to put a return address on my mail that would be connected with the
location where I physically am at the time.

Another example is where a small company also uses a company domain
name, although they might use very different mail handling for their
outgoing staff e-mail messages (for example, which might go through a
nearby ISP, often for historical reasons) as compared to their
automatically generated e-mails (example: invoices, price quotations,
EFT transfer notices, and the like) generated by their back-office
accounting systems... which might be sent directly by outgoing mail
servers inside their NAT router.

We've several times been hurt by stupid antispam approaches which refuse
perfectly legitimate e-mails because they don't like the IP address they
are coming from.

Another problem we have had is when we were sending company E-mails
through the outgoing mail server provided by our domain hosting company,
and one of the (tens of thousands) of companies they were hosting
domains for apparently became infected and began sending messages
containing a virus or something. The result was that ALL the companies
forwarding through that outgoing mail server became blocked, even though
our company (and, I'm sure, most of the companies using that same shared
outgoing mail server) was never infected or compromised.


While we're talking about the issue of antispam nuisances, another is
the situation where a spam blocker inadvertently serves as an "IP
address laundering agent" when they bounce back a message detected as
containing spam, or a virus. It is particularly stupid to bounce back a
message because it is detected to contain a virus WHICH IS KNOWN TO
FALSIFY OR COUNTERFEIT THE RETURN ADDRESS! In that case, the spam
blocker sending the 'bounce'/refused message does not know where the
original message was ACTUALLY sent from; commonly they will send the
bounce message to the COUNTERFEIT "from" address (n.b. the address the
original spammer ACTUALLY wanted to send the message to!) only now, it
arrives from a "clean" IP address (i.e. the IP address of the antispam
blocker which "bounced" it) rather than from the IP address actually
originating the message (which the actually intended recipient might
have refused, based on the sender IP address). So now the unwanted
message arrives at its intended destination, having "reflected" off a
spam reflector and thus now with a "reputable" IP address. (True, it is
now shown as an "undeliverable/spam/virus" bounce, but a lot of people
DO open such messages). ...ANYHOW, PARTICULARLY when a message is sent
by a virus KNOWN to falsify origin addresses, it is NOT helpful to send
a bounce message back to the "bogus" "origin" address indicated in the
message.

I have a folder here with probably something approaching a hundred
thousand such bounces, caused by spam messages which were sent using
bogus/falsified addresses but counterfeiting one of my domains, and
where these messages did not originate from any of my systems. The
point is that there is NO value in sending back a bounceback/refused
message unless you are SURE you know where it should be sent back to
(i.e. who actually sent it). It's NOT enough to just believe the
"From:" address.

That's a hopeless setting. If you carry a laptop, SMTP+AUTH to the
company server is the way to go, as Franck said already. If not,
assuming you won't configure an email client, you should use company's
webmail server. You are not going to store your userid/password at an
unknown box, are you? Thus, you should connect to your outgoing server
in the same way that you connect to your incoming one.
Same comments as above apply. However, for vanity addresses the
company's MX just forwards to each employee's actual address. In that
case, outgoing mail should also originate from each employee's ESP.
The company's SPF record, if any, should take that into account.

The historical ISP habit to allow relaying from their own IP addresses
since clients already authenticated on connecting, has had its day.
Obviously there are the same problems when sharing cars, buildings,
and sex mates: whoever catches accidents or infections affects
everybody else...
Correct. The anti-virus filter should just swallow the message with no
complains nor notices. I don't know what RFC blesses that behavior,
though.

messages
don't
with the
company server is the way to go, as Franck said already.

That's precisely the point. I am not using my habitual mail client, nor
am I using my own familiar webmail service. I am using a mail
kiosk-type service which allows me to enter a subject, my return
address, a to address, and the body of my mail.
company's webmail server.

That's not an option, and nor can I configure what e-mail server is
being used.
unknown box, are you?

No, of course not. And they don't ask for that. The mail message
doesn't go out through my normal e-mail channels, and that's just
exactly the point.
in the same way that you connect to your incoming one.

Again, that's not one of the options available.

When you're travelling on a ship, understandably they want to have you
send your mail through the ship's own outgoing mail server, since that
minimizes the time they have to keep the (very expen$ive) satellite
channel open.
company's MX just forwards to each employee's actual address. In that
case, outgoing mail should also originate from each employee's ESP.
The company's SPF record, if any, should take that into account.

And again, that's okay, WHEN THEY ARE MAILING FROM IN-HOUSE. When they
are not, is when the problem turns up.
since clients already authenticated on connecting, has had its day.

That's not really the issue. The issue is that people occasionally have
very legitimate need to send mail other than through their normal
channels, PARTICULARLY when away from the office (at home, perhaps,
although sending a mail that's work-related; from a library or airpport
public access terminal; at a customer location; and particularly when
traveling out of the country.)
refuse
they
company,
companies
though
shared
and sex mates: whoever catches accidents or infections affects
everybody else...

In this case, however, the overly-broad-brush of poisoning ALL traffic
transiting an IP address just because it has sent "some" unwanted or
malicious mail can create a GREAT deal of serious collateral damage.
back a
complains nor notices. I don't know what RFC blesses that behavior,
though.

It is very frustrating to get (sometimes hundreds a day) bounce messages
that come back to my domain (catch-all address mailbox) for e-mail
messages which *I* NEVER SENT, just because the spammers' From: address
used a counterfeit/bogus e-mail address forging one of my domains.

You need to use your email service provider's Message Submission Service.
That should be available to authenticating clients on port 587.
Alternatively, use their webmail. If your Internet cafe is willing to relay
your email, then they're willing to relay spam, too, and should therefore
be blacklisted.

Actually, it occurred to me that we have mechanisms whereby domain owners
can prevent abuse of their domains (SPF and DKIM). Therefore, we should
feel free to bounce email to any domain owner the doesn't deploy SPF and
DKIM - in order to encourage them to do so. Of course, bouncing email is
also OK when you find an SPF or DKIM match.

I'm not sure that http://en.wikipedia.org/wiki/Sender_Signing_Policy has a correct definition?

spamassassin, DNSBL, DCC are well known, so we know how they behave with different emails, what we don't know is what the google, yahoo, microsoft and others are doing to classify their emails (this is the part about security by obcurity).

----- Original Message -----
From: "Robert Barclay" <***@gmail.com>
To: "Anti-Spam Research Group - IRTF" <***@irtf.org>
Sent: Tuesday, 13 January, 2009 10:37:52 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] where the message originated




On Mon, Jan 12, 2009 at 1:51 PM, Franck Martin < ***@avonsys.com > wrote:


I'm curious when you say ADSP is always keyed of the real live From address? You talk about the From: and not the Mail From: (Return-path)?
Yes, the A is for Author. ADSP is built on top of DKIM and allows domain owners to specify that they sign some or all mail using a specific domain in the From: address




as a side note, all this SSP/ADSP processing looks like a blackbox (or black magic) to me. There is no recommended practices and no one explain what they do to filter mail. like in the statement "AOL will use DKIM to do build reputation based on domain", what does it mean?

It means they are going to start establishing reputation for DKIM domains based on the DKIM signed mail passing through their systems. This isn't any more of a black box than their existing reputation systems.
As for recommended practices I'm not sure there's enough operational experience is most situations to have anything useful to recommend yet. I would be pleased to be wrong here but suspect that we may be starting to get there for some uses of DKIM and are a long way away from that with ADSP.





We know well about spamassassin, DNSBL, DCC but this is about it. I thought security by obscurity was a bad idea? ;)

Not sure this qualifies for security by obscurity. It's pretty straightforward how all these technologies work. How people make use of the data these technologies provide, that only seems obscure because people are still figuring it out themselves. Compare this to how people use IP addresses there's a pretty wide variety there and a lot of those uses would qualify as "obscured" from outside users too.

spared B a possible infection, but I'm reluctant to blame A's MX for
this: it didn't originate, accept or transfer the malware-laden message.
I think responsibility lies with M, and/or with whatever system passed
the message to M (presuming the message didn't originated on M).

Well, regardless of who is pointing the finger at who, the fact remains
that:

1) an infected E-mail is being passed on to someone who quite likely
had NOTHING to do with sending it, nor did they probably have any
control over the system(s) that did;

2) the extra bandwidth was wasted by sending mail to someone who
didn't want it, and who can't do anything about it;

3) the resulting infected E-mail is now coming from a computer whose
IP address is likely in the (actual final) recipient's "trusted" zone,
whereas the original actual origin system might well not be.
we can do -- we can't block something before we see it, we can only do
our best to reject outright spam/malware/junk traffic at the earliest
available opportunity. (One of the ways I've expressed this elsewhere
is that the best place to stop spam is as near its source as possible.
The farther it gets from the origin, the trickier detecting it gets,
and the greater the possible consequences.)

Actually, I believe that that philosophy is incorrect.

First of all, ultimately the ONLY authority which TRULY determines FOR A
FACT whether a given piece of e-mail is unwanted or not is the final
recipient.

Other people enroute might conclude that something PROBABLY is spam, but
they cannot be sure.

I understand the desirability of stopping spam and viruses as close to
the sender as possible, WHERE THAT IS POSSIBLE, but I suggest that it
often is not.

ULTIMATELY, the recipient of the message (i.e. the addressee, not
necessarily the place where it ultimately gets bounced to) has a KEY
piece of information that MTAs enroute do not have: the knowledge of
the (prior?) trust relationship that exists between the addressee and
the purported sender.

And, let me point out, this even varies WITHIN a single addressee: I
have more than one E-mail address, and use them for different purposes.
An E-mail message arriving at the "wrong" address might indicate that
it is unwanted, EVEN IF THE SAME SENDER MIGHT BE EXPECTED TO MAIL TO ME
AT A DIFFERENT ONE OF MY ADDRESSES.

This is part of why I still believe that a finely-grained "permissions
list", based on the recipient/orignator e-nmail address pair, AND having
access by then to the WHOLE message, can do a SIGNIFICANTLY better job
of accurately performing the spam/nospam triage than ANY more
generalized SMTP-level MTA could ever hope to do enroute.

As I have pointed out before, if I get an e-mail containing an
executable (a control panel applet, a hard .EXE file, even a piece of
Java script or Active X enclosure or whatever) from someone who (a) I do
not know, or (b) who I might know but who I do not expect to send me
something like THAT, then it's perfectly reasonable to treat that e-mail
as at least HIGHLY suspect.

Now, there ARE people I correspond with who I might EXPECT to send me
stuff like that, or at least SOME of those sorts of things; obviously
those should come through to me fine. But there may be OTHER things I
would expect to see in mail from those trusted and familiar
correspondents; for example, their familiar sig that they put on the
e-mails they send out to me, or the masthead I normally see on their
e-newsletter, or whatever. Even maybe the familiar way they address me
in the accompanying message.

Note that this is not unlike the way most of us actually handle "spam
triage" in our inboxes now: we look to see mail coming from unfamiliar
senders, or unfamiliar subjects, or for that matter common spam-type
subject lines. The key thing is that mail coming from an address we
recognize might encourage us to look more closely at mail which we might
not give a second thought to deleting if it came from someone unfamiliar.

I personally think that mail containing attachments (of any type) or
HTML (scripting, ActiveX, misrepresentable links, etc) coming from
people I don't know and trust are primary examples of mail that stands a
strong probability of being unwanted (or at the very least, untrusted).

Now, I would agree that e-mail containing certain types of things can
probably be axed at a very early point in the delivery process (an
example would be mail containing a recognized virus content, especially
a virus known to falsify return addresses...!)

BUT it is also VERY frustrating when, for example, I find that an
absolutely legitimate e-mail message I have sent out gets bounced back
to me by someone enroute, containing something like:

[quote]

Diagnostic-Code: smtp; 554 The message was rejected because it contains
prohibited virus or spam content (in reply to end of DATA command)

[end quote]

...and particularly when the message contains neither virus nor spam,
and where I have not the slightest idea of who I would need to try to
contact (and where, or how) to solve the non-delivery problem.

And I presume that the addressee I was sending the mail to has similarly
no idea of who they would need to complain to about our mail being
intercepted and waylaid enroute.

Given the choice, I like the simplicity and correctability of people
enroute delivering the mail as requested, and having the recipient's
mail client (given the additional knowledge that only it has!) doing the
BETTER possible job of deciding how to perform the triage.

IF the mail is bounced because it contains a virus or worm, and if that
virus or worm is KNOWN to falsify return addresses, then I claim that
there is little or no value in bouncing it... because it is not clear
that ANYONE working backwards is going to be able to figure out reliably
who (if anybody!) should be notified of the problem.

It doesn't really much matter which antivirus software identified the
message as malicious (although it would be nice to have an audit trail
somewhere such that a misbehaving piece of related software can be found
and fixed).

[snip]
there's no way to know that the message will be delivered. If the
putative sender is elsewhere, then the mail system there might
detect and reject the message. The putative sender's mail client
may be using an anti-virus product that detects it. Or the putative
sender may never "open" the message (which seems to effectively
defuse most, but not all, of these problems).

That's a bogus argument. You're basically saying that "someone else
will probably pick up on this" and using that as a (lame) excuse to lob
a grenade their way.

Not quite, but not far off. I'm not taking responsibility for your decision
to forge the domain. However, I AM responsible for the fact that IBM have
no easy way to detect that forgery. I SHOULD accept that IBM are therefore
more likely to bounce that email back to me.

When a spammer forges my domain, and the recipient bounces the message,
they're doing what SMTP is designed to do. I shouldn't get pissed off
with
the recipient, if I've failed to publish records that allow them to
check for forgeries.

What I should take responsibility for is publishing records that let IBM
easily check whether the email is legitimate. For example, if I publish SPF
records, and sign all my outgoing mail with DKIM, and require my users to
use my Message Submission Service, then I think I've discharged that
responsibility.

Having taken those actions (actually, I haven't but this is hypthetical),
I'm quite happy to accept any bounce messages from IBM - provided they've
checked for an SPF or DKIM record match before accepting the message.

Now, given that I haven't yet published SPF or DKIM records, I still get
lots of spam bounced into my domain. Who do I blame? Well, in part it's my
responsibility for failing to help the spam recipients. If I did publish
those records, then recipient domains could more easily detect forgeries
out of my domain.

SPF records would be useful because you can check them early, and cheaply.
DKIM give senders the opportunity to get messages through forwarders.

Now, what I'm suggesting (not advocating yet, because I'm not certain that
this is right), is that when there's no SPF record published, that we
should not feel too bad about bouncing email because the domain
administrator isn't taking adequate steps to protect the domain against
spam blowback, and against phishing. Of course, I'm NOT suggesting that
lack of an SPF record should score very high in any any spamicity measure,
but it might count for something.

Now, an SPF or DKIM match gives us the huge gain that we can bounce
messages selectively based on the content. Some recipients may not want
certain message content, but by the time we've seen the content SMTP
doesn't allow us to selectively reject. And, a pass allows us to
confidently whitelist a domain or sender address without opening up a huge
hole in our spam defences. For example, I've refused to whitelist UK
academic research boards because they don't publish SPF records.

Now, the question is, what do we do when we see an SPF softfail, and no
DKIM record? Well, at first I'd be reluctant to bounce the message, because
I want to reward admins that are taking steps to protect their domains.
However, that's not something that I'd be happy with on a permanent basis.
Eventually, I want the world to be in a position where all forwarders check
SPF on the way in, and rewrite sender domains. When we're sufficiently
advanced in that project, then bouncing softfail would be more acceptable.

No SPF record:
SPF fail: reject the message at SMTP time.
SPF softfail: check DKIM
SPF pass: accept if you trust the domain, otherwise do other spam checks.
You can reject, bounce or accept depending on other spam checks.
Importantly, you can bounce PER RECIPIENT depending on the content, which
you can't do with SMTP rejections.
No, you just need to sign your outgoing email, and publish SPF records.

I know, someone's going to tell me that SPF breaks forwarding. Well email
is already broken. I get up to a million spam messages into my domain
daily. Everything we do to prevent spam causes problems ranging from
additional load on our DNS servers to loss of important emails. The
question is, are we going to fix it? I think what I'm proposing would at
least allow people to do safe whitelisting