September 2004 Newsletter

New Email Control Directions

There is no question that email spam is out of control. Undelivered email can have a loss of business attached.

As users set up blocks to stop spam into their email boxes, senders are having problems ensuring that legitimate emails are received. For example, just the use of the words "your website" is sufficient to get some emails blocked. This is why our newsletters generally point to the article on the 4specs website so I can use that and other terms.

"It's the paradox of e-mail," he said. "The value of e-mail to organizations is accelerating, but the threats to e-mail from outside the organization have never been greater." (from e-week article) [link no longer works]

It is expected that "E-mail that passes the SPF test will be passed through for delivery. E-mail that doesn't pass this simple test must go through additional hoops before it can be delivered to the inbox."
[link no longer valid]

The first step towards spam control has been agreed to by Microsoft, Yahoo, AOL and much of the open source community. The start of implementation is planned for October. Now called SenderID, this is a merging of Caller ID and SPF - Sender Permitted From or Sender Policy Framework. These approaches help fight email address forgery and makes it easier to identify spams, worms, and viruses. Although similar, there are several critical differences between SPF and SenderID due to potential Microsoft licensing requirements. SenderID is essentially a superset of the SPF proposal.

"And that's it! SPF aims to prevent spammers from ruining other people's reputations. If they want to send spam, they should at least do it under their own name." [link no longer available]

While you probably do not have any direct action to take, I suggest you ask your IT department or web consultant how they will implement this for your domains. It is expected that spammers will search out domains that do not have a SenderID or SPF record set up and use them until blocked. Hence the importance that your company plans for action this fall.

One cause of the email problems is that there are no authentication of who is sending and email. If you can authenticate that the email was sent by approved servers, you can eliminate forgeries and the ISP can take action against abusers that are authenticated through their servers.

It is expected that email with a proper SPF/SenderID authentication will be subjected to less spam checking and will be more likely to get delivered.

SenderID permits a domain owner to specify what email servers can be used to send their email. Starting this fall, incoming SMTP email servers will start to reject all email from domains with
    (1) SenderID implemented and
    (2) where the email under question is not from a permitted server if certain options are taken.
While this sounds simple, and I can envision some major problems for construction product companies.

Definition - SMPT server - think of the blue post office box on the street corner as the equivalent of the email SMPT server. Put mail in the blue box and it gets delivered. Think about a blue post office box where no postage was required to be delivered. The post office would have to station a line of semi-trailers by the box to get all the mail that would be dropped there by bulk mailers, companies and individuals. This is what has happened with email where SMPT servers accept spam or virus attacks and forward the email for free.

For 4specs, I will add a line to our DNS record listing all the approved SMTP servers. For the other domains I own - specs-online.com, 4spec.com and forspecs.com - I will probably not permit any email to be sent under those domain names. I plan to adopt the option that says discard all email from 4specs if it does not come from an approved SMTP server.

The problem for many manufacturers will be the reps in the field or working from home - they use a multitude of ISP's and SMTP servers and yet want to use your domain name in the email. You, or your web host, may have to provide an authenticated SMTP service for your domain and users.

One authentication system is used by the 4specs hosting company. Their relay mail server will accept mail from a specific IP# for 15 minutes after checking for email (which requires a password and user name), and uses a non-standard port (ie not the port 25 normally used for SMTP) so the sending of emails is not blocked by the ISP. Earthlink, for example, has been blocking port 25 for a long while. Other ISP's require you to use their domain name in email (and not use yours) or require that they host the domain.

There are other ways to authenticate email, and the result will be your company will probably need to change how your emails are sent outside the office.
[Link no longer works] - information about blocking access to outside port 25 servers.

The first step for many construction product manufacturers will be to identify all the email addresses used by the staff and outside people and the SMTP servers they use. This can be tricky. I realized in doing this for 4specs, I missed one SMTP server used when I use a web mail interface. I recommend that your company use your domain name (or a new one just for email) and set up some sort of authenticated SMTP servers for that name.

For specific information about SPF:

[link no longer works]

Recent Articles:

[link no longer works]

[link no longer works]

[link no longer works]

ClickZ - May I See Your ID? [link no longer available]

ClickZ - the next step will be reputation of the sender as part of permitting email to pass. [Link no longer available]

[link no longer works]

Complaints (from Open Source community) about the Microsoft SenderID version due to licensing requirements:

EWeek - article no longer available

Spammers will adopt SenderID/SPF also, and this is why this is just the first step:
[link no longer works]

--------------------------------------

Colin Gilboy
Publisher - 4specs
Contact us