Anti-spam protocols help reduce spam's network impact

Anti-spam protocols are useful in helping network administrators block spam. This tip covers three anti-spam protocols -- Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Vouch by Reference (VBR) -- and discusses other responsibilities of the network administrator in blocking spam.

Spam is not just annoying; it clogs networks and, at worst, can point to larger network security problems. Upcoming developments in efforts to reduce spam will require network administrators to implement anti-spam protocols. The alternative is that receiving sites that have implemented the protocols may reject mail sent from your site as possible spam.

Progress on anti-spam protocols has been slow. The effort has been delayed by competing concepts, but now two protocols have emerged: Sender Policy Framework and Domain Keys Identified Mail.

Both anti-spam protocols deal with the fact that much email carries a falsified source address. Each of the two protocols attacks a different aspect of the problem.

SPF: Protecting against false SMTP header address

Sender Policy Framework (SPF), defined in RFC 4408, addresses the case where the return address in the RFC 2821 SMTP envelope is falsified. A sender implementing SPF creates DNS text records specifying the IP addresses of the systems within the sender domain that legitimately send mail.

The receiver of the mail accesses the DNS entry of the purported sending domain. If the IP address from which the mail came does not match one of the legitimate email senders, the return address is false.

When mail forwarders and list servers encounter mail protected by SPF, they must modify the SMTP header as received from the originator of the email by replacing the source address with the forwarder or list server's own address. Otherwise the mail will appear to carry a falsified address.

DKIM: Protecting against false email source address and content modification

Domain Keys Identified Mail (DKIM) protects against falsification of the address specified in the RFC 2822 message format. This is the source address that is normally displayed by a receiving email client. DKIM uses public key encryption to sign a hash of the entire mail message, including the source address and the contents of the message.

The sender has placed its public key in the DNS entry describing the sender's domain. The receiver accesses DNS and uses the sender's public key to decode the hash. The receiver computes the hash of the message it received and compares it to the decoded hash. If the hashes match, the message did in fact come from the source address indicated. Since the hash is computed over the entire contents of the mail, DKIM also guarantees not only that the source address is correct but that the message contents have not been modified along the way.

SPF and DKIM can be used together. SPF provides a guarantee that the source address in the SMTP header is accurate. DKIM provides a guarantee that the address and contents of the message are accurate.

VBR: Creating a certifying authority for email

SPF and DKIM are useful only in guaranteeing the source of mail. They do not address the problem of a domain that uses either or both protocols but allows its users to send spam. To address this problem, a group of email equipment and software vendors organized the Domain Assurance Council. This group has created another anti-spam protocol called Vouch by Reference (VBR).

VBR creates the concept of a certifying authority for email. Senders sign up with certifying authorities, which then verify to mail recipients that the sender is to be trusted.

The protocol adds a header containing the identifier of the certifying authority to the mail message. The receiver extracts the identifier of the authority and compares it against a list of authorities it trusts. If the authority is trustworthy, the receiver constructs a DNS query from the domain names of the sender of the mail and certifying authority. The response to the query will indicate whether this authority does in fact certify the quality of email from this sender.

Patrick Peterson, VP of Technology at Ironport Systems, a manufacturer of email appliances, compares the combination of SPF, DKIM and VBR to driver's licenses and driving records. "SPF and DKIM are analogous to driver's licenses. They identify who is driving the car. VBR allows you to find out whether the driver has a clean record or a string of accidents and offenses."

The network administrator's responsibilities in reducing spam

SPF, DKIM and VBR do not address all sources of spam. Much spam originates from computers infected with viruses. These computers may be located inside a legitimate domain that properly identifies itself and uses a certification authority. Network administrators must keep virus software up to date and monitor mail emanating from their networks to prevent and detect this source of spam. Otherwise, recipients will report back to the certifying authority that the sending network is not being carefully managed. The authority can then refuse to further certify this network.

The SPF RFC was finalized last year, and DKIM is expected to reach final status early this year. Now, specialists in the field believe that an industry meeting scheduled for this spring will result in the adoption of these protocols by many large enterprises and ISPs. Those who adopt the protocols will do so on both the sending and receiving sides. Their outgoing mail will have a much greater chance of reaching its destination than mail sent without the guarantees of authenticity provided by the protocols.

Incoming mail lacking these assurances will be treated as possible spam. Those who are slow to adopt the protocols will find that mail they send will often end up in spam folders and never be seen by the intended recipient. The consequences for these enterprises will be a diminished ability to communicate with customers. For ISPs, failure to adopt will mean unhappy customers -- surely results that network administrators will very much want to avoid.

About the author: David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies, as well as software startups.

Read more on Network security management