One giant step towards ending spam
Summary: SPF Part 1: Sender Policy Framework (SPF) isn't a miracle weapon but if combined with other techniques it could well turn the tide in the war against unsolicited mail
The fight against spam is one of the biggest tasks facing the industry today, and a great deal of time and money has been invested in trying to thwart unwanted email -- but with little real success. But a new anti-spam measure currently under development, Sender Policy Framework (SPF), is attracting a lot of attention. Not only is it quick and inexpensive to implement, a recent trial by AOL indicates that it could generate the kind of widespread support fundamental for any anti-spam system to succeed
Some estimates put the level of spam at around 50 percent of all email sent over the Internet. In addition to messages advertising dubious goods and services, there are emails carrying worms that pose an additional hazard. While anti-spam and antivirus filters can help prevent these rogue messages making your inbox unusable, they can be defeated by changing the format of junk emails -- and the messages themselves are still using valuable bandwidth.
The problem is that simple mail transfer protocol (SMTP) has so few security features. Originally, any SMTP server would accept mail from anyone, for anyone -- known as an open relay. This wasn't a problem in the early days of the Internet, where there were fewer users, and virtually no commercial ones. However, open relay meant that a spammer could connect to a random server and use it to send thousands of messages. Open relay abuse can be dealt with by only permitting mail from or addressed to that server's registered users. But while open relay is no longer an issue for the vast majority of companies, mail that's correctly addressed to a valid mail address, but comes from a dubious source, is the big, big problem.
Closing the loophole
This is where SPF comes in. Also known as "Sender Permitted From", its purpose is to prevent forged email being sent by checking the sender is authorised to send email from the domain they're claiming to be from. That way, if a spammer attempts to send email from a faked address, the message will be rejected. Similarly, recent email-borne worms have pulled fake sender details from address books or Web page caches; they wouldn't be able to use this trick.
SPF uses the domain name service (DNS) to provide information about which servers will send mail on behalf of a particular domain -- in the same way as receiving mail servers are currently specified using Mail Exchange (MX) records. When a mail server gets an incoming message, it looks up the sender's domain to get the SPF record, and checks whether the sending server is in the permitted list. If not, the mail is rejected as a forgery. The use of DNS as the underlying mechanism means that no additional infrastructure is needed to make SPF work worldwide.
SPF's creators are careful not to over-hype the system's capabilities: It won't solve spam completely, overnight or unilaterally. It can't prevent spam with genuine addresses (although this is easier to trace) or from spam-friendly domains that choose not to participate in the scheme. But it will stop a large amount of the spam sent currently and will help make spammers easier to trace and prosecute.
SPF isn't yet an official standard, but is being submitted to the Internet Engineering Task Force (IETF) for consideration as a standard. There's every reason to believe it will be adopted, since it's vendor-neutral, patent-free and requires very little in the way of extra software to implement. It also doesn't require the sender to do anything special, such as visit a validation Web page or include a special code in the email. Crucially, it also doesn't rely on having a third party verify mail or provide any sort of certificate -- everyone is master of their own domain.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
This means customers will be required to host their domain with the same provider as their dial-up connection, since the constraint on open relay means email senders always need to send smtp via the SMTP server at the ISP they dial in to.
This will be an issue for many small businesses which use dialup/adsl, do not run an email server to do dns lookups and send direct, and use a separate web hosting provider, which by necessity must host their domain, but doesn't provide smtp or dialup/adsl.
So this will have 2 effects
1. reduction in customer choice - you cannot pick a different web host from your connectivity isp
2. hosting only providers will no longer be able to operate unless they add smtp servers which can authenticate relaying senders.
No doubt ISPs love this, as it ties customers into buying more services from them, and big businesses are unaffected as they run their own smtp server. How many small businesses are represented in the group devising the standard? Those ISPs with significant small business customer-bases will probably have to provide a SPF-optout service to keep their customers (which the spammers will use).
In any case, spam friendly ISPs in less-well-regulated countries, and worms which use brute force attacks and dns lookup to get a legitimate sender address for a compromised PC used as a relay will soon render SPF ineffective, and spammers are very quick to exploit any loophole.
I doubt therefore whether SPF will have more than a fleeting impact.