Flathead Valley Web Works has been providing quality website design, hosting, advertising layout and photography since our founding in 1998

 

Sender Policy Framework (SPF)

SPF - An Anti-SPAM Measure

This piece is both informational and a call for action. Please take the time from a busy day to read it carefully. Some of the actions will affect you directly - it is important you understand their impact.

The volume of SPAM is rising - rapidly. SPAM increasingly threatens the effectiveness of email as a medium for doing business. Something has to be done.

SPAM and email based attacks are becoming increasingly sophisticated but the sheer volume of low tech SPAM is clogging the arteries of the internet and the inboxes of legitimate users.

There is nothing more annoying and frustrating than to receive a bounce message saying that a mail item - which you did not send - was rejected because it contained a virus or other offensive material. Someone has forged your address. Someone has stolen your identity.

It is estimated that 15 billion SPAM messages are sent every day. Some days it feels like they all arrived in our mailboxes!

Classic Solutions

The problem is finding a cure that is not worse than the disease.

We have reviewed and rejected some potential solutions:

  • Incoming Mail SPAM Filters: It is not up to us, nor should it be, to decide what constitutes SPAM and what does not. One person's legitimate mail may be another person's SPAM and vice versa. Until we can provide domain-specific SPAM filtering controlled by local mail administrators, detection and determination must remain an end-user feature.

The Good Guys vs the Bad Guys

There is action on both technical and legal fronts.

A number of countries and states have passed legislation providing for increasingly stiff remedies to cope with spammers, but until the problem reaches manageable proportions authorities worldwide will be swamped. How do you stop 500,000+ spammers? Get that number down to a couple of hundred and the authorities stand a fighting chance.

On the technical front the IETF (the group that sets technical standards for the Internet) has been looking at the problem under the MARID Working Group and hopes to have something standardised perhaps as early as late this year (2004). The technical debate is fierce but APPEARS to be moving toward a compromise for immediate action - possibly SPF as the simplest effective system - perhaps to be followed by a progressive series of enhancements each squeezing out more and more email vulnerabilities.

So What Can We Do?

We believe it is reasonable for us to reject mail which we know has forged its origin. It is trivially simple for spammers to use a legitimate email address to send SPAM. Checks to verify this form of SPAM were historically doomed to failure.

But things are changing.

The Sender Policy Framework (SPF) initiative was started earlier this year to provide a simple means to verify that mail most likely originated from the real sender. The SPF proposal has been forwarded to the IETF for consideration as an Internet standard. There is no guarantee that this will happen.

Having examined SPF we believe it can play a significant role in reducing SPAM and especially in the case of identity theft (forged mail using your email address) which we know is especially troubling to users. SPF uses only Public Domain technologies.

We believe we should implement SPF now - irrespective of its final status as an IETF standard. AOL is probably the biggest - certainly the most visible - company to have implemented SPF to date. Microsoft's alternate proposal has now been synchronised with SPF. With this kind of commitment and the 175,000 other domains that have registered their use of SPF (as of mid October 2004) we believe the SPF initiative can be effective and has industry traction.

When using SPF, as mail arrives at our incoming servers, the name server for the sender's domain can be interrogated to find out whether the originating IP address is authorised to send mail for that domain. This process is managed transparently by us as part of your normal mail delivery. SPF has two implications for users:

  • You will be able to send company email from any off-site location only by using your web mail account. An attempt to send mail using the off-site service provider's SMTP service will not be authorized for your company domain and would fail an SPF check at the receiver. We believe this has little impact on users but welcome your input. We provide WebMail for this reason: you can log in to WebMail anywhere in the world and send and receive your mail.
  • Permanent Forwarding of mail. If you elect to permanently forward mail for a particular user (typically an ex-employee) this will fail the receiver's SPF checks. There are a number of solutions to this problem which we will implement before going live.

We welcome any comment about these issues and in particular any ideas you have whereby we could reduce their impact.

The Call for Action

We support the SPF initiative as a first step to making SPAM a manageable problem.

We are in the middle of a radical overhaul and upgrade of our mail servers and have mapped out a five-phase email program:

  • Implementation
    • We have registered the domains to help build the counts and the industry momentum.
    • We have added the SPF logo to our front page and will progressively add the logo to our new mail servers.
  • All DNS Domains We Manage
    • If we manage your DNS records and mail we request that you authorize us on your behalf to:
      • Implement SPF records for all the domains that you own and that we manage.
      • Register your domain with the responsible authorities, both to continue the momentum and to make others aware that your domain may be safely checked using SPF to reject forged mail that has stolen your identity in order to deliver malicious or offensive material.
      • Help awareness by publicising the SPF initiative. We have no formalised plans at this time.
  • SPF Incoming Implementation
    • We plan to reject mail that fails the SPF checks. We will do it in three stages:
      • Implement SPF rejection on all domains owned by FVWW. We will run this for either 4 weeks or until we are comfortable that there are no negative effects or that the negative effects are acceptable.
      • Request authorization from all domains whose incoming and outgoing mail we manage to turn off SPF rejection.
      • Where a domain has implemented an SPF policy which shows the mail to be illegitimate we will reject it. We will continue to accept mail from domains which have not yet implemented SPF. We may decide to mark this mail as non-SPF checked. We will do this only after consultation with users.
  • SPAM Filtering of Incoming Mail

We request your help in supporting both our and industry-wide initiatives to help reduce SPAM. We cannot promise these measures will stop SPAM; we cannot even estimate how effective these measures will be in reducing SPAM. We promise only two things:

  • We will in all cases be the 'guinea-pigs' and experiment on our own domains first.
  • If we do nothing - the problem will get worse.


Copyright 1998 - 2007, Flathead Valley Web Works