Jump to content

Option to use SPF for incoming email


petzl

Recommended Posts

http://spf.pobox.com/howworks.html

This site has a reasonable explanation

Basically fake email addresses are checked to see if email address originates from that domain if not it is rejected (hopefully in SpamCop emails case it goes to held folder)

31706[/snapback]

As mentioned elsewhere in these forums, SPF has it's own problems, specifically in using the address you want while sending email from wherever. For instance, I always use my ISP to send email but do not use that address anywhere because the master account was not allowed to format the address the way I wanted. It was required to be my last name and my house number, which is why I get lots of spam through that address.

I want to be able to use only my spamcop address on all emails, regardless of where I send my email from.

Link to comment
Share on other sites

I want to be able to use only my spamcop address on all emails, regardless of where I send my email from.

31711[/snapback]

Well if JT would get behind the SPF program and provide a SMTP (out going server accessed by logon/Password) It would be a disincentive for spamcop joejobs and you could send/access email with your SpamCop address anywhere

Remember I would also like non SPF to go to held mail if not whitelisted

The idea sounds solid and a good antispam solution (again IF it becoes a universal norm)

Link to comment
Share on other sites

Well if JT would get behind the SPF program and provide a SMTP (out going server accessed by logon/Password) It would be a disincentive for spamcop joejobs and you could send/access email with your SpamCop address anywhere

31897[/snapback]

But Petzl, I do not want to be transferring all my messages over the wire to any future spamcop SMTP servers. Often when away from home, I am on very slow dialup. Dropping the message at the closest mailbox (the ISP's) is an advantage and minimizes the bandwidth used across the internet.

I completely agree with spamcop's decision not to support SMTP servers from the reputation point of view. I don't think SPF will be widely accepted and implemented to make it useful.

Link to comment
Share on other sites

http://spf.pobox.com/howworks.html

This site has a reasonable explanation

Basically fake email addresses are checked to see if email address originates from that domain if not it is rejected (hopefully in SpamCop emails case it goes to held folder)

31706[/snapback]

SPF is one of those approaches to blocking unwanted messages that works just fine until the sender starts travelling and wants to retain their own from address and yet is forced to use a local SMTP server.

It has happened to me twice recently. Once in a university which blocked access to external SMTP servers from within its networks - presumably for security issues. Once for a company I was visiting for work in Tanzania. Their Internet networks in the country are not well linked and therefore virtually all traffic is routed out of Tanzania. They required use of their SMTP server to reduce bandwidth consumption on their overcrowded satellite link to Europe.

There are all sorts of legitimate reasons why SPF can create problems.

If it was an option then I guess it would not be too much of a problem but, in my opinion, it isn't a solution that would work well until it became an agreed and pretty universal approach.

Andrew

Link to comment
Share on other sites

which blocked access to external SMTP servers from within its networks - presumably for security issues.

31900[/snapback]

Andrew, you just hit another sticking point for me and my company. For security reasons, my company also does not allow access to external SMTP servers (or even webmail). All email traffic leaves the company via our servers so we have a record. We have lots of company secrets which we need to protect. I'm sure we are not alone in that.

Link to comment
Share on other sites

Andrew, you just hit another sticking point for me and my company. For security reasons, my company also does not allow access to external SMTP servers (or even webmail).  All email traffic leaves the company via our servers so we have a record.  We have lots of company secrets which we need to protect.  I'm sure we are not alone in that.

31901[/snapback]

I wish you luck on that one! It's easy enough to get around port-25 filtering by supplying SMTP on another port, say 587, or any of the 65k ports available. What you end up having to do, to be thorough, is block the SMTP protocol on all outgoing ports and you have to do that with stateful filtering. Even with all that, I could work my way past any firewall/filtering solution as long as I had control of the receiving machine.

And no, you're not alone. We're all tilting at windmills trying to secure IP from the (presumed) malicious employee. For any scheme that still allows connectivity to the net, I can see a way around it. If I can't, then someone more clever can, and that person probably works for one of us.

...Ken

Link to comment
Share on other sites

I wish you luck on that one!  It's easy enough to get around port-25 filtering by supplying SMTP on another port, say 587, or any of the 65k ports available.  What you end up having to do, to be thorough, is block the SMTP protocol on all outgoing ports and you have to do that with stateful filtering.  Even with all that, I could work my way past any firewall/filtering solution as long as I had control of the receiving machine.

31908[/snapback]

Quite simple really, we only allow our 2 email servers access to the SMTP port and the only other ports we allow out is HTTP and HTTPS.

Also, all HTTP type traffic goes through a content filter to block users getting to unwanted sites, including webmail. If there is a business need to get to a blocked site, the persons supervisor approves it and the site is added to the "whitelist".

All this was driven by the CFO so we have very few complaints.

Link to comment
Share on other sites

Quite simple really, we only allow our 2 email servers access to the SMTP port and the only other ports we allow out is HTTP and HTTPS.

Also, all HTTP type traffic goes through a content filter to block users getting to unwanted sites, including webmail.  If there is a business need to get to a blocked site, the persons supervisor approves it and the site is added to the "whitelist".

All this was driven by the CFO so we have very few complaints.

31909[/snapback]

That will stop the average user, not the guy wanting to steal. All that would have to be done is to set up an SMTP server at home on port 80 and they would be able to send email that you could not track. Use SSH going to port 80 and they can get to anything they want with port forwarding.

If you allow access to the net, you've allowed access out. Short of draconian measures, out means out.

...Ken

Link to comment
Share on other sites

That will stop the average user, not the guy wanting to steal.  All that would have to be done is to set up an SMTP server at home on port 80 and they would be able to send email that you could not track.  Use SSH going to port 80 and they can get to anything they want with port forwarding.

31921[/snapback]

OK, I am not going to go into this much deeper, but our content server (in line with the firewall, only allows HTTP traffic over port 80 (it is a proxy server so there is no direct connection to the internet, non HTTP traffic is dropped silently and logged) and only to specific allowed web site categories.

Link to comment
Share on other sites

But Petzl, I do not want to be transferring all my messages over the wire to any future spamcop SMTP servers.  Often when away from home, I am on very slow dialup.  Dropping the message at the closest mailbox (the ISP's) is an advantage and minimizes the bandwidth used across the internet.

I completely agree with spamcop's decision not to support SMTP servers from the reputation point of view.  I don't think SPF will be widely accepted and implemented to make it useful.

31898[/snapback]

Suprisingly I too end up in places where dialup was the norm. This has now changed or changing with wireless (now apparently offerering up to 75 megabites a second from your laptop)

SpamCop Email Service should never rest on its "laurels" and needs to advance. While still the very best (and only)email service for stopping spam getting to your inbox. I want more, which is a very white hat SMTP for sending email and needs not to be "pooh-poohed" and forgoten about because of simply being sumised as being in the too hard basket

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...