petzl Posted August 16, 2005

http://spf.pobox.com/howworks.html

This site has a reasonable explanation. Basically, fake email addresses are checked to see if the email address originates from that domain; if not, it is rejected (hopefully in SpamCop email's case it goes to the held folder).

StevenUnderwood Posted August 16, 2005

> http://spf.pobox.com/howworks.html This site has a reasonable explanation. Basically, fake email addresses are checked to see if the email address originates from that domain; if not, it is rejected (hopefully in SpamCop email's case it goes to the held folder).

As mentioned elsewhere in these forums, SPF has its own problems, specifically in using the address you want while sending email from wherever. For instance, I always use my ISP to send email but do not use that address anywhere because the master account was not allowed to format the address the way I wanted. It was required to be my last name and my house number, which is why I get lots of spam through that address. I want to be able to use only my spamcop address on all emails, regardless of where I send my email from.

petzl (Author) Posted August 22, 2005

> I want to be able to use only my spamcop address on all emails, regardless of where I send my email from.

Well, if JT would get behind the SPF program and provide an SMTP (outgoing server accessed by logon/password), it would be a disincentive for SpamCop joejobs and you could send/access email with your SpamCop address anywhere. Remember, I would also like non-SPF to go to held mail if not whitelisted. The idea sounds solid and a good antispam solution (again, IF it becomes a universal norm).

StevenUnderwood Posted August 22, 2005

> Well, if JT would get behind the SPF program and provide an SMTP (outgoing server accessed by logon/password), it would be a disincentive for SpamCop joejobs and you could send/access email with your SpamCop address anywhere.

But Petzl, I do not want to be transferring all my messages over the wire to any future spamcop SMTP servers. Often when away from home, I am on very slow dialup. Dropping the message at the closest mailbox (the ISP's) is an advantage and minimizes the bandwidth used across the internet. I completely agree with spamcop's decision not to support SMTP servers from the reputation point of view. I don't think SPF will be widely accepted and implemented to make it useful.

agsteele Posted August 22, 2005

> http://spf.pobox.com/howworks.html This site has a reasonable explanation. Basically, fake email addresses are checked to see if the email address originates from that domain; if not, it is rejected (hopefully in SpamCop email's case it goes to the held folder).

SPF is one of those approaches to blocking unwanted messages that works just fine until the sender starts travelling and wants to retain their own from address and yet is forced to use a local SMTP server. It has happened to me twice recently. Once in a university which blocked access to external SMTP servers from within its networks - presumably for security issues. Once for a company I was visiting for work in Tanzania. Their Internet networks in the country are not well linked and therefore virtually all traffic is routed out of Tanzania. They required use of their SMTP server to reduce bandwidth consumption on their overcrowded satellite link to Europe. There are all sorts of legitimate reasons why SPF can create problems. If it was an option then I guess it would not be too much of a problem but, in my opinion, it isn't a solution that would work well until it became an agreed and pretty universal approach.

Andrew

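The check described in the first post, and the travelling-sender failure raised in the replies above, as an added example (not code from the thread, SpamCop or the SPF project). The domains, the documentation-range IPs and the `SPF_RECORDS` table standing in for DNS are constructed, `delivery_action` is a hypothetical "hold instead of reject" policy, and only the `ip4`, `ip6`, `include` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (documentation domains/ranges).
SPF_RECORDS = {
    "mailbox.example": "v=spf1 ip4:192.0.2.0/28 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.25 ~all",
    "nopolicy.example": None,  # domain publishes no SPF record
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, depth=0):
    """Evaluate the envelope-sender domain's SPF policy for the connecting IP."""
    record = SPF_RECORDS.get(sender_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include matches only when the referenced policy returns pass
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # a/mx/exists/ptr need live DNS; not handled here
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def delivery_action(sender_domain, client_ip, whitelisted=False):
    """Hypothetical receiver policy from the thread: hold rather than reject."""
    result = check_spf(sender_domain, client_ip)
    if whitelisted or result == "pass":
        return result, "inbox"
    return result, "held"
```

A message with a `mailbox.example` sender handed to an unrelated local relay (here 203.0.113.9) evaluates to `fail`, which is the travelling case described above; the same sender through the provider's own range or the included relay evaluates to `pass`.
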
StevenUnderwood Posted August 22, 2005

> which blocked access to external SMTP servers from within its networks - presumably for security issues.

Andrew, you just hit another sticking point for me and my company. For security reasons, my company also does not allow access to external SMTP servers (or even webmail). All email traffic leaves the company via our servers so we have a record. We have lots of company secrets which we need to protect. I'm sure we are not alone in that.

loafman Posted August 22, 2005

> Andrew, you just hit another sticking point for me and my company. For security reasons, my company also does not allow access to external SMTP servers (or even webmail). All email traffic leaves the company via our servers so we have a record. We have lots of company secrets which we need to protect. I'm sure we are not alone in that.

I wish you luck on that one! It's easy enough to get around port-25 filtering by supplying SMTP on another port, say 587, or any of the 65k ports available. What you end up having to do, to be thorough, is block the SMTP protocol on all outgoing ports and you have to do that with stateful filtering. Even with all that, I could work my way past any firewall/filtering solution as long as I had control of the receiving machine.

And no, you're not alone. We're all tilting at windmills trying to secure IP from the (presumed) malicious employee. For any scheme that still allows connectivity to the net, I can see a way around it. If I can't, then someone more clever can, and that person probably works for one of us.

...Ken

StevenUnderwood Posted August 22, 2005

> I wish you luck on that one! It's easy enough to get around port-25 filtering by supplying SMTP on another port, say 587, or any of the 65k ports available. What you end up having to do, to be thorough, is block the SMTP protocol on all outgoing ports and you have to do that with stateful filtering. Even with all that, I could work my way past any firewall/filtering solution as long as I had control of the receiving machine.

Quite simple really, we only allow our 2 email servers access to the SMTP port and the only other ports we allow out are HTTP and HTTPS. Also, all HTTP type traffic goes through a content filter to block users getting to unwanted sites, including webmail. If there is a business need to get to a blocked site, the person's supervisor approves it and the site is added to the "whitelist". All this was driven by the CFO so we have very few complaints.

loafman Posted August 23, 2005

> Quite simple really, we only allow our 2 email servers access to the SMTP port and the only other ports we allow out are HTTP and HTTPS. Also, all HTTP type traffic goes through a content filter to block users getting to unwanted sites, including webmail. If there is a business need to get to a blocked site, the person's supervisor approves it and the site is added to the "whitelist". All this was driven by the CFO so we have very few complaints.

That will stop the average user, not the guy wanting to steal. All that would have to be done is to set up an SMTP server at home on port 80 and they would be able to send email that you could not track. Use SSH going to port 80 and they can get to anything they want with port forwarding.

If you allow access to the net, you've allowed access out. Short of draconian measures, out means out.

...Ken

StevenUnderwood Posted August 23, 2005

> That will stop the average user, not the guy wanting to steal. All that would have to be done is to set up an SMTP server at home on port 80 and they would be able to send email that you could not track. Use SSH going to port 80 and they can get to anything they want with port forwarding.

OK, I am not going to go into this much deeper, but our content server (in line with the firewall) only allows HTTP traffic over port 80 (it is a proxy server so there is no direct connection to the internet; non-HTTP traffic is dropped silently and logged) and only to specific allowed web site categories.

petzl (Author) Posted August 23, 2005

> But Petzl, I do not want to be transferring all my messages over the wire to any future spamcop SMTP servers. Often when away from home, I am on very slow dialup. Dropping the message at the closest mailbox (the ISP's) is an advantage and minimizes the bandwidth used across the internet. I completely agree with spamcop's decision not to support SMTP servers from the reputation point of view. I don't think SPF will be widely accepted and implemented to make it useful.

Surprisingly, I too end up in places where dialup was the norm. This has now changed or is changing with wireless (now apparently offering up to 75 megabites a second from your laptop). SpamCop Email Service should never rest on its "laurels" and needs to advance. While still the very best (and only) email service for stopping spam getting to your inbox, I want more, which is a very white hat SMTP for sending email, and it needs not to be "pooh-poohed" and forgotten about because of simply being surmised as being in the too hard basket.