
 

Matthew Jones lives in the UK.

If you want to contact him, please email him using his first name at the domain name you see this at.

Do not use the nice link below, which is a honeytrap for a spam filter.

E-mail

Email sender identity proof - could this work?

As someone who has been victim to a spammer forging our email "from" address, and thus getting over 10,000 bounce emails a day for nearly ten days, I have a personal interest in making sure it doesn't happen again. The likes of the SPF (Sender Permitted From) therefore look interesting. But why can't it be much simpler?


One of the interesting thoughts I got from reading PC Pro (UK magazine), which said that there were three or four competing systems, one of which uses server keys, is why we can't just sign the emails? That is, make a header like:

X-SignText: 2004-04-22 name@matthew-jones.com 1942939
X-SignValid: KSKFKSJFLSKJSLKFSLKJFSLKJ

Now, to check this was valid, you'd get a text record from the domain server which would contain a public key. You'd then decrypt the SignValid part and match the SignText item. If it didn't match, then you'd just bin it. By including the date you stop people catching one header and forging forever and can ensure it is within a few days of sending. The random number keeps the encryption on its toes to ensure it can't be cracked.

Why wouldn't this work? It doesn't depend on sender IP numbers at all. It of course needs an email client to encrypt a line, but code for that is commonplace, and is certainly less work than lots of lookups as needed by SPF and the like.

I'll declare an interest in that I write the Epanoopy spam filter for VPOP3.
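The check described above, sketched as an added example (not code from the original page or from any of the competing systems it mentions). Assumptions: the DNS text record is simulated by a dictionary, the key pair is a constructed toy RSA key, the header is hashed with SHA-256 before signing, the freshness window is three days, and example.org is a placeholder domain.

```python
import hashlib
from datetime import date, timedelta

# Constructed demo key built from two Mersenne primes: trivially factorable,
# illustration only. Real use needs a vetted crypto library and padding.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the sender

# Stand-in for the DNS text record lookup (assumed content: modulus, exponent).
DNS_TXT = {"example.org": (N, E)}

MAX_AGE = timedelta(days=3)            # "within a few days of sending"

def _digest(sign_text):
    return int.from_bytes(hashlib.sha256(sign_text.encode()).digest(), "big")

def sign(sign_text, d=D, n=N):
    """Sender side: produce the X-SignValid value for an X-SignText value."""
    return format(pow(_digest(sign_text), d, n), "x")

def verify(sign_text, sign_valid, from_addr, today):
    """Receiver side: return (accepted, reason) for one pair of headers."""
    try:
        sent, addr, _nonce = sign_text.split()
        sent_day = date.fromisoformat(sent)
        sig = int(sign_valid, 16)
    except ValueError:
        return False, "malformed header"
    # The signed address must be the one the message claims to come from.
    if addr.lower() != from_addr.lower():
        return False, "signed address differs from From address"
    key = DNS_TXT.get(addr.rpartition("@")[2].lower())
    if key is None:
        return False, "no key published for domain"
    n, e = key
    # "Decrypt" SignValid with the public key and match it against SignText.
    if not 0 < sig < n or pow(sig, e, n) != _digest(sign_text):
        return False, "signature mismatch"
    # Reject headers outside the freshness window (limits reuse of a capture).
    if abs(today - sent_day) > MAX_AGE:
        return False, "signature too old"
    return True, "ok"
```

The signed text covers only the date, address and random number, so an accepted result says the header came from the key holder within the window; it says nothing about the message body that travels with it.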

 

 

 


 


Code signing:

Code signing is getting more important for all levels of developer. Read my article on code-signing for applications. Particularly relevant as XP SP2 causes warnings that you can avoid, either free or at low cost.