Friday, August 01, 2003

Spam and DNS


One of the simpler ideas that I've had for cutting down on SPAM is a solution to the forged domain problem. Right now, there's no way for a recipient to (easily) verify that a given IP address is authorized to send outbound mail on behalf of domain X. Some SMTP servers attempt to do reverse DNS lookups via PTR records (attempting to map the IP address back to the domain) - but this will not always work, and can't deal with outbound mail servers that are configured to allow multiple domains to send from them.

What's needed is a surer way for an SMTP server, when it gets contacted over SMTP, to determine whether the domain is being forged or not. It's then up to the destination SMTP server to decide whether to accept delivery for the message or not. (No external legislation please.) The basic scenario is as follows:

1. some-ip-address contacts my SMTP server to deliver a message on behalf of domain X
2. my SMTP server says, wait, let me verify your address
3. my SMTP server looks in domain X's DNS for the list of allowed outbound mail exchanges ("OX" records?)
4. if it finds the IP address to be a match, it allows the message to be delivered

Why create a new record type in DNS? Why not use A or MX records?

Well, MX records are for inbound mail routing only. In fact, a lot of places use different machines for inbound vs outbound e-mail. So a change would have to be made to how MX records are used (which would break a lot of things). The advantage of MX records, though, is that there are usually only a few per domain, which makes it near-trivial to just grab all of the DNS records.

"A" records don't work well either, because AFAIK, there is no efficient reverse DNS lookup that says "give me the record in domain X for IP address Y". A given domain might have hundreds or thousands of "A" records, which is too many for the SMTP server to look through quickly. Now, if there is an efficient search method in place, then it makes sense to just use "A" records. OTOH, by using records specifically tagged as "OX" or outbound exchange IP addresses, we cut off the problem where a virus/worm is able to e-mail itself to the entire world from an infected workstation without passing through our properly configured outbound SMTP server. (Where we can do things like check that the origin domain is not forged, or enforce other corporate policies.)
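The four-step scenario above, and the infected-workstation case it is meant to cut off, as an added sketch that is not code from the original post. "OX" is the post's hypothetical record type and does not exist in DNS, so a constructed dictionary stands in for the resolver; the function names, the verdict strings and the acceptance of a network prefix in an OX entry are assumptions.

```python
import ipaddress

# Constructed sample data standing in for DNS. "OX" is the post's hypothetical
# record type; no such type exists in DNS, so a dict plays the resolver.
SAMPLE_OX_ZONE = {
    "example.com": ["192.0.2.10", "192.0.2.11"],   # two outbound relays
    "example.org": ["198.51.100.0/28"],            # assumption: a prefix is allowed
}

def lookup_ox(domain, zone=SAMPLE_OX_ZONE):
    """Step 3: fetch the allowed outbound exchanges for a domain."""
    return zone.get(domain, [])

def sender_domain(mail_from):
    """Extract and normalise the domain of an SMTP MAIL FROM address."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None                     # null sender "<>" or malformed
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None

def normalise_ip(peer):
    """Parse the peer address; unwrap IPv4-mapped IPv6 from dual-stack sockets."""
    ip = ipaddress.ip_address(peer)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped or ip

def check_sender(peer, mail_from, lookup=lookup_ox):
    """Return 'match', 'forged', or 'no-policy' for one SMTP connection."""
    domain = sender_domain(mail_from)
    if domain is None:
        return "no-policy"
    entries = lookup(domain)
    if not entries:
        return "no-policy"              # domain publishes nothing: cannot judge
    ip = normalise_ip(peer)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return "match"              # step 4: listed outbound exchange
    return "forged"                     # e.g. a workstation bypassing the relay

if __name__ == "__main__":
    for peer, sender in [("192.0.2.10", "<alice@example.com>"),
                         ("203.0.113.77", "<alice@example.com>"),
                         ("::ffff:198.51.100.5", "bob@Example.ORG"),
                         ("203.0.113.77", "carol@example.net")]:
        print(peer, sender, "->", check_sender(peer, sender))
```

The function returns a verdict only; whether a "forged" or "no-policy" result leads to rejection stays a local decision of the receiving server, as the post intends.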

The big advantage is that it makes white lists more effective (white lists are lists of domains that are allowed to send e-mail without being flagged as spam) for the mail admins because they no longer have to worry about widespread domain forging. It doesn't solve the problem entirely (or even the spam problem in general), but it cuts down on the noise. It's really a non-issue with regards to anonymous mailings, because those can still happen - but the messages might not be deliverable if the destination SMTP server is strict about domain forging. Plus, there's also the option of sending through a trusted 3rd party, or web mail, or other transport options. It also doesn't require keys, or cryptography, or anything fancy on the DNS other than the ability to serve up one more record type.

Did some searching today on Google and found a similar proposal at the IETF for DNS RMX records (search for DNS and RMX or RMX and SMTP). Looks like the first draft went online back in Dec 2002, and they're working on the 3rd draft currently. Downside is that I think the IETF's anti-spam group will hem and haw rather than buckling down and implementing the darn thing. Latest copy of the draft has a section towards the end which lists some of the anticipated difficulties getting this into place.

posted by Wuphon's at 9:36 AM