Preparing for the near future of email By Peter M. Abraham April 2004 You have probably seen an increase in the quantity of spam you receive in your email even though we are using seven RBL (real time black hole lists) to prevent spam from known spam senders as well as those companies who have mis-configured mail servers which pose a threat (virus, and otherwise) to our servers and you our clients. Spam senders and virus authors and hackers are taking advantage of the thousands of compromised personal computers and servers across the world to send out more and more spam.  RBL's are not catching these types of spam because of constant IP shifts; and one would have to block dial up accounts from sending email (something AOL is already doing) which puts more strain on valid senders. The large majority of this spam uses spoofed (forged or otherwise fake) return and sender email addresses. Over the past several months, we've seen an increase of complaints from email hosting customers who are the victims of email address spoofing (forgery). And it is not just our customers who are victims of spoofing! "Spoofing of e-mail has become a tremendous issue for the industry," AOL spokesman Nicholas Graham said. E-mail spoofing is one of the toughest problems that ISPs and anti-spam companies face, largely because Simple Mail Transfer Protocol (SMTP)--the method for sending e-mail--offers no widespread means to detect and verify a sender's identity. Junk mailers typically cover their tracks by hacking into unprotected e-mail servers or open relays, or by falsifying names and e-mail addresses in the e-mail sender field. There are three emerging solutions for this problem from SPF (Sender Policy Frame Work -- an independent, open source, solution), Microsoft Corporation, and Yahoo Corporation. The concept behind these methods is very similar to "Caller ID" on your telephone. Caller ID allows you to see the phone number of the person calling you; and, gives you the ability to accept or reject calls based on your knowledge of that phone number. SPF (Sender Policy Framework) is currently the leader of the emergency solutions. SPF requires the domain name servers for a domain name address such as dynamicnet.net to include additional records which tell the world whether or not the domain name sends out mail and by what means. Mail servers on the receiving end will query the domain name servers of the sending domain to determine whether the mail sender is a forgery (spoof) or an authorized sender. PC Magazine, and other journals, have recently started publishing more and more articles on the solutions presented by SPF, Microsoft Corporation, and Yahoo Corporation. Companies like America On-line (AOL) have already started moving towards SPF (yes, they picked the independent, open source solution). The move is time consuming and does involve labor and resources as all domain name records must be updated; and mail server software must be updated as well. Dynamic Net, Inc. is laying the ground work for moving towards SPF; and we should be on the floor running between before the end of the third quarter of this year. We are currently investigating whether or not a move from POP3 before SMTP (the current way all of our clients, board members and staff) send email to SMTP Auth (which requires a small setting change in Microsoft Outlook, Outlook Express, Eudora, etc.) will aid in ensuring our adoption of the emerging leader's methodology will make it easier for those sending email through our services to be white listed. White listed?  Do you recall a few paragraphs above about using caller ID to determine whether or not to pick up a call? Well, there are phone numbers you probably let go to the answering machine; and there are other phone numbers you may jump to pick up. On the same token, if mail receivers see our authorized sender records, AND know the sender has authorized themselves1, then the mail receiver has the potential to white list the sender making future communication go faster (less queries). We will be writing to you more about the move towards SPF and the potential change from POP before SMTP to SMTP Auth over the next several months. In the mean time, please understand that spoofing (forging) email addresses is on the rise including the volume of spam.  Please understand we do care about the impact of these two issues (spoofing and spam); and hence, we are moving towards the adoption of an emergency industry standard to help with these issues. Please feel free to call or email our support department with questions. Thank you. 1  POP before SMTP (the current way we allow customers to send email through our servers) means that as long as any POP3 user checks their email that anyone sending through the domain name is validated (ok to send). SMTP Auth, on the other hand, requires each sender to validate prior to sending.  So instead of riding on the coat tales (so to speak) of another person who did validate (by checking their POP3 email), each sender must validate on their own.