The e-mail system on the Internet needs to be totally gutted and recreated. It doesn't have the best security measures and it doesn't have any effective ways of blocking spam (other than reading patterns in your e-mail messages).
So, a new protocol should be made, possibly called POP4. It would be reverse compatible with POP3 (at least until other servers update to be POP4 compliant).
Well first, here's some of the problems with POP3:
• E-mail forging is too easy. Just run some local SMTP server and you can totally B/S the From: field.
• Spam protection isn't very efficient.
And now, how POP4 could solve these problems:
• Upon receiving an e-mail, it would then double check with the claimed domain of the sender, to make sure they really sent it.
  ¤ This would stop fake e-mailers, since the domain of the FROM: must be sent from that domain's server alone.
  ¤ This would stop spam, since spam would have to be sent from its own server, which could easily be blocked by other POP4 servers.
And a for instance:
Quote:
Say you want to send an e-mail from an @cpan.org address to an @yahoo.com address.
You decide to use a local SMTP server to forge the e-mail (I don't know that CPAN even has any on-site e-mail senders anyway).
So, Yahoo.com gets the e-mail that claims to be sent from CPAN.org. It would connect with CPAN.org and ask the server if it's really responsible for sending this e-mail.
The server would reply that it did NOT send that e-mail. Yahoo would then know the e-mail was forged, and would delete it.
Many spam companies use all kinds of different SMTP servers, making it hard to block them. But in this case, all the @domain.com e-mail addresses must be sent from their own domain's server, so spammers can't make up random domains and get away with it--they must send from their own domain. All POP4 compliant servers would be able to block spam domains, effectively reducing spam.
So, at least for a project, I and whoever else wants to volunteer will program a POP4 protocol. After the protocol is complete (or at least beta enough for testing), it would be copied to another server and run there. Then we'd send all kinds of e-mails (real and fake) that appear to be from one server directed at the other, and see how the POP4 protocol handles these.
If anybody wants to help with this project, or contribute other ideas of how to improve the POP3 protocol for the POP4 one, reply here.
Edit: Yes, the "POP4" protocol would also include a new SMTP protocol. SMTP's are the ones who handle incoming and outgoing e-mails, after all.
_________________
Current Site (2008) http://www.cuvou.com/
Sounds good, Cer, but the thing is, if you have access to a server (e.g. a hosting account), it's very easy then to fake emails for domains off the same server.
But of course with dedicated servers / IPs it would be much better.
Cer, if you need anyone to test it on a server or two, then I could possibly help.
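The receiving-side check proposed in the first post, together with the shared-hosting limitation raised in the reply above, as an added example that is not code from the thread. The policy table, domain names and verdict strings are constructed, and the query a real server would send to the claimed domain is replaced by an in-memory table.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for "asking the claimed domain": each domain lists the
# addresses allowed to send its mail (documentation IP ranges, made-up names).
AUTHORIZED_SENDERS = {
    "cpan.example": ["192.0.2.10"],
    "shop-a.example": ["198.51.100.0/24"],  # shared hosting range
    "shop-b.example": ["198.51.100.0/24"],  # another customer, same range
    "bulk-offers.example": ["203.0.113.50"],
}
BLOCKED_DOMAINS = {"bulk-offers.example"}  # the receiver's own blocklist

ACCEPT, FORGED = "accept", "reject-forged"
BLOCKED, UNVERIFIED = "reject-blocked", "unverified"


def sender_domain(from_header):
    """Return the lower-cased domain of a From: value, or None if unusable."""
    address = parseaddr(from_header)[1]
    if address.count("@") != 1:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower()
    return domain or None


def check_message(from_header, client_ip):
    """Verdict for a message claiming from_header, delivered by client_ip."""
    domain = sender_domain(from_header)
    if domain is None:
        return FORGED
    networks = AUTHORIZED_SENDERS.get(domain)
    if networks is None:
        # The domain publishes nothing (not upgraded yet): cannot be verified.
        return UNVERIFIED
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(net) for net in networks):
        return FORGED
    # Blocking by name only means something once the domain is verified;
    # a forged use of the name was already rejected above.
    return BLOCKED if domain in BLOCKED_DOMAINS else ACCEPT


if __name__ == "__main__":
    print(check_message("Author <author@cpan.example>", "203.0.113.7"))
    print(check_message("Author <author@cpan.example>", "192.0.2.10"))
    # Shared hosting: a shop-b customer sends as shop-a from the same range.
    print(check_message("billing@shop-a.example", "198.51.100.77"))
```

The last call is accepted even though the sender is not shop-a, which is the shared-server gap: the check authenticates the sending host, not the account on it.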
Posted: Sat Apr 02, 2005 12:12 am
I've actually heard of such things already. I'm not sure there isn't already some sort of thing under works. Check and see if there is an RFC out for such a server already. Then you could work to meet that protocol.
The biggest problem, though not a deal breaker, is that if it is backwards compatible then it has all the problems of current mail servers because the spammers can always just use POP3. BTW I think you mean to talk more about SMTP (yes, I saw your update). POP3 is specifically mailbox access, like IMAP, and others I can't remember. You want to focus on how email servers transfer messages. One idea might be to be backwards compatible but still find a way to force users on an old server to identify themselves. Like sending an email to the user asking them to simply reply to verify they exist. It wouldn't prove that the email was coming from them, but most spam comes from non-existent addresses so it *might* help some.
A more interesting project might be to take an existing mail server and see what kind of automated anti-spam techniques you can build into the existing protocol. This would allow existing servers to fix things without changing protocols... Okay, enough blabbing from me.
_________________
Eric256
Proud previous owner and current admin of Bot-depot.com
Just enable authentication for ALL SMTP servers. Include the auth name (can be your ISP's email address) inside the mail headers.
Now, it would still be possible to forge the FROM field (can be enabled/disabled per account by the ISP), but at least there is notification in the headers of the original message.
Suppose SMTP2SMTP traffic also happens authenticated in the same way. That would still allow you to set up your local mail server (using your ISP authname & password) but would 'mark' all your outgoing mail as being sent by 'authname' (which could resemble your standard mail address).
Major ISPs could talk to each other and agree on authnames/passwords to deliver mail with each other; systems that cannot do it directly (because they haven't got a login/pass with the receiver's mail server) would have to dump it to one that can.
Of course, such changes aren't pushed overnight. But this will allow you to reliably 'blacklist' certain servers/users/domains.
I had this idea a while ago and started working on it: http://pop4.org
However, what you're talking about is SMTP more than POP. SMTP is what needs to be fixed to stop spam. POP (and my POP4 implementation) is more about more organized mail retrieval.
Alas, nobody is interested and Mark Crispin (the IMAP guy) was less than pleased. And there are people doing things like you said.
QUOTE(Cer @ Apr 1 2005, 02:17 PM)
This is an idea I had a while ago:
The e-mail system on the Internet needs to be totally gutted and recreated. It doesn't have the best security measures and it doesn't have any effective ways of blocking spam (other than reading patterns in your e-mail messages).
So, a new protocol should be made, possibly called POP4. It would be reverse compatible with POP3 (at least until other servers update to be POP4 compliant).
Well first, here's some of the problems with POP3:
• E-mail forging is too easy. Just run some local SMTP server and you can totally B/S the From: field.
• Spam protection isn't very efficient.
And now, how POP4 could solve these problems:
• Upon receiving an e-mail, it would then double check with the claimed domain of the sender, to make sure they really sent it.
  ¤ This would stop fake e-mailers, since the domain of the FROM: must be sent from that domain's server alone.
  ¤ This would stop spam, since spam would have to be sent from its own server, which could easily be blocked by other POP4 servers.
And a for instance:
Quote:
Say you want to send an e-mail from an @cpan.org address to an @yahoo.com address.
You decide to use a local SMTP server to forge the e-mail (I don't know that CPAN even has any on-site e-mail senders anyway).
So, Yahoo.com gets the e-mail that claims to be sent from CPAN.org. It would connect with CPAN.org and ask the server if it's really responsible for sending this e-mail.
The server would reply that it did NOT send that e-mail. Yahoo would then know the e-mail was forged, and would delete it.
Many spam companies use all kinds of different SMTP servers, making it hard to block them. But in this case, all the @domain.com e-mail addresses must be sent from their own domain's server, so spammers can't make up random domains and get away with it--they must send from their own domain. All POP4 compliant servers would be able to block spam domains, effectively reducing spam.
So, at least for a project, I and whoever else wants to volunteer will program a POP4 protocol. After the protocol is complete (or at least beta enough for testing), it would be copied to another server and run there. Then we'd send all kinds of e-mails (real and fake) that appear to be from one server directed at the other, and see how the POP4 protocol handles these.
If anybody wants to help with this project, or contribute other ideas of how to improve the POP3 protocol for the POP4 one, reply here.
Edit: Yes, the "POP4" protocol would also include a new SMTP protocol. SMTP's are the ones who handle incoming and outgoing e-mails, after all.
Your mail server sends an email to @aol.com, @aol goes to check and make sure that your mail server's IP address has a PTR record (in-addr.arpa).
This negates things like SMTP zombie clients from sending email to them. You can still spam AOL but you must do it from a machine on a real network, not from Comcast/EarthLink, etc.
There are also spamlists which are very effective if people used them. It is also fun to run queries against the database at http://openrbl.org
Not to sound demeaning or anything but people smarter than you have already thought about and fixed the whole SMTP problem, it just seems that no one wants to convert over and use it. This is a common problem though, not localized to SMTP. Take IPv6 for example, we still aren't using it.
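The PTR check described in the post above, as an added example that is not from the thread. It goes one step further than the post and also confirms that the PTR name resolves back to the connecting address; the DNS data is a constructed in-memory table with made-up host names.

```python
import ipaddress

# Constructed DNS data (documentation addresses, made-up host names).
# Reverse names are derived with reverse_pointer so IPv4 (in-addr.arpa)
# and IPv6 (ip6.arpa) clients are handled the same way.
PTR_RECORDS = {
    ipaddress.ip_address("192.0.2.10").reverse_pointer: "mail.sender.example",
    ipaddress.ip_address("2001:db8::25").reverse_pointer: "mx6.sender.example",
    # A PTR that claims a name whose owner does not list this address:
    ipaddress.ip_address("203.0.113.77").reverse_pointer: "mail.sender.example",
}
ADDRESS_RECORDS = {
    "mail.sender.example": ["192.0.2.10"],
    "mx6.sender.example": ["2001:db8:0:0:0:0:0:25"],
}


def check_client(client_ip, ptr=PTR_RECORDS, forward=ADDRESS_RECORDS):
    """Return (verdict, detail) for a connecting SMTP client address."""
    ip = ipaddress.ip_address(client_ip)
    host = ptr.get(ip.reverse_pointer)
    if host is None:
        # What the post describes: no PTR record, so the client is refused.
        return ("reject", "no PTR record")
    # Added step: the PTR name must resolve back to the same address,
    # otherwise anyone controlling a reverse zone could claim any name.
    confirmed = {ipaddress.ip_address(a) for a in forward.get(host, [])}
    if ip not in confirmed:
        return ("reject", "PTR name does not resolve back to client")
    return ("accept", host)


if __name__ == "__main__":
    for addr in ("192.0.2.10", "2001:db8::25", "198.51.100.23", "203.0.113.77"):
        print(addr, check_client(addr))
```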
I saw another solution people had for this... I got an e-mail once from a Yahoo member (to my Yahoo mail) and it said something about how this e-mail was actually sent from Yahoo and not through another server.
They use something called DomainKeys (http://domainkeys.sf.net/). I don't quite get how they work but it sounds more efficient than what AOL's been doing (and can easily be included with other people's servers too).
I just lost track of this topic until now so didn't post about this sooner.
Quote:
Not to sound demeaning or anything but people smarter than you have already thought about and fixed the whole SMTP problem, it just seems that no one wants to convert over and use it.
It's not my lack of intelligence, it's my laziness. When I really want to do something I find a way to do it, even if I have to expand my own knowledge a bit.
_________________
Current Site (2008) http://www.cuvou.com/