Carl Hutzler’s Blog

Email Submission Operations: Access and Accountability Requirements :-)

---

Network Working Group                                         C. Hutzler
Request for Comments: 5068
BCP: 134                                                      D. Crocker
Category: Best Current Practice              Brandenburg InternetWorking
                                                              P. Resnick
                                                   QUALCOMM Incorporated
                                                               E. Allman
                                                          Sendmail, Inc.
                                                                T. Finch
                               University of Cambridge Computing Service
                                                           November 2007

  Email Submission Operations: Access and Accountability Requirements

Status of This Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Abstract

   Email has become a popular distribution service for a variety of
   socially unacceptable, mass-effect purposes.  The most obvious ones
   include spam and worms.  This note recommends conventions for the
   operation of email submission and transport services between
   independent operators, such as enterprises and Internet Service
   Providers.  Its goal is to improve lines of accountability for
   controlling abusive uses of the Internet mail service.  To this end,
   this document offers recommendations for constructive operational
   policies between independent operators of email submission and
   transmission services.

   Email authentication technologies are aimed at providing assurances
   and traceability between internetworked networks.  In many email
   services, the weakest link in the chain of assurances is initial
   submission of a message.  This document offers recommendations for
   constructive operational policies for this first step of email
   sending, the submission (or posting) of email into the transmission
   network.  Relaying and delivery entail policies that occur subsequent
   to submission and are outside the scope of this document.

1 comment

My thoughts on the matter posted to Dave Farber’s IP list…

---

While I don’t work at AOL anymore, I did run the anti-spam team for many
years and worked on the email platform for almost a decade. I can tell
you that from time to time we had a group complain that we were blocking
their mail without proper cause. In most cases we would provide the data
to show the organization why they were having issues. Most of the time
it was a combination of complaints about their mail (REPORT SPAM from
members) along with an abnormally high rate of bounced mail
(non-deliverable addresses). And in most cases the organization would
fix the issue once we got them signed up for a feedback loop which would
allow them to see their complaints and address the cause.

In all of my years at AOL, I can tell you that AOL never intentionally
blocked an organization for their political views. I would not have
allowed it. But we did block some of these political groups along the way… Read more

3 comments

Margot Koschier and I did some interviews a couple of years back for the Spam Documentary which I blogged about a while back. The film was taped by the Canadian PBS equivalent. And as they promised, it is now going to air on a US station, CourtTV. The show is even featured on CourtTV’s home page right now.

So tune in at 11pm on Tuesday 9/18 and see your’s truly get his 15 minutes ;-)

Click here for a preview.

3 comments

Today I am in Boston attendig the AOTA conference/summit. Basically it is a collection of security and antispam vendors along with a number of big ISPs and big email senders. The main thrust has to do with combating PHISH emails which attempt to defraud consumers by tricking them into visiting websites and giving up personal information like their login or SS#. Since most of the “spam” I get these days is indeed eBay, Paypal, Bank of America, and Citibank scams, I fully understand why this is the big problem today.

I have a number of take-away impressions from the conference, but I think the biggest one is that for the first time, I am finally seeing a maturation of AUTHENTICATION technologies for email. The big two are DKIM and SIDF. A terrific accomplishment is that both of these technologies are seeing fairly widespread adoption by both senders and receivers of email. As more organizations/domains adopt these technologies, it will become easier to tell who the responsible party is for the email that you are reading. And if that email is spam, who to hold responsible.

But AUTHENTICATION is only half of the issue. Even if I know that “you are who you claim you are”, I still don’t know if you are a “good guy”. A good example is looking at someone’s drivers license (an analogy used during one presentation). I might know that your name is John Smith (after comparing your picture to you, etc) but I don’t necessarily know if you are a good driver. Good driving is established after a period of time during which the driver exhibits good driving behavior.

So the next step in the email world is combining AUTHENTICATION with REPUTATION. And the biggest surprise for me after being somewhat out of the industry for 2-3 years, is that REPUTATION systems have arrived and are viable. Companies including Return-Path, Habeas, Goodmail, and others have evolved considerably and can provide real data to both senders and receivers of email. In addition, some of these providers along with major ISPs are receiving data as well as sharing their reputation data across other providers in exchange for receiving valuable reputation data in return. And the number of “feedback loops” (I should have patented/copyrighted that term, damn!) has grown dramatically and are now available from upwards of a dozen ISPs instead of just AOL and beta testing from Yahoo and Hotmail.

Its great to see an industry coming together and building the necessary tools and standards to make real progress in solving real problems. Very cool :-)

2 comments

Last year, Margot Koschier and I taped some interviews in AOL’s Reston operations facility for an upcoming film, Spam: The Documentary. The film was produced by Scott Dobson and directed by David Manning for Canada’s CBC station (similar to the Public Broadcasting Service (PBS) in the US)

Anyway, looks like it airs on both Tuesday October 17 and Saturday October 21 at 10pm ET/PT on CBC Newsworld. Set your TIVO!!

We heard from the director that they got some great footage when they literally ran after some well known spammers and tried to interview them in Las Vegas. Should be fun.

PS: If anyone does actually TIVO it, I would love to see the show. I just can’t wait until it comes to the States on Court TV sometime in the future :-)

2 comments