Skip to content

Archives

Auth cookies in SMTP

Jeremy describes a way to kill off ‘joe-jobs’ — the practice of forging somebody’s address on spam, generally used to get around ‘does this user exist’ spam-filters, also used to ‘punish’ folks the spammer doesn’t like. Anyway, JZ’s suggestion is this:

One of the ideas tossed about was to implement a system that would make it easy for any MTA (Mail Transfer Agent–the programs that deliver e-mail on the Internet) to verify that a message that claims to be from [email protected] really is from a yahoo.com user.

This is technically doable. And it might be a good idea. Especially, as I argued, if one of the other big players (AOL or MSN/Hotmail) jumps on board and uses the same technique. If either one began to do the same, I expect that a domino effect would follow. Boom. Instant adoption.

But then he doesn’t say how to do this in a way that a spammer can’t forge. Dammit. ;)

Anyway, on with the message.

… However, one interesting objection was raised during the debate…

Wouldn’t that just cause spammers to prey on domains that are less equipped to ‘swallow a few million bounces per hour without breaking a sweat’? (To paraphrase a co-worker.)

Yep, it would — until those domains also instituted similar systems. Anyway, those domains are victims now anyway; I would say only about 50% of my spam comes from forged Yahoo!, Hotmail or other domains — the rest uses domains of small ISPs, and the occasional joe-job.

But back to the system. I would guess what Jeremy’s talking about is pretty similar to the system Pedro Melo describes in the comments. It consists of 2 components:

  • a header added by the MTA at relay time — X-Originator-Signature.
    • This contains ‘an internal identifier for the person who sent it …, a timestamp, and a MD5 of those two fields and a third secret passphrase I keep.’
  • a CGI script on a web server, which validates a pasted X-Originator-Signature header against what hashing those values with the secret passphrase produces, and responds ‘yea’ or ‘nay’.

A nifty idea. Jeremy, was that what you were thinking?

Comments closed