Tuesday, July 10, 2007

Some White Listing Essentials - Procedures Followed

Armed with an IP address and a client request, the admin first checks the sender domain to see whether or not it is forged, since spammers like to vary their return-address domain names. This is done using SPF (Sender Policy Framework), an extension of SMTP. Plain SMTP allows anybody to forge a return address, which by default hands the advantage to spammers (the design is outdated and should be changed). With SPF the owner of a domain publishes which servers are authorized to send mail for it, so the admin looks up the sender policy of the domain the message claims to come from; if the message does not comply with that policy, it is treated as coming from a spammer and the "white list" request is rejected.

So if Messrs Spam sends an email claiming to be and asks to be white listed for all users, Jungle's admin checks Whois sender's policy (after verifying that whois is a real site), and if he notices that only so and so public domain is allowed to send emails but this comes from Spam and not public domain, s/he rejects the whitelist request, since it isn’t really from whois. The above method does not work if has compromised machines or if the spammer is actually an account holder on (but this leaves a trail for the spammer to be tracked).

Other Procedures

Other means of authenticating include Sender ID and DomainKeys. DomainKeys verifies the digital signature carried in the email, whereas SPF simply queries the sending domain's DNS to check whether the connecting server is one of the hosts its policy lists as mail servers.

Protect Your Turf

If you want to be sure that some spammer does not start using your servers to send mail (and you have never bothered to separate your mail-sending servers from the rest), it is best to block outbound mail from your non-mail-sending servers, or from all of them if none of your servers send mail, and then say so in your DNS records. This blocking is voluntary, but once it is done the only thing you still need to watch is that your mail server has no open ports that a hacker can use to gain access to it.

Third Party Senders

Some agencies forward emails from various IPs. Such third parties throw a spanner into authentication procedures: since only the forwarder's IP addresses appear in the message, schemes such as SPF and Sender ID have trouble with them. Most third-party senders are trusted by the ESPs to verify that the senders are not spammers before sending their mails. Forwarders will, however, have mail bounced back to them (not to the original sender) if it is discovered to be spam, and are in turn obligated to bounce it back to the sender. Email authentication is a big deal. It is a good idea not to take white listing for granted, and it will only become more important as time goes on.
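The SPF check behind the whitelist decision above, the "say so in your DNS records" policy from Protect Your Turf, and the forwarder problem from this section, as an added example that is not part of the original article: a small evaluator for SPF records using only ip4/ip6/all mechanisms, with constructed records standing in for the DNS lookups a real receiver would make (all domains and addresses below are assumed sample values).

```python
import ipaddress

# Constructed sample SPF records, standing in for the DNS TXT lookup a
# receiver would perform for each sender domain (assumed data, not real).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "no-mail.example": "v=spf1 -all",   # "protect your turf": never sends mail
    "lenient.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record (ip4/ip6/all mechanisms only) against the IP
    that delivered the message. Returns pass/fail/softfail/neutral/none."""
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":                 # catch-all term ends evaluation
            return QUALIFIERS[qual]
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"  # nothing matched and no explicit "all" term

def whitelist_decision(sender_domain, client_ip):
    """The admin's rule from the article: a request whose sender domain's
    policy rejects the delivering host is treated as spam and refused.
    A forwarder relaying example.com mail from its own IP fails here too,
    which is exactly the third-party problem described above."""
    result = check_spf(SPF_RECORDS.get(sender_domain), client_ip)
    return ("reject" if result == "fail" else "accept", result)
```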

[Diagram: Sending an email through a third party]

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.
