HomePeople Policies Press Resources |
| Home | Contact | Search | |
|
Press Resources Server Authority, Inc. created and maintains the Outbound Server Authentication Index, an anti-spam infrastructure. For detailed information about the Outbound Index and the problems it solves, go to the Outbound Index site.
The origin of the Outbound Index The Outbound Index was developed because Ken Beauregard and April Lorenzen, co-owners of a web/email hosting ISP company, had grown frustrated with the spam-fighting tools available in 2001. "As a hosting ISP responsible for several hundred business domains in the late 1990's, we always employed the latest moderate anti-spam techniques," April says. "Our frustration level mounted as customers complained about false positives due to our use of blacklists, and offensive and annoying spam email still leaked through daily. "By mid 2001 we were experimenting with radical approaches such as parsing Julian Haight's Spamcop.net 'spam in progress' Web page every 5 minutes, and automating a 24-hour block on the class C addresses found there. We created a whitelist to make this concept useful, since the general public reporting to SpamCop.net often nailed many of sources of wanted mail. "This method was neither 100% effective nor free from false positives. Our clients could lose some of the email they wanted if the source server for those emails wasn't on our own local whitelist. We also noticed in this experiment that spammers were skipping over a large and unpredictable variety of Class C netblocks, often only staying on a particular IP for a couple of hours. This made our somewhat drastic measure only marginally effective." The light bulb goes on "In June 2001, I had an epiphany. I realized we were wasting our time chasing after lists of 'bad' IPs that would never stop growing and changing. Spammers have nearly 2 billion possible addresses at their disposal, so they won't run out of fresh unlisted IP addresses any time soon. "Instead, it seemed far more efficient to create a worldwide index of domains and their associated, authorized outbound email servers, stored in a shared repository database that also contained other information useful to those fighting spam. "In mid-2001, we formed a new corporation, Server Authority Inc., to develop a reliable, scalable infrastructure for our concept of an email server identity database. We called it the Outbound Server Authentication Index ('Outbound Index' for short). The people and resources we needed to create and further refine the prototype seemed to come to us almost magically on cue, thanks in great measure to the Open Source community and the years of innovation and sharing that it had spawned. Naji Wakim, a seasoned high-level corporate executive, provided seed capital and business know-how. "Another one of the key people who showed up to help us was Petru Paler. Working with Petru and a few other programmers, we created a simple open-source query client first for Postfix and later for Sendmail, as an example. We created a query-response server interfaced to a prototype worldwide Outbound Index database. Our vision was for incoming mail servers to query this repository, and automatically reject mail with a forged return address or mail from servers operating on IPs forbidden by their own ISPs. "We realized that the answers to other checks could also be served up by the same infrastructure, and thus the Outbound Index could be flexible enough to conform to the policies and standards of each Email Administrator individually. He or she could pick and choose which checks to run on the queries and what action to take on pass or fail (reject, accept, tempfail, skip or use content filtering, etc). These checks could handle the issues associated with spammer organizations listing their domains in the Outbound Index, and close loopholes. Check examples include: Does the sender domain:
"Although identifiable, well-established, stable corporations could still send unwanted bulk mail. Exercising legal measures against them would be a viable option, whereas legal measures are extremely difficult to use against spamming operations which hide and move constantly. In addition, recipients and recipient ISPs do have the easy option of blocking mail from domain names with local RHSBLists—if the sender domains are well-established stable corporations who keep using the same domain name. Therefore, I thought, we can reward those who don't try to hide their identity and who have easily verified long-term existence and stability, by whitelisting them. In short, they can be found and sued if they break the law—either by fraudulent practices, selling illegal goods and services, or breaking spam-related laws. "On the monitoring side, we realized that the queries coming from numerous incoming email servers would create a real-time, worldwide view of spammer activity. ISPs and corporate abuse departments would be able to look at a live monitor in a browser window and be alerted to any forged return address spam originating from their own netblocks. They'd be able to instantly see / trace data and use it to cut off non-AUP compliant use of their networks. "ISPs and corporate network managers would be able to specify which of their IP addresses were allowed to run a mail server, proactively—and forbid the rest. While this ability has theoretically been available for many years (i.e., MAPS DULS, the predecessor to MAPS DULs, and other excellent efforts), it has never been offered in a way that allows all networks in the world to list their 'mail server allowed' and 'mail server forbidden' IP ranges, simply and instantly, using a web form. "Although at the time we didn't find mention of it, we know now that Bruce Gingery had conceived of a plan using IN SRV DNS records to relate domains to their email server IPs. And we also know that more than one person has had the idea of some type of worldwide email server registry. Additionally, many of our spam-fighting colleagues have proposed and used whitelists in various forms. More recently, additional domain+server proposals such as RMX, DMP, and SPF have arisen. We find ourselves in alignment and support with many of the same basic concepts behind them, such as the right of the domain owner to determine which servers can send mail using his domain name in the return address. We also share some of the same challenges such as forwarding issues. "Beyond just the domain+server check, one of our goals for the anti-spam infrastructure—based on the shared data repository—was that it would be able to accommodate numerous techniques for differentiating spammer-like behavior from the behavior of identifiable, well-established, stable senders. Email administrators could then incorporate their preferred techniques into the processing of their queries in the Outbound Index. Traditional filtering, scoring, challenge/response and other methods could be used as follow-on processing, on the email characterized as "suspicious/unknown" (neither 'acceptable' nor 'rejectable'). "Almost all existing anti-spam implementations use an IP-based blacklist and/or whitelist lookup, in addition to their primary anti-spam methods. SIQ (Server Index Queries) are reasonably similar to black/whitelist queries, so the method for employing them is familiar to email administrators. The Outbound Index can also be queried using standard DNSBL queries. "We see the it as complementary to, rather than in competition with, existing spam-fighting appliances and software. We envision the Outbound Index being guided by the anti-spam community." April Lorenzen & Ken Beauregard, January 2004
How can I get more information? For more information about the Outbound Index, call 888.894.3896, or use the form below.
Geocities Spam Resources
|