back to article If you love your email standards, SMTP your feet: 35 years later

This month marks the 35th anniversary of the sign-off of RFC 821, the first definition of the Simple Mail Transfer Protocol, that everyday staple of email comms. Although the original spec has long been superseded, with the latest version of SMTP being contained in RFC 5321, RFC 821 laid the foundations for the billions of …

Idea: user-defined whitelisting string.

Tell your bank that email from them will only be accepted if the email body and/or header contains the provided string. If and when emailing you, the bank includes that string. Your email client, knowing your string, jettisons email not including it. Hey presto, more easily identified spam and phishes, at least until the next data hack.

I plan to have HMRC include the string "The balance will be left behind the bar at the Winchester"

11
2
Silver badge

Already exists

That user-defined whitelisting string already exists. It's called your email address.

Without it, the email never reaches you.

With it, the email does reach you.

9
9
Silver badge

Re: Already exists

"It's called your email address."

And you set up one specifically for your bank (and others for each other correspondent you wish to verify). Added bonus: if it leaks you know who to blame.

23
1
Silver badge
FAIL

Re: Already exists

I have had email accounts I have just created receive spam because the senders are sending out to random addresses not caring if they exist or not. Lets not forget companies get hacked and then the emails of their employees and customers get sold on so even if you're careful, that's no guantee that you won't receive spam.

8
0
G2

user-whitelisting

here's a simpler idea:

1) have an entire (sub)domain for yourself and set up a wildcard mailbox.

2) make up a dedicated email address for anything that asks for you to provide an email address. Design the address JUST for that service and do not reuse it. Even if it's a printed form to fill in on paper, you can create an one-time-use email address on the spot just with a pen and paper.

3) if that particular email address starts to receive spam it means that whoever you assigned that address has leaked it.

since the (sub)domain is configured as a wildcard mailbox all emails arrive in a single central mailbox where a) it's first processed to clean obvious spam by the default server rules, and b) you can set up filters for each destination email "to:" address and apply labels or sort into folders for that topic (in your example, for mails from the bank)

and bonus: it's all already possible.

If you host that (sub)domain on Google's G Suite (formerly known as Google Apps) you can configure the Gmail service with a wildcard mailbox and do all of the above. It might work on other services too.

Edit: P.S. wildcard mailboxes are different that Google's standard plus-alias addresses. Those still have an account name tag. In this case, wildcard really means wildcard, *@hosted.sub.domain.com

8
0
Silver badge

Re: Already exists

"I have had email accounts I have just created receive spam because the senders are sending out to random addresses"

They might just be able to hit some of the individual addresses I have set up, but the one I gave my bank is far too long and complex for them to hit it by chance.

4
0

Re: user-whitelisting

>> 1) have an entire (sub)domain for yourself and set up a wildcard mailbox.

And then get hit by a dictionary spam attack and get a few thousand spam crap in your mailbox.

8
3
Silver badge
Alert

Re: Already exists

I've been doing that for several years now. It works very well for blacklisting and finger pointing. However I discovered recently that the finger pointing part can be flawed.

In my case it seems that a forum I registered on several years ago got hacked. Some time later those credentials were used to log onto another forum and that email address used to send me spam.

So whilst DEA did its job and pointed me at the correct site it was actually another site's lax security that led to the problem. And my lax security for opening the door by using the same credentials on different sites but most forums don't matter enough for me to care and the password was my lowest security password.

3
0
Silver badge
Boffin

Re: user-whitelisting

1) have an entire (sub)domain for yourself and set up a wildcard mailbox.

Exactly what I've been doing for many years now. I also run my own mail server because that's the only way you can be sure what the sender used as an address. You can't trust headers for that you need to see RCPT command to know for sure.

5
0
Silver badge
Happy

Re: user-whitelisting

And then get hit by a dictionary spam attack and get a few thousand spam crap in your mailbox.

Nah. If your chosen format is multipart then it'd be an unusual dictionary attack.

*@mydomain.com is vulnerable as you describe.

MrWibble.*@mydomain.com

Is nowhere near as vulnerable. It will only succumb to a dictionary attack if someone actually notices the prefix. Not saying they won't ever spot that but even if they do the only reason to dictionary attack would be to piss you off. There's just not much practical value in dictionary attacking a DEA system. And of course the solution is easy:

MrWibble.*.v2@mydomain.com

6
0
Anonymous Coward

Re: user-whitelisting

"make up a dedicated email address for anything that asks for you to provide an email address."

That used to work on Demon until Vodafone outsourced their Demon domain email system to Namesco.

The new system limits you to 100 email addresses - and a new one has to be pre-registered before you can send an email with it.

On the useful side it does also bounce any incoming emails not in that set.

The real negative is the slowness with which it refreshes an IMAP folder. Wouldn't survive even a mild flood. Namesco have also doubled their price for the email service this year to £61.

3
0
Silver badge

Re: user-whitelisting

2) Feed anything that hits that address straight into SpamAssassin or whatever it is that you use to score your emails with.

2
0
Vic
Silver badge

Re: user-whitelisting

have an entire (sub)domain for yourself and set up a wildcard mailbox

Good god, no.

If you accept all, you get inundated with spam.

make up a dedicated email address for anything that asks for you to provide an email address

That's what many of us do - but you allocate those addresses on demand by way of an alias.

since the (sub)domain is configured as a wildcard mailbox all emails arrive in a single central mailbox

The same is true of aliases - but you only get email to addresses you've actually configured.

if that particular email address starts to receive spam it means that whoever you assigned that address has leaked it.

And if you've implemented this with aliases, you can then kill that address without affecting any other operation.

Vic.

6
0
G2

Re: user-whitelisting

Multi-quotes and replies below:

quote:

And then get hit by a dictionary spam attack and get a few thousand spam crap in your mailbox. /quote

Google is expert at catching such dictionary attack spams. They never hit my inbox. I might get a few of them in the spam folder but once Google's servers figure it, it never even makes there - it helps them to train their spam filters. In addition to that, i have 1 TB of space allocated to the wildcard mailbox there. that can waste a loooooot of spammer time ... :D

.

quote:

Some time later those credentials were used to log onto another forum and that email address used to send me spam. /quote

there's a simple solution for that too: configure DKIM signing of all mails, set up SPF + a strict 100% DMARC reject policy that enforces DKIM+SPF. (this DMARC + DKIM + SPF authentication can also be configured on Google's servers too). Someone sending mails with fake 'from' addresses should not be possible if the domain is configured like this, they will hit a brick wall.

Google's standard response for such messages looks like:

550-5.7.1 Unauthenticated email from xyz is not accepted due to

550-5.7.1 domain's DMARC policy. Please contact administrator of xyz

550-5.7.1 domain if this was a legitimate mail. Please visit

550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about DMARC

550 5.7.1 initiative. gsmtp

After you set up DMARC you can then use a site like https://dmarcian-eu.com/ to help you visualize email traffic statistics from the DMARC reports. You can even see how many fake emails pretending to originate from your domain were received by the DMARC-compatible servers worldwide - google, yahoo/verizon/ microsoft, etc.. all major email systems will start sending you statistical data about email that pretends to be from your domain, including the ip address of the spam source.

DMARCIAN is quite an interesting tool in analysing email spoofs reported via DMARC... in the last 30 days over 95% of the email spoofs that pretend to come from my domains (but are obviously not signed with DKIM and not a SPF match) are from India and Vietnam. Surprisingly, Iran is on 3rd place as a spoofing email spam source.

For ISPs, top spammers in my statistics are from *.airtelbroadband.in followed closely by *.vnpt.vn (India and Vietnam again - not a surprise there)

quote:The new system limits you to 100 email addresses - and a new one has to be pre-registered before you can send an email with it./quote

who says you have to SEND from ALL those email addresses? most of them are intended to be receive-only anyway.

3
0

Re: user-whitelisting

"here's a simpler idea:"

It's not new though, I've been doing that for the last 20 years.

There is, however, a downside; there's a lot of random (though easily filtered) cr*p that arrives.

Imagine taking all the possible slurped prefixes from @yahoo.com or @gmail.com and then finding them in the inbox for @your_domain

2
0
Anonymous Coward

Re: user-whitelisting

"who says you have to SEND from ALL those email addresses? most of them are intended to be receive-only anyway."

There is an absolute limit of 100 preregistered aliases on the same Demon subdomain - irrespective of whether you use them to send or not. You still have to do a preregistration of the new specific address when you engage a new supplier etc via a form. That means logging in to Office 365 control panel and hunting for the right page to activate alias editing.

1
0
Silver badge

Re: user-whitelisting

You don't even need a domain, just use plus-form addressing. Say you are G2@gmail.com.

Tell El Reg you are G2+elreg@gmail.com. Tell Tesco you are G2+tesco@gmail.com. Tell your bank you are G2+53CR3T@gmail.com.

All of those will find their way into G2@gmail.com and all you have to do is filter them. And if you get spam to one of them, you know which one leaked.

2
0
Silver badge

Re: user-whitelisting

How about an extension to add (and collect) certificates to each email on a per recipient basis.

Basically PKI but you give the recipient a certificate to use to communicate with you. Everone runs their own CA. If it gets compromised, you send them another one. It isn't perfect, but that's ok because it allows for graceful failure.

It all boils down to clever address-books, which is why the idea will fail. Webmail halts the development of email in the same way that tablets and phones with hardware-based video decoding mean that developing new video standards is pretty much futile. The "winner-takes-all" cloud means you can't grow adoption of something.

The internet was designed to be decentralised. That design is being increasingly over-ridden and its dangerous.

/rant

6
0
Silver badge

Re: user-whitelisting

>And if you get spam to one of them, you know which one leaked.

Wouldn't the spammers just see the "+" and delete it and everything up to the @ sign?

7
0
Bronze badge

Idea: user-defined whitelisting string.

I did that 20 years ago. The domain is not something I wish to reveal here. It is still in operation. I wish I could post pics of the nice javascript screen I used. The e-mail body must contain some sort of password, users choice. My idea at the time was to provide child safe e-mail. It worked well but with the onset of porn everything nobody seemed to care much anymore.

3
0
Bronze badge

If and when emailing you, the bank includes that string. Your email client, knowing your string, jettisons email not including it. Hey presto, more easily identified spam and phishes, at least until the next data hack.

That's a capital idea. How do you propose we deal with banks selling that string to affiliates, business partners, subcontractors and being flooded with spam?

Oh, I know, we pass a law that forbids banks doing that. Then we'll get another 'sorry, we've been hacked, it's not our fault' piss poor excuse.

2
0
G2

Re: user-whitelisting

quote:You don't even need a domain, just use plus-form addressing. /quote

unfortunately the plus-alias method used by @gmail.com addresses is also known to spammers (d'oh!) and they routinely discard +anything from gmail email addresses that they harvest.

this is why a wildcard mailbox is much more useful, because you can make it look like a regular email address without the need of such plus-aliasing tricks.

3
0
Silver badge

Re: user-whitelisting

And then get hit by a dictionary spam attack

At which point the anti-spam provisions on your firewall block the spam and blacklist the sender IP address..

1
0

Re: RFC 2549 et al

My favourite April RFC is Steve Bellovin's "The Security Flag in the IPv4 Header" (RFC 3514) from 2003.

5
0
Silver badge

A protocol that should have been obsoleted at least 15 years ago.

Seriously, people, SMTP is the last major protocol that seriously needs a redesign from the ground up. From being able to fake return addresses, to no guarantee of end-to-end encryption, to all kinds of third-party DNS-based addons to try to reduce spam and forgery, to ancient file encodings, to even the concept of "bouncebacks", it's all archaic, problematic, and ripe for replacement.

Someone really needs to propose SMTP2, which just fixes this junk, makes everything key-based (so you can't send from a domain unless you have the corresponding key, and not just "well, properly configured places may not accept your email" but actual protocol refusal), provides end-to-end encryption (put public keys in domain DNS for source and destination, sending server negotiates key-pair with end-recipient server and verify it's them that you're talking to using their DNS, then it doesn't matter WHAT mail servers it passes along the way, it can't be modified or snooped on en-route except by authorised systems), properly allows immediate response messages, you can put in explicit functionality for email-forwarding and rewriting if necessary (no reason that can't be done officially, with a full trace history, rather than just trying to tell the world that GMail may send emails on my domain's behalf), allow explicit refusal of email from unknown senders (i.e. they literally have to request permission first, if the user wants that, and are then given an explicit token that lets ONLY them send to you - "Do you want to accept email from hinet.net?" - answer No and there's no way for them to ever bother you again, even if they sell your email address), and turn it into what it should always have been: A transport system, that has no clue what it's transporting, just so long as it gets to the intended recipient, if they want it.

Then all the SPF, DKIM, greylisting, spam filters, postmaster@, bouncebacks, message envelope rewriting, plain-text emails, mass CC:'s, and all the other junk that you have to deal with are consigned to the bin. Don't even get me started on bouncebacks-of-bouncebacks, each with a different format, reason and nothing you can do about any of them. Hell, even a "this email was received by the destination server successfully" binary indicator would be infinitely more use than just guesswork like it is now (just because your ISP mailserver said it would deliver it means nothing, you might get a bounceback an hour or even a day down the line saying that it couldn't talk to the end domain)

Hell, if you made the initial SSL challenges hard enough, you can push spammers out of the market just by the amount of CPU they would have to expend on trying to talk to new users (while established users would already have a negotiated keypair that you could re-use for a period so as to not bog-down genuine servers sending to domains). And your Outlook could literally just store the keypairs of only the people you're interested in talking to, everything else just bounces off the server without you ever seeing it.

SMTP needs to die like Telnet and FTP before it, and like plain HTTP now.

And it's not that hard to put in a HUGE wishlist of things it shouldn't deal with at all, and things that it should, and instantly solve everything from spam emails, to email forgery, to botnet emails, to delivery-silence.

8
13
Silver badge

SMTP is the last major protocol that seriously needs a redesign from the ground up.

IP was redesigned from the ground up to give IPv6 21 years ago. The highest adoption figure seems to be ~37% in Belgium, maybe 16% world wide according to Google's search requests.

We'd end up with dual SMTP/SMTP2 systems for at least 30 years, which would be worse than the current problems.

17
1
Anonymous Coward

SMTP: teletype-era protocol

Well said that man, though I suspect very few people are listening, as ISPs and such largely seem to prefer cheap to effective/trustworthy (hey, other people can pick up the costs, right?), hence the bandaids on bandaids which form the 'modern' SMTP setup we all know (and very few, outside ISPs and other malware-flingers, actually love).

SMTP comes from the era of the teletype when 4K wasn't the resolution of your TV screen, it was more like the amount of memory on most typical computers. Same goes for IPv4.

It is overdue for a ground-up redesign, and it happened in the 1980s and 1990s, as did the replacement for FTP etc. For some reason it was mostly ignored, and still is (even more so than IPv6 is ignored).

4
3
Silver badge

There is nothing wrong with SMTP ...

... when used properly. Likewise, I still use FTP and telnet and several other protocols that kids today probably don't know exist. They all still have their place, quietly doing the job they were designed to do.

Just don't tell Apple I have a dumb serial terminal attached to a port[0] on an aging iMac, with a nice friendly login prompt displayed for all to see ... They'd probably take me to court on charges of miscegenation or something equally daft.

[0] With a little help from USB, of course.

3
1
Silver badge

We'd end up with dual SMTP/SMTP2 systems

Indeed. We went through something akin to that when ESMTP came along. As an example, trying to send emails from a Solaris server to a server using Exchange 5.5 would fail silently since the Exchange server would advertise as ESMTP-capable and then silently ignore any ESMTP commands and drop any emails sent using pipelining..

Took me a while to find out why emails were going astray. Telling sendmail to *never* use ESMTP to the specific E5.5 servers solved the issue.

Now, it could be argued that the problem was Exchange 5.5 having an incomplete ESMTP setup (which was true) and the default being ESMTP was enabled (which was true) but it neatly shows how having multiple SMTP standards or extensions can be a problem.

1
0
Silver badge

And if it takes 30 years, where do you think we'll be in 2047 when someone STILL hasn't proposed an alternative and started deploying it? In exactly the same position.

I'd rather have 10 years of it being "unheard of", 10 of it being "mixed" and 10 of it being "why aren't you using SMTP2 already?" than 30 years of "Oh, it's so hard to do and nobody will change".

Seriously, I'd quite like to be able to send an email to my bank, lawyer or family without my ISP being able to read it. I don't think that's much to ask.

3
0
Anonymous Coward

"I'd quite like to be able to send an email to my bank, lawyer or family without my ISP being able to read it. I don't think that's much to ask."

And you don't want to wait another thirty years?

Then you very likely want something based on the solution that was tried, tested, and proven (but unacceptably expensive for wide deployment, not least because compute power and networking were unaffordably expensive at the time) in the 1990s.

Sorry if I'm getting repetitive, but the modern IT/fashion industry's apparent need to re-invent wheels that were already working decades ago (and now need a bit of TLC) gets boring after a while, for those who just want "stuff that works".

Reminder:

https://www.isode.com/whitepapers/x400-messaging.html

1
0
Vic
Silver badge

I'd quite like to be able to send an email to my bank, lawyer or family without my ISP being able to read it. I don't think that's much to ask.

I can do that - and I do.

It's really not very difficult - but you'll have to run the encryption endpoint if you don't want your ISP to be involved. That's trivial...

Vic.

1
0
Silver badge

Re: There is nothing wrong with SMTP ...

... when used properly. Likewise, I still use FTP and telnet and several other protocols that kids today probably don't know exist. They all still have their place, quietly doing the job they were designed to do.

No there isn't. I still run a gopher server for example. Yes I could convert or wrap it around http, but why would I when it works fine as it is.

There is no need to go all Poettering on SMTP, it works fine.

0
0
Silver badge

Seriously, I'd quite like to be able to send an email to my bank, lawyer or family without my ISP being able to read it. I don't think that's much to ask.

PGP

0
0

This post has been deleted by its author

I don't know why all the downvotes - are any of these from anyone who works with a substantial email environment? (Multiple enterprises, or even medium-large enterprises?)

I thought Google was on the right track with their Wave idea. Of course, their ramming it down everyone's throats and the fact Google were going to make it their proprietary thing meant its death-knell, deservedly so.

But the idea of moving seamlessly between a IM conversation style to a message delivery system in "offline" mode (if you like) was great. How the security and connection handshake could be handled with multiple providers is something else, because of course Google weren't designing for that either. Something like the messaging equivalent of Diaspora (the social media platform), where multiple nodes can intercommunicate, perhaps.

I know that some would say it'd be overly complicated, but if anyone thinks that pure SMTP is workable these days, they're dreaming. Multiple message formats, multiple mail access protocols, bolt-ons (and they ARE bolt-ons) like SPF, DKIM and DMARC, the gymnastics required to encrypt messages and the transport layer, SenderBase, RBLs, etc etc etc etc.

1
1
Silver badge

The spam problem: older than you might think.

https://www.rfc-editor.org/rfc/rfc706.txt

Nov 1975

4
0
Silver badge

Re: The spam problem: older than you might think.

Spam started in UK when telegraph terminals could be installed outside of post offices. In the Victorian era.

5
0
Silver badge

Re: The spam problem: older than you might think.

To be fair, Jon was discussing misconfigured servers spewing unintentionally, not intentional sending of junk email.

The first actual "spam" that I'm aware of was sent on ARPANET, mid 1978. If you're interested, search for "Gary Thuerk". I didn't get my copy of the email, alas (my bozo filter worked!), or I would copy & paste it here. Gary got yelled at, none of the rest of us ever tried anything as daft.

I remember a student at Stanford sending every email account on campus a "wanna buy my bike?" email back when I was stanford!sail!vax!jake (address changed to protect the guilty; I'm archived at DejaGoo under the real one) ... Probably 1982 or thereabouts. He got yelled at, loudly, and had computer privileges revoked for the rest of the year.

After that? Probably the first real spam was on Usenet in late 1993 or early 1994. (Religious crap, and a bot kibozing on the word "Turkey"). Followed, of course, by the infamous "Green Card Lottery" spam.

For modern email? Soon after Usenet ... I'm guessing late 1994 or early 1995.

2
2
Bronze badge

Penny mail

Companies that want to send you email can do so, but it will cost them one penny, or a tenth of a penny, or whatever - it doesn't really matter.

If you open/read the email, they get their penny back. If you don't, they don't; the penny goes to charity.

That will soon stop spam.

2
1
Vic
Silver badge

Re: Penny mail

That will soon stop spam

No it won't.

The *vast* majority of spam is sent from forged addresses through armies of compromised machines.

So if you charge for email - it is those compromised users who pay, not the spammers.

Email micropayments has been suggested about a billion times as the FUSSP. It doesn't work. Not even a bit.

Vic.

21
0
G2

Re: Penny mail

the forged address problem is easily solved by a strict DMARC policy that enforces DKIM + SPF.

It's been years since Google / Yahoo / Microsoft implemented support for these but each domain owner is responsible for configuring the DMARC protection for their domain. The defaults are to not enforce anything.

1
3
Silver badge

Re: Penny mail

Charging money for sending emails is not viable for various reasons. However, the concept of charging *processing time* is a good one, because it wastes spammers time. See "Hash Cash" for the principle involved.

Tarpitting and Greylisting are available techniques for slowing down, or forcing a spammer to repeat their submission respectively, but I've found that many mail servers are configured not to tolerate these techniques. Cloud email used by legitimate senders in particular thwarts greylisting because each time an email is resent from a cloud service it likely comes from a different IP address to the previous message which means that the recipient mail server thinks it is from a different source.

3
1
Anonymous Coward

Re: Penny mail

"[...] because it wastes spammers time. "

Same with landline cold calls. Some of the recorded ones don't appear to terminate the call. If you then leave the phone off-hook there is no dial tone - and hopefully you are stopping them using that outgoing line until you hang-up. If anyone desperately wants to ring me there is always the mobile as back-up.

3
0

Re: Penny mail

The forged problem is not solved by DMARC/DKIM.

1) It depends on the recipient knowing what domains actually belong to the purported sender. Quick, which of these are valid paypal domains?: paypal-communications.com, paypal-prepaid.com, paypal-payments.com.

2) Also, phishing studies (such as those from APWG) show that phishers don't bother spoofing the From: header address because most users don't bother checking. Simply putting the email address in the display name is more than enough to fool people.

3) It assumes DKIM/DMARC/SPF is properly implemented, which is a huge assumption.

3
0
Silver badge

Re: Penny mail

strict DMARC policy that enforces DKIM + SPF

Ha ha. Don't make me laugh (no, really, don't).

Back in the mists of time when SPF was new I happily configured it for all of the domains that I handle email for. Nowadays I don't bother because the majority SMTP sewers (Gmail/Hotmail/Yahoo) ignore it utterly when sending email[1].

And I can't think of any email host outside of Western Europe or North America that actually uses it.

[1] They seem *slightly* more keen on implementing it on the receiving side. But only slightly.

1
0
Silver badge

Re: Penny mail

Tarpitting and Greylisting are available techniques for slowing down

And getting your domain(s) blacklisted..

0
1
Silver badge

GOTO 10

It's a testament to the complexity of the application server/cloud stack these days that I'm seriously considering automating an information interface to users via email, like we did in ye olde days (who remembers FTP-by-mail gateways?). That's a doddle to write, and small enough to actually be securable.

All I have to do is work out which mail encryption/authentication works for people using Outlook....

3
0

"[N]obody disputes that email is an indispensable part of everyday modern life."

I think my texting-only kids, both in their 20s, would disagree.

10
0
Anonymous Coward

The youngsters who communicate with me - talk to most people with SnapChat or WhatsApp They only use email to me because I don't have a smartphone.

2
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017