Vouch by Reference

Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.

The protocol is intended to become a standard for email sender certification; it is specified in RFC 5518 (Proposed Standard).[1]

Operation

Email sender

A user of a VBR email certification service signs its messages with DomainKeys Identified Mail (DKIM) and includes a VBR-Info header field among the signed header fields, so that a receiver can tell the field was not added or altered in transit. The sender may also publish a Sender Policy Framework (SPF) record to authenticate its domain name. The VBR-Info: header field contains the domain name being certified (md=), typically the responsible domain of the DKIM signature (the d= tag); the type of content in the message (mc=); and a colon-separated list of one or more vouching services (mv=), that is, the domain names of the services that vouch for the sender for that kind of content:

 VBR-Info: md=domain.name.example; mc=type; mv=vouching.example:vouching2.example

Email receiver

An email receiver first authenticates the message's domain name using DKIM or SPF, thus establishing which domains are actually responsible for the message. It then chooses a vouching service that it trusts, either from among the set supplied by the sender in mv= or from a locally configured set of preferred vouching services; the sender's list is only a hint, and a receiver should never consult a service merely because the sender named it. Using the Domain Name System, the receiver can verify whether the vouching service actually vouches for the given domain. To do so, it queries the TXT resource record of the name formed by joining the certified domain, the label _vouch, and the vouching service's domain:

domain.name.example._vouch.vouching.example

The returned data, if any, is a whitespace-separated list of the message types for which the service vouches, in lowercase ASCII. The receiver checks that this list covers the type the sender asserted in mc=; the types defined are transaction, list, and all. Inspecting the message itself may establish whether its content actually matches the asserted type. The result can be recorded in an Authentication-Results header field using the vbr method registered by RFC 6212, like so:

 Authentication-Results: receiver.example; vbr=pass header.mv=vouching.example header.md=domain.name.example

Implementations and variations

OpenDKIM and MDaemon Messaging Server by Alt-N Technologies[2] were among the first software implementations of VBR. OpenDKIM provides both a milter and a standalone library. Roaring Penguin Software's CanIt anti-spam filter has supported VBR since version 7.0.8, released on 2010-11-09.[3]

Spamhaus has released The Spamhaus Whitelist,[4] which includes a domain-based whitelist, the DWL, where a domain name can be queried as, e.g., dwltest.com._vouch.dwl.spamhaus.org. Although the standard specifies only TXT resource records, Spamhaus, following long-established DNSBL practice, also returns A resource records with values in 127.0.2.0/24 as whitelist return codes; being able to query an address may ease deployment with existing DNSBL client code. However, their technical FAQ[5] recommends checking the domain (the value of the d= tag) of a valid DKIM-Signature by querying the corresponding TXT record, and their how-to[6] gives details about inserting VBR-Info header fields in messages signed by whitelisted domains. By 2013, one of the protocol's authors considered it a flop.[7]
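The sender-side VBR-Info format and the receiver-side DNS check described under Operation, worked end to end as an added example that is not code from RFC 5518, OpenDKIM, CanIt or Spamhaus. An in-memory stub stands in for the DNS; the names vouching.example, vouching2.example and dwl.example and their records are constructed for the example. It assumes the receiver has already verified the md= domain with DKIM or SPF and passes that result in, and it includes the Spamhaus-style 127.0.2.0/24 A-record lookup as a separate variant check, range-checked so that a wildcard or NXDOMAIN-rewriting resolver cannot produce a false "listed".

```python
"""Receiver-side Vouch By Reference (RFC 5518) check, run against an in-memory DNS stub.

Added example: not code from RFC 5518, OpenDKIM, CanIt or Spamhaus. All host
names and DNS records below are constructed for the example.
"""
import ipaddress

# Message-content types defined by RFC 5518 for the mc= tag and the TXT answer.
VBR_TYPES = {"transaction", "list", "all"}

# Constructed stand-in for the DNS: owner name -> {"TXT": [...], "A": [...]}.
STUB_DNS = {
    # vouching.example vouches for domain.name.example for two content types
    "domain.name.example._vouch.vouching.example": {"TXT": ["transaction list"]},
    # vouching2.example vouches for everything from that domain
    "domain.name.example._vouch.vouching2.example": {"TXT": ["all"]},
    # a DNSWL-style service answering with an A record in 127.0.2.0/24
    "other.example._vouch.dwl.example": {"A": ["127.0.2.2"]},
    # a wildcard or NXDOMAIN-rewriting resolver answering with a public address
    "bogus.example._vouch.dwl.example": {"A": ["192.0.2.10"]},
}


def parse_vbr_info(value):
    """Parse the value of a VBR-Info: field ('md=...; mc=...; mv=a:b') into a dict."""
    fields = {}
    for part in value.split(";"):
        tag, sep, val = part.strip().partition("=")
        if not sep:
            continue
        tag, val = tag.strip().lower(), val.strip().lower()
        if tag == "mv":
            # mv= is a colon-separated list of vouching services
            fields["mv"] = [v for v in val.split(":") if v]
        else:
            fields[tag] = val
    missing = [t for t in ("md", "mc", "mv") if t not in fields]
    if missing:
        raise ValueError("VBR-Info missing tag(s): " + ", ".join(missing))
    return fields


def vouch_query_name(md, mv):
    """Owner name queried for a TXT record: <certified domain>._vouch.<vouching service>."""
    return f"{md}._vouch.{mv}"


def vouched_types(md, mv, dns=STUB_DNS):
    """Types the service vouches for md: whitespace-separated lowercase tokens from TXT RDATA."""
    types = set()
    for rdata in dns.get(vouch_query_name(md, mv), {}).get("TXT", []):
        types.update(rdata.lower().split())
    return types


def dnswl_listed(md, mv, dns=STUB_DNS):
    """Spamhaus-style variant: an A record inside 127.0.2.0/24 signals a listing.
    Anything outside that range (wildcard, NXDOMAIN rewriting, typo in the zone) is ignored."""
    listing = ipaddress.ip_network("127.0.2.0/24")
    return any(ipaddress.ip_address(a) in listing
               for a in dns.get(vouch_query_name(md, mv), {}).get("A", []))


def check_vbr(vbr_info_value, authenticated_domains, trusted_services, dns=STUB_DNS):
    """Return (result, details) using the pass/fail/none codes registered by RFC 6212.

    authenticated_domains: domains the receiver already verified with DKIM (d=) or SPF.
    trusted_services: the receiver's locally configured vouching services; the sender's
    mv= list is only a hint and is never trusted on its own.
    """
    info = parse_vbr_info(vbr_info_value)
    md, mc = info["md"], info["mc"]
    details = {"header.md": md}
    if md not in {d.lower() for d in authenticated_domains}:
        # An unauthenticated md= is worthless: anyone could claim a whitelisted domain.
        return "fail", {**details, "reason": "md not authenticated"}
    if mc not in VBR_TYPES:
        return "fail", {**details, "reason": f"unknown mc={mc}"}
    consulted = [s for s in info["mv"] if s in trusted_services]
    if not consulted:
        return "none", details  # no service we trust offered to vouch
    for service in consulted:
        types = vouched_types(md, service, dns)
        if "all" in types or mc in types:
            return "pass", {"header.mv": service, "header.md": md}
    return "fail", {**details, "reason": "no trusted service vouches for " + mc}


def authentication_results(authserv_id, result, details):
    """Render the Authentication-Results: field as in RFC 6212."""
    props = " ".join(f"{k}={v}" for k, v in details.items() if k.startswith("header."))
    return f"Authentication-Results: {authserv_id}; vbr={result} {props}".rstrip()


if __name__ == "__main__":
    hdr = "md=domain.name.example; mc=transaction; mv=vouching.example:vouching2.example"
    result, details = check_vbr(hdr, ["domain.name.example"], {"vouching.example"})
    print(authentication_results("receiver.example", result, details))
```

Two design points worth noting: the md= domain is compared against what DKIM or SPF actually authenticated before any DNS query is made, because a VBR-Info field on its own is just sender-asserted text; and the receiver iterates only over services in its own trusted set, returning none rather than fail when the sender named no service the receiver trusts.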

References

  1. RFC 5518, "Vouch By Reference", P. Hoffman, J. Levine, A. Hathcock (April 2009).
  2. "Alt-N Technologies: Email Certification". Alt-N Technologies. Retrieved 2016-06-24.
  3. "CanIt 7.0.8 Release Announcement". Roaring Penguin Software. Retrieved 2010-11-09.
  4. Quentin Jenkins (2010-09-26). "Spamhaus Releases The Spamhaus Whitelist". Spamhaus News. Retrieved 2010-09-27.
  5. "Whitelist Technical FAQ". Spamhaus. Retrieved 2010-10-03.
  6. "How to Use". Spamhaus. Retrieved 2010-11-09.
  7. John Levine (2013-04-20). "no hints for receivers". dmarc-ietf (mailing list). Retrieved 2016-06-24. "I don't know of any publisher of VBR other than the vestigial Spamhaus whitelist."