Frequently Asked Questions - Individual Members
Why is X-ASVP a better anti-spam "mousetrap" than what already exists?
X-ASVP isn't really a "mousetrap" at all; it's a method of describing "mousetraps" in a general way so that the senders and receivers of SMTP mail have a standard way to communicate the methods and level of authentication required to get a message into a recipient's Inbox.
So how does X-ASVP combat spam then?
X-ASVP allows people who want to filter e-mail using the X-ASVP e-mail header to "advertise" the level of authentication they need in what's called a "meta-document". This meta-document is posted in a predictable location on the Internet so that people who want to send e-mail to the recipient can look at the meta-document and figure out how to comply.
Sounds like a lot of work.
Actually, it's quite easy. The best part is that your ISP can do it for you at very little cost to them. If your ISP hasn't implemented X-ASVP yet, you should ask them why not.
What if my ISP doesn't implement X-ASVP and I want to use it anyway?
That's OK. You can use X-ASVP without the help of your ISP. It takes a little more computer savvy, but all you need to do is become an X-ASVP Individual Member, so that your secondary level search path provider will host your meta-document. Once that's done, you set a filter in your e-mail program that flags (or deletes) items that don't comply with the requirements stated in your meta-document.
Sounds complicated. What's a meta-document?
A meta-document is just a web page that lists the specifics of how you choose to implement X-ASVP. Most people will implement the Level 1 Extension 3 known as "ASVP-WEB". For those people, their meta-document will show a token that has to be included in your incoming e-mail X-ASVP header.
Can't a spammer just grab my meta-document as well?
Sure, a spammer can grab your token and attach it to an e-mail just like anyone else that you want to receive e-mail from, but if they do that, they've left their real IP address in the log of the meta-document web server, which gives ISPs a quick way to track them down and get their machine blocklisted. The retrieval of a meta-document can also be configured to take a few seconds, which would be invisible to you since you only send a couple of e-mails at a time, but adds up quickly for a spammer trying to send millions of e-mails at a time. This would seriously reduce the amount of mail that a spammer could send in any period of time.
Can't a spammer just spoof my token?
That depends on you, what you use for a token, and how you verify it. X-ASVP doesn't define how tokens are generated or verified; it's just the transport mechanism. Token generators are the "secret sauce" of how users (or their ISPs) implement the protocol. Some will be easy to spoof, some will be near impossible. The X-ASVP technology working group posts suggestions for ISPs to make their token generators and verifiers more robust and more difficult to spoof.
Why would I use a token that's easy to spoof?
You can use a very simple token and still be very effective. It's not about being perfect, it's about being better than today. (Perfect is described in X-ASVP Level 9.) So having a static token that's very simple to verify in e-mail client filters is not perfect, but it's very easy to implement, and can be very effective, as spammers don't know that your token is static, or that you're filtering based on the static part of a larger token. They still have to visit the meta-document at least once, which slows them down and leaves their trail.
Isn't this vulnerable to denial of service attacks?
As more and more ISPs implement the protocol, the system actually becomes LESS vulnerable to denial of service, because when implemented by both the sender and receiver ISPs, X-ASVP becomes a peer-to-peer protocol. While there is a need for secondary (tld) and tertiary (global) meta-document hosts to provide a level of redundancy and universality for the protocol, when the protocol is used between ISPs, the "central" parts of the infrastructure (the meta-document hosts, and the part one would expect to be attacked) are not necessary. So even if they were attacked, the protocol continues to work.
Frequently Asked Questions - Sustaining Members
How does setting up an X-ASVP host help me and my end users?
First, setting up an X-ASVP host is easy. All you need is a virtual host on your web server that rewrites all valid requests to a script like the "meta-doc-complex.txt" example (PHP script) in the meta-document examples area. Now, whether or not you actually train your MTA to look for tokens, you have just forced spammers to choose whether or not they will attempt to be compliant with the protocol for your domain. Since they don't know whether or not you're filtering on the token, they either have to give up their IP to the token-generator, attempt to spoof a token, or give up on getting spam-mail into your domain. The worst part for a spammer is that every X-ASVP host is a potential honeypot or tarpit for them. It may not be, but they take that chance any time they decide to leave their real IP behind on an X-ASVP host. They could spoof tokens, but that only matters to you if you're actually filtering based on tokens... and you can make a better token generator that isn't so easily spoofed. Or, they can give up on your domain, and isn't that the goal? So whether or not you use the token to filter, it makes sense to support the protocol. It's so easy to set up an X-ASVP host, why wouldn't you?
How do I build a token generator?
The technology working group is continually working on improved methods for creating token generators and verifiers. You are welcome to participate in the working group. Initially, we suggest generating a format that includes several pieces of data concatenated together, including those described on the "Executive View" data flow diagram, in the diagrams area of this website. Here are some examples.
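An added example (not from the X-ASVP site or its working group) of one token generator and verifier in the spirit of this answer and of the earlier answer on spoofing: several fields are concatenated and bound with an HMAC, so a copied, edited or stale token fails verification. The field choice, the `_` separator, the secret and the one-hour lifetime are assumptions, since X-ASVP does not define token formats.

```python
import hashlib
import hmac
import ipaddress
import time

# Assumptions (not defined by X-ASVP): a per-domain secret shared by the
# token generator and the verifier, and a one-hour token lifetime.
SECRET = b"constructed-demo-secret"
MAX_AGE = 3600


def _mac(recipient, requester_ip, issued):
    # Bind every field together so none can be swapped or edited.
    msg = f"{recipient.lower()}|{requester_ip}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_token(recipient, requester_ip, now=None):
    """Run by the meta-document host for each request it serves."""
    issued = int(time.time() if now is None else now)
    ip = str(ipaddress.ip_address(requester_ip))  # normalised form
    return f"{issued}_{ip}_{_mac(recipient, ip, issued)}"


def verify_token(recipient, token, now=None):
    """Run by the receiving filter on the token from the X-ASVP header.

    Returns (True, requester_ip) or (False, reason). The IP is the address
    that fetched the meta-document, so it can be matched to the web log.
    """
    now = int(time.time() if now is None else now)
    parts = token.split("_")
    if len(parts) != 3:
        return (False, "malformed")
    try:
        issued = int(parts[0])
        requester_ip = str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return (False, "malformed")
    expected = _mac(recipient, requester_ip, issued)
    if not hmac.compare_digest(parts[2].encode(), expected.encode()):
        return (False, "bad-mac")
    if not 0 <= now - issued <= MAX_AGE:
        return (False, "expired")
    return (True, requester_ip)
```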
If I set up an X-ASVP.mydomain host, why do I need the secondary path provider?
If you have highly available systems that never go offline, then you don't. However, if you are filtering SMTP mail based on a token, and your systems sometimes go offline, you would want a copy of your token generator on the secondary search path provider so that senders can still get tokens while your systems are being maintained.
How is the level of support calculated for the membership benefit of having a backup token generator hosted by a secondary path provider?
Secondary path (x-asvp.tld) owners provide a valuable service to the Internet community. They have invested time, effort and capital into building the necessary universal infrastructure for this protocol to work and benefit the global internet community as a whole. This infrastructure requires continued investment and operational maintenance. Your membership in the X-ASVP Committee helps to defray these costs and ensure continued investment in future infrastructure.
The Sustaining Member suggested donation is calculated by the size of the member's end user community:
Number of end users | Support Level per year
0-1,000 | $500 USD
1,000-10,000 | $100 + 0.40 per user
10,000-50,000 | $1600 + 0.25 per user
Above 50,000 | $9,000 + 0.10 per user
What kind of token generator will the secondary path (x-asvp.tld) be willing to host?
This is dependent on your particular secondary path provider. Most support PHP within an HTML document. Specifics are continually discussed in the technology working group forum. Contact your secondary path provider directly if you have specific questions.
Frequently Asked Questions - Controlling Committee Members
How do I become a Controlling Committee Member?
Register the "x-asvp" host within a top level domain. Set up the supporting infrastructure. Agree to the Committee Bylaws. Contact the Board to announce your support and set up the reciprocal agreement.
What resources are available to Controlling Committee Members?
Once registered with the Board, Controlling Committee Members are given access to the Committee Resource Library. This is where you will find meeting notices and agendas, internal working form templates, and operational management tools.
Contact the X-ASVP Committee
X-ASVP Chair
2443 Fair Oaks Blvd
#147
Sacramento, CA 95825, USA
Email: chair@x-asvp.org