516761-100003: Original Electronic

Comment Number:	516761-100003
Received:	6/24/2005 11:18:49 AM
Organization:	Net Fulfillment Technologies, Inc.
Commenter:	Serre Murphy
State:	FL
Agency:	Federal Trade Commission
Rule:	Email Authentication Questionnaire
Docket ID:	To Be Added
Attachment:	516761-100003.pdf Download Adobe Reader

Comments:

Answers to Specific Questions

1-SPF and other anti-spam and anti-phish strategies (e.g. reverse PTR).

2-No modifications. (Our test was more a live production experience than a test). We decided to reject mail that only met the "Fail" criteria. (We accepted mail that was evaluated as "Softfail" and "Inconclusive".

3-We tested product functionality of a comercial product, Argosoft Mail Server Pro for Windows. We operate a production mail server for several clients, most of whom are small businesses. In early May we configured the server so that it would reject messages evaluated as "Fail" vs. SPF. The mail server also rejects mail that fails SMTP authentication (probably someone attempting to use as open relay), comes from a domain/IP blacklisted by Spamhaus, has SMTP protocol violations, and does not have a reverse PTR record. Statistics in the attached Excel spreadsheet show percentage of messages that were rejected by each method.

4-One server (Windows XP). Disk is 80 gigabytes. Not sure of speet. CPU is 1.2 gigahertz. Amount of memory is 256 meg.

5-Argosoft Mail Server Pro for Windows. Configured as noted in #3.

6-10,591

7-They were "live", "real" emails. They were rejected if not successfullly authenticated. Originator received a 5xx message if message was rejected.

8-32 days

9-Yes. When we bought the server in April, we tested it with messages originating from SPF compliant and non-SPF compliant domains for several test accounts.

10-47.7%.

11-Yes. By inspection, considerable perccentage of messages was sent by spammers and/or phishers. The amount of traffic from zombies seems to have diminished to practically zero, probably due to the reverse PTR requirement.

12-52.3% failed the combined authentication checks. 3.1% of the rejects (173 messages) were failed due to SPF "hard fails" (-).

13-We watch CPU and memory usage very closely on the mail server used for this test. It would appear that we could scale the amount of email traffic by at least a factor of 100.

14-CPU usage for the mail server rarely exceeds 1%.

15-NA

16-None. We operate this server as part of service to our customers. We believe that the email authentication checks that we have used are part of "Best Practices" for operating a mail server.

17-We have not tested Sender ID. We will test Sender ID when and if it is accepted as a standard, concerns about patents are eliminated, and our software vendor (Argosoft) provides SID testing capability.

18-As noted in #17, we will not test PRA records until they are standardized and any patent concerns are alleviated.

19-Yes. We will test Domain Keys and IIM when and if our software vendor includes this capability in the Argosoft Mail Server product line.

20-Testing is complete. Our customers are delighted to see more than a 50% reduction in spam and phishes. As noted above, we will test DK and IIM when they become more mature, and we expect that these technologies should lead to additional reductions in spam and phishes.