Version 2

    Email Fingerprints

     

    Draft

     

    Purpose

     

    This draft proposes a standard for creating server-generated ASCII fingerprints and server-managed "trust circles" for determining the distribution of fingerprints.  The intent is to drastically reduce spam through identification.  A fingerprint-enabled server will route mail which has a fingerprint to the appropriate non-suspicious folder.  Mail without a fingerprint will be rated as more likely to be spam.

     

    Challenges

     

    This proposed standard is only useful if existing mail clients and servers support it.  We plan to further this goal by adding these features to the Mozilla mail client and potentially producing a reference implementation to show ideal mail client support.  Potentially, we will also extend the ChandlerMailClient.  Lastly, we may submit a draft to the IETF, which manages other email standards such as SMTP, POP and IMAP.

     

    Overview

     

    Mail Fingerprints are intended to reduce spam by requiring mail clients to pass along a "fingerprint" which identifies a relationship with a user.  Mail fingerprints are generated by the mail server and can be retrieved by the fingerprint-enabled client.  Users send their fingerprint to other users, preferably via safe and secure means (SSL-enabled web pages, encrypted mail transport, etc).  Fingerprints expire periodically, and users can request emergency expiration.  When a fingerprint expires, the server automatically generates a new one.  Users can identify mail senders by mail host address and email address, and those senders can automatically download the new fingerprint provided they have the old one.  Although this method is not entirely secure, it should protect against most foreseeable automated spam tools.

     

    Fingerprints are implemented primarily as an extension to the SMTP protocol.  SMTP servers supporting fingerprints provide the following extended commands:

     

    • FPRINT - retrieve fingerprint for user

    • EXPRNT - expire fingerprint for user

    • SETEXP - set expiration period

    • SETPRT - set fingerprint for session

    • ADFPRT - add an address to the list of fingerprint recipients

     

    Additionally, servers will recognize a mail header, fingerprint:, which should provide the user's fingerprint.
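
    The server-side behaviour described above (generation, expiration, the trust circle and routing on the fingerprint: header), modelled in Python as an added example that is not part of the draft.  Assumptions: the class and method names, the random token format, the folder names "inbox" and "suspect", and the reading that a message must carry the recipient's current fingerprint and come from an address added with ADFPRT.

```python
import hmac
import secrets
import time
from email import message_from_string
from email.utils import parseaddr


class FingerprintMailbox:
    """One user's fingerprint state on a fingerprint-enabled server (model)."""

    def __init__(self, period=30 * 86400, now=time.time):
        self.period, self.now = period, now  # SETEXP: expiration period, seconds
        self.circle = set()                  # ADFPRT: addresses given the fingerprint
        self.current = self.previous = None
        self._rotate()

    def _rotate(self):
        self.previous = self.current
        self.current = secrets.token_urlsafe(24)  # ASCII token; format is assumed
        self.expires = self.now() + self.period

    def fprint(self):
        """FPRINT: return the fingerprint, regenerating it if it has expired."""
        if self.now() >= self.expires:
            self._rotate()
        return self.current

    def exprnt(self):
        """EXPRNT: emergency expiration; a new fingerprint is generated at once."""
        self._rotate()

    def adfprt(self, address):
        self.circle.add(address.lower())

    def renew(self, address, old):
        """Give the new fingerprint to a circle member who presents the old one."""
        current = self.fprint()
        known = address.lower() in self.circle and self.previous is not None
        if known and hmac.compare_digest(old.encode(), self.previous.encode()):
            return current
        return None

    def route(self, raw_message):
        """'inbox' for a valid fingerprint from a circle member, else 'suspect'."""
        msg = message_from_string(raw_message)
        presented = str(msg.get("Fingerprint") or "").strip()
        # The From header is not authenticated by SMTP; it only narrows the match.
        sender = parseaddr(str(msg.get("From") or ""))[1].lower()
        valid = hmac.compare_digest(presented.encode(), self.fprint().encode())
        return "inbox" if valid and sender in self.circle else "suspect"
```

    The fingerprint comparison uses hmac.compare_digest so that checking a presented value does not leak, through timing, how much of it matched.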