Dombox — The Zero Spam Mail System

10 min read Original article ↗

When you enable “Restricted Mode” for the first time, you must agree to our “Restricted Mode” terms.

You can turn on/turn off this mode anytime.

When it’s turned off, it allows emails from everyone. But not from the “Blacklisted” contacts

When it’s turned on, it allows emails only from the “Whitelisted” and “Neutral” contacts. For all others “Injection” rules apply. {Refer next section}

If you send an email to a new contact, it will be automatically whitelisted.

If you ever deactivate the Domboxes extension, then the restricted mode will be deactivated too.

This is the end result, once you activate “Restricted Mode”.

Press enter or click to view image in full size

Phase 3: Injection

Via “Isolation” you allow only certain “Websites” to mail you and via “Restriction” you allow only certain “Individuals” to mail you.

Injection phase only deals with “Strangers” and rely on Challenge/Response mechanism to detect spam mails.

This phase contains few methods.

Method 1: Intro via a Mutual Contact

Method 2: CAPTCHA

Method 3: Phone Number Validation

Method 4: Proof-of-Work (PoW)

Method 5: Attention Fee

I’m going to explain only the CAPTCHA method here. Please refer my white paper for detailed description of other methods.

This method works exactly like Google reCAPTCHA. The idea is that spammers usually send millions of mails. They don’t have enough time to manually enter the CAPTCHA.

Since we already isolated the website mails, websites don’t have to worry about entering the CAPTCHA.

When you enable “Restricted Mode”, the warning text would look something like this.

Caution:
You are about to enter a sensitive zone.
"Restricted Mode" is intended for the boxes that deals with only conversational mails. So offload all website related mails to the Domboxes before you enable this mode.
When the Restricted Mode is ON, we will send a challenge mail to the Sender if the sender is not found in your "Address Book".  
Real users can respond to those challenges. e.g. CAPTCHA. But automated and bulk mailers cannot. So their mails **never** gonna reach your inbox when the box is Restricted. 
Do you understand what you are signing up for?
(a) Yes, I know what I'm doing
(b) No, Get me out of here.

When the Restricted Mode is ON, then our system will be considered as Email 2.0

This is how our challenge mail would look like.

From: challenge@dombox.org
To: someuser@gmail.com
Sub: Mail Delivery Pending
Message:
The following recipients enabled Restricted Mode.
user1@domboxmail.com
user2@domboxmail.com 
user10@domboxmail.com			
And your contact not found in the recipient Address Book.
Please verify that you are human by filling the CAPTCHA in the following link to deliver the mail.
https://www.domboxmail.com/challenge/abcde/fghij
Our apologies for the inconvenience.

Challenge Form

Backscatter Attacks

Email can be easily forged.

If a mail we receive says it’s from “president@whitehouse.gov”, that’s not always gonna be true. If we keep sending our challenge mail to “president@whitehouse.gov”, then we have a far more serious problem.

So we need to make sure mails from “Strangers i.e. unknown senders” are not forged.

Sender Policy Framework

SPF is one of the best mechanisms we have for email to detect email spoofing. We compare the “Incoming mail IP address i.e. Client IP” with the whitelisted IP addresses found in the “Envelope Domain” SPF record.

For example this is the SPF record of facebook.com

But there is one bigger problem with SPF. It’s an optional mechanism. i.e. There is no internet standard that says, a domain MUST configure SPF.

The popularity of SPF record fades away once we get past the Alexa top 1 million domains. So if we rely only on SPF record, then the solution may work for the 100th domain, but not gonna work for the 100 millionth domain.

Hot Gates Strategy

Whatever we did so far, just to have the content you are gonna see from this point forward. So pay strict attention.

Have you ever watched the Gerard Butler starred movie 300? If yes, let me ask you a question?

Press enter or click to view image in full size

In that movie, King Leonidas and his soldiers battle against 300,000 persian soldiers, near a narrow pass called “Thermopylae aka. Hot Gates”.

My question is, Why Hot Gates? Why not battle in an open ground?

That’s because these spartans strength not only lies on their superior fighting skills, but also lies on their tactical advantage. Without “Hot Gates”, the whole battle would have been an instant massacre.

Challenge/Response mechanism is a weapon that should be used in a narrow battle like “Hot Gates”. But every C/R based spam solution out there, trying to use the C/R mechanism in an open ground battle. That is the main reason why C/R mechanism is flawed and not popular even though it got patented 20 years back.

Email is ubiquitous. You know what else is ubiquitous?

MX Records. They were introduced in 1986.

Let’s refresh our memories.

  • We classified the mails into three categories. Conversational Mails, Transactional Mails and Promotional Mails.
  • We offloaded Transactional Mails and Promotional Mails to Domboxes.
  • Users agree that they are gonna use the Mailboxes only for “Conversational Mails” when “Restricted Mode” is ON.

So… In “Injection” phase, we are dealing with only “Strangers”. Not just any strangers. We are talking about “Conversational Mail Strangers”. Context really matters here.

We already gave unrestricted access to websites and apps in Domboxes via “Isolation”. So, there is no such thing as “Transactional Mail Strangers” or “Promotional Mail Strangers” in our system.

The term “Conversational Mails” can be termed as MX-to-MX Mails.

e.g. When john@example.com sends an email to jane@gmail.com, Gmail.com MX record is queried and then mail will be transferred to one of the Gmail MX servers. When Jane reply to that mail, example.com MX record is queried and then mail will be transferred to one of the example.com MX servers. So Conversational Mails requires MX record on both sides.

So “MX Records” should be the “Hot Gates” of our Challenge/Response based email system. i.e. We actually diverted the spammers to the injection phase by Isolating and Restricting the genuine senders.

Our primary clue for verifying mail genuineness now is “MX Records”. Let’s verify these stranger mails.

MX Records

MX Records can be classified into two categories. Self-Hosted and Third-Party Hosted

Self-Hosted

When a mail coming from richard@piedpiper.com, we are gonna compare the “Incoming mail IP i.e. Client IP” address with the IP addresses extracted from the following records.

dig MX piedpiper.com (MX Records)

dig TXT piedpiper.com (SPF Record)

dig A piedpiper.com (A Record)

Third-Party Hosted

When MX server domain not ends with the same domain, then that domain will be considered as a third-party hosted domain.

In this case, piedpiper.com hosting their mails in Google servers.

So we are gonna compare the “Incoming mail IP i.e. Client IP” address with the IP addresses extracted from the following records.

dig MX piedpiper.com (MX Records Points to google.com)

dig TXT piedpiper.com (PiedPiper SPF Record)

dig TXT google.com (Google SPF Record — The base domain of MX host)

dig A piedpiper.com (A Record)

Strangers

We can classify the Strangers into two categories based on the MX Record check we performed in the last section.

Verified Strangers and Unverified Strangers

Verified Strangers

Challenge/Response mechanism applicable only for verified strangers.

An incoming mail from the “Verified Stranger” will be accepted, but it will be put in the “Pending” folder. This is a system folder and cannot be accessed by the user.

If we display “Pending” folder to the user, then it beats the purpose of the system since “Pending” folder is a replacement for “Spam” folder.

If the sender responded to the challenge correctly, then the mail will be moved to the user inbox. If the sender do not complete the challenge within 30 days, then the mail will be discarded.

Unverified Strangers

If the receiving domain is a Self-Hosted system (e.g. @domboxmail.com), then the mails will be rejected with the following error.

550 Restricted Box. Unauthorized and Unverified Sender. Please configure SPF or Send this mail from one of your MX server IP address

99.99% of the “Unverified Stranger” emails are from either spammers or probably the websites you didn’t want to isolate.

Genuine Senders rarely get caught here. If a genuine sender get caught here, then it’s actually their mistake. Put it this way, they have an address in America for incoming mails, but outgoing mails are originating from Japan. That’s abnormal since we are talking about “Conversational Mails” here.

Small businesses usually don’t go for such abnormal setup. Anyone who go for such abnormal setup probably doing that for better networking policies. These networking professionals most likely knew what is an SPF record.

Besides we are giving crystal clear error message when rejecting the mail.

550 Restricted Box. Unauthorized and Unverified Sender. Please configure SPF or Send this mail from one of your MX server IP address

This is how 550 error message look like on the sender side when the mail gets rejected.

Press enter or click to view image in full size

If the mails are third-party hosted (e.g. @gmail.com), then the mails will be moved to Trash directly.

Domain Reputation

In Email 1.0, stranger reputation is tied to the IP address. Emails can be easily forged. If a spam mail says it’s coming from “president@whitehouse.gov”, we can’t just block the whole whitehouse.gov domain. We can only block or rate limit the IP address.

But In Email 2.0, only mails from “Verified Strangers” will be accepted. That means, mail is REALLY coming from the said domain since the domain is either whitelisted the IP address or mail received from one of their MX servers. So, stranger reputation not only tied to the IP address, but also tied to the domain.

So if you send spam mails via our “Injection Phase”, you are converting yourself from “Verified Stranger” to “Verified Spammer”. In such cases, we not only block your domain and IP address, but also build a block list similar to “Spamhaus Block List (SBL)” and then publish your domain and IP address there to help others.

Spam Filters

In our Injection Phase, we use Challenge/Response mechanisms like CAPTCHA. If you don’t want to annoy the sender, then you can stick with the typical Spam Filter.

Keep in mind, injection phase is all about “Verified Strangers” mails. So we use Spam Filter only for scanning “Verified Strangers” mails. Most Spammers are “Unverified Strangers”. So Email 2.0 with spam filter is much better than Email 1.0 with spam filter.

Email 2.0 + Spam Filter = Scan only Verified Mails. The sender owns the domain. So no Phishing or Spam since the owner take full responsibility.

We can also use “Domain Registration Date” to rate limit emails from “Verified Strangers”. i.e. If the domain is fresh, then we can respond with error message like “Your domain is a new domain and you have exceeded the daily limit. Please try again tomorrow or ask the recipient to whitelist your email address”

So Spam Filter based Email 2.0 is a three step process.

Step 1: Is the Sender is a “Unverified Stranger”? If yes, reject mail. Else proceed to next step.

Step 2: Is the domain is a fresh domain and daily limit exceeded? If yes, reject mail. Else proceed to next step.

Step 3: Scan the mail using Spam Filter.

Final Architecture

This is how Email 2.0 system architecture looks like.

White Paper

Whatever you have read so far is a heavily trimmed version of my 300 pages white paper and tries to offer only an overview of my system. My white paper solves many notable problems. Email Spam is one of them. So, There is more to it.

Please take a look at my white paper if you wanna understand my complete system. My white paper can answer the following questions.

What are the Box Types available? What are Dombox Layers? What is Mail Score? What is an Anomaly? What is Parallel Internet? What is a Portal? How Teleport Works? What are the Contract Terms? How Telescribe works? How Dombox works for Mailing Lists? How Dombox can prevent Phishing? How Dombox can help with Data Breach? How Dombox can help with Internet Privacy? What are the benefits of Dombox?

Download full white paper here.

Get Notified

My product is still a work in progress. And, I don’t have the ETA for release. But if you are Interested, I’m happy to notify you for the BETA once it is ready.

Please leave your email address here.

Notes & Links

Official Website: www.dombox.org

White Paper: Our white paper is a ~300 pages document that explains our Email 2.0 system from top to bottom.

For feedback and business enquiries, please send a mail to giri@dombox.org