X-ASVP Committee Website

X-ASVP isn't really a "mousetrap" at all, it's a method of describing "mousetraps" in a general way so that the senders and receivers of SMTP mail have a standard way to communicate the methods and level of authentication required to get a message into a recipient's Inbox.

X-ASVP allows people who want to filter e-mail using the X-ASVP e-mail header to "advertise" the level of authentication they need in what's called a "meta-document". This meta-document is posted in a predictable location on the Internet so that people who want to send e-mail to the recipient can look at the meta-document and figure out how to comply.

Actually, it's quite easy. The best part is that your ISP can do it for you at very little cost to them. If your ISP hasn't implemented X-ASVP yet, you should ask them why not.

That's OK. You can use X-ASVP without the help of your ISP. It takes a little more computer savvy, but all you need to do is become a X-ASVP Individual Member, so that your secondary level search path provider will host your meta-document. Once that's done, you set a filter in your e-mail program that flags (or deletes) items that don't comply with the requirements stated in your meta-document.

A meta-document is just a web page that lists the specifics of how you choose to implement X-ASVP. Most people will implement the Level 1 Extension 3 known as "ASVP-WEB". For those people, their meta-document will show a token that has to be included in your incoming e-mail X-ASVP header.

Sure, a spammer can grab your token and attach it to an e-mail just like anyone else that you want to receive e-mail from, but if they do that, they've left their real IP address in the log of the meta-document web server, which gives ISP's a quick way to track them down and get their machine blocklisted. The retrieval of a meta-document can also be configured to take a few seconds, which would be invisible to you since you only send a couple e-mails at a time, but adds up quickly for a spammer trying to send millions of e-mails at a time. This would seriously reduce the amount of mail that a spammer could send in any period of time.

That depends on you, and what you use for a token, and how you verify it. X-ASVP doesn't define how tokens are generated or verified, it's just the transport mechanism. Token generators are the "secret sauce" of how users (or their ISP's) implement the protocol. Some will be easy to spoof, some will be near impossible. The X-ASVP technology working group posts suggestions for ISP's to make their token generators and verifiers more robust and more difficult to spoof.

You can use a very simple token and still be very effective. It's not about being perfect, it's about being better than today. (Perfect is described in X-ASVP Level 9.) So having a static token that's very simple to verify in e-mail client filters is not perfect, but it's very easy to implement, and can be very effective, as spammers don't know that your token is static, or that you're filtering based on the static part of a larger token. They still have to visit the meta-document at least once, which slows them down and leaves their trail.

As more and more ISP's implement the protocol, the system actually becomes LESS vulnerable to denial of service, because when implemented by both the sender and receiver ISP's, X-ASVP becomes a peer-to-peer protocol. While there is a need for secondary (tld) and tertiary (global) meta-document hosts to provide a level of redundancy and universality for the protocol, when the protocol is used between ISP's, the "central" parts of the infrastructure (the meta-document hosts, and the part one would expect to be attacked) are not necessary. So even if they were attacked, the protocol continues to work.

Frequently Asked Questions - Sustaining Members

First, setting up an X-ASVP host is easy. All you need is a virtual host on your web server that rewrites all valid requests to a script like the "meta-doc-complex.txt" example (PHP script) in the meta-document examples area. Now, whether or not you actually train your MTA to look for tokens, you just forced spammers to make a choice of whether or not they will attempt to be compliant with the protocol for your domain. Since they don't know whether or not you're filtering on the token, they either have to give up their IP to the token-generator, attempt to spoof a token, or give up on getting spam-mail into your domain. The worst part for a spammer, is that every X-ASVP host is a potential honeypot or tarpit for them. It may not be, but they take that chance any time they decide to leave their real IP behind on an X-ASVP host. They could spoof tokens, but that only matters to you if you're actually filtering based on tokens.....and you can make a better token generator that isn't so easily spoofed. Or, they can give up on your domain, and isn't that the goal? So whether or not you use the token to filter, it makes sense to support the protocol. It's so easy to set up an X-ASVP host, why wouldn't you?

The technology working group is continually working on improved methods for creating token generators and verifiers. You are welcome to participate in the working group. Initially, we suggest generating a format that includes several pieces of data concatenated together, including those described on the "Executive View" data flow diagram, in the diagrams area of this website. Here are some examples.

If you have highly available systems that never go offline, then you don't. However, if you are filtering SMTP mail based on a token, and your systems sometimes go offline, you would want a copy of your token generator on the secondary search path provider so that senders can still get tokens while your systems are being maintained.

How is the level of support calculated for the membership benefit of having a backup token generator hosted by a secondary path provider?

Secondary path (x-asvp.tld) owners provide a valuable service to the Internet community. They have invested time, effort and capital into building the necessary universal infrastructure for this protocol to work and benefit the global internet community as a whole. This infrastructure requires continued investment and operational maintenance. Your membership in the X-ASVP Committee helps to defray these costs and ensure continued investment in future infrastructure.

Sustaining Member suggested donations is calculated by the size of the member's end user community:

Number of end users	Support Level per year
0-1,000	$500 USD
1,000-10,000	$100 + 0.40 per user
10,000-50,000	$1600 + 0.25 per user
Above 50,000	$9,000 + 0.10 per user

This is dependent on your particular secondary path provider. Most support PHP within an html document. Specifics are continually discussed in the technology working group forum. Contact your secondary path provider directly If you have specific questions.

Frequently Asked Questions - Controlling Committee Members

How do I become a Controlling Committee Member?

Register the "x-asvp" host within a top level domain. Set up the supporting infrastructure. Agree to the Committee Bylaws. Contact the Board to announce your support and set up the reciprocal agreement.

What resources are available to Controlling Committee Members?

Once registered with the Board, Controlling Committee Members are given access to the Committee Resource Library. This is where you will find meeting notices and agendas, internal working form templates, and operational management tools.

Contact the X-ASVP Committee

X-ASVP Chair
2443 Fair Oaks Blvd #147
Sacramento, CA 95825, USA
Email: chair@x-asvp.org

Frequently Asked Questions - Individual Members

Frequently Asked Questions - Sustaining Members

Frequently Asked Questions - Controlling Committee Members

Contact the X-ASVP Committee