Thanks for that Scott.  The point about forwarding is well taken.

I'm definitely not suggesting using SPF as an end-all, just as a way
of saying: if it passes for select domains, let it through.  Your thoughts on
that are appreciated.


On Tue, Jan 19, 2010 at 4:39 PM, Scott Haneda <[email protected]> wrote:
> Hello K Post,
> Actually, this explains how a spammer can use forwarding and SRS to easily 
> spoof/dupe SPF into accepting an email.
>
> http://www.advogato.org/article/816.html
>
> Forwarding, which is something many, if not all, email servers rely on, 
> completely breaks SPF, and without a ton of work, it is very hard to unbreak 
> it.  Even with that work, it is still something a spammer can get past.
>
> We see more and more spam coming from 9.00-a-month hosting accounts in the USA 
> now.  It just shows that spammers are now willing to spend a little money to make 
> money.
>
> SPF was a good idea, but it required instant global adoption, which with 
> email is something that just cannot happen, as there are too many legacy 
> systems.  Some MTA makers refuse to even support it at all.
>
> I think it is beneficial, you just have to understand it, and I like to try 
> to use it as a weighted system, and not use it as a pass fail system.  That 
> seems to be a good balance.  I have never tried this in ASSP though.
> --
> Scott * If you contact me off list replace talklists@ with scott@ *
>
> On Jan 19, 2010, at 12:42 PM, K Post wrote:
>
>> Thanks for the input Scott.
>>
>> I'm not suggesting using this any time SPF passes, just for specific
>> domains, facebook in particular.  Obviously, we can't just allow spf
>> passes, or else all spammers would just setup their own domain, set
>> spf, and be golden.
>>
>> How are spammers spoofing the SPF?
>>
>> Aren't we only comparing the IP that's hitting our server and then checking
>> the SPF record in DNS for that domain to ensure that it's an allowable
>> sending IP?
>>
>> To spoof this, wouldn't the spammer need to modify the DNS record?
>> I must be missing something.
>>
>> Thanks
>>
>> On Tue, Jan 19, 2010 at 2:32 PM, Scott Haneda <[email protected]> wrote:
>>> Facebook is in and out of spamcop all the time. Whitelist them.
>>>
>>> I caution you on your SPF ideas, as it is possible for spammers to
>>> spoof SPF, and we are seeing it more often.
>>>
>>> I like SPF as a weighted idea, and spamcop too. Spamcop is one dnsbl
>>> you can not just block / accept on unless you have solid dns
>>> whitelists in place.
>>>
>>> --
>>> Scott
>>> (Sent from a mobile device)
>>>
>>> On Jan 19, 2010, at 7:48 AM, K Post <[email protected]> wrote:
>>>
>>>> just noticed one of the facebook messages being blocked:
>>>> DNSBL, 69.63.178.178 listed in bl.spamcop.net
>>>>
>>>> so it's not even a bayesian error...
>>>
>>
>
>
>

------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for Conference
attendees to learn about information security's most important issues through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
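An added example, not code from the thread, from ASSP or from Facebook: a toy SPF evaluator over a constructed DNS table that walks through the cases argued above, namely the IP-versus-DNS-record comparison K Post describes, how a plain forwarder makes that comparison fail, what SRS changes about it, why a pass for a spammer-owned domain proves nothing, and a weighted rather than pass/fail use of the result. Every domain, IP, SPF record and weight below is made up (documentation ranges and .example names), only the ip4, include and all mechanisms are implemented, and no real DNS is queried.

```python
"""Minimal SPF evaluator over a constructed DNS table (added example).

Assumptions: all domains, IPs and records are hypothetical; only ip4,
include and all are handled; nothing here talks to real DNS.
"""
import ipaddress

# Constructed DNS TXT data (hypothetical domains, documentation IP ranges).
DNS_TXT = {
    "social.example":      "v=spf1 ip4:192.0.2.0/24 include:_spf.social.example -all",
    "_spf.social.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "forwarder.example":   "v=spf1 ip4:203.0.113.10 -all",
    "spammer.example":     "v=spf1 ip4:203.0.113.200 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP.

    This is the comparison K Post describes: the IP talking to our MTA is
    matched against the IPs the envelope-sender domain publishes in DNS.
    Returns pass / fail / softfail / neutral / none / permerror.
    """
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # An include matches only when the included record yields pass.
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        else:
            return "permerror"           # mechanism not implemented in this toy
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no explicit all


def check_mail(envelope_from, client_ip):
    """SPF result for the domain in the SMTP MAIL FROM (not the header From)."""
    return spf_check(envelope_from.rpartition("@")[2], client_ip)


def srs_rewrite(envelope_from, forwarder_domain):
    """Sender Rewriting Scheme, simplified: the forwarder replaces the envelope
    sender with an address in its own domain, so the next hop evaluates SPF
    against the forwarder's record, not the original sender's. The hash and
    timestamp fields are placeholders; real SRS uses an HMAC and a timestamp.
    """
    local, _, domain = envelope_from.partition("@")
    return f"SRS0=HHHH=TT={domain}={local}@{forwarder_domain}"


def forwarding_demo():
    """Walk the cases from the thread and return the SPF result of each."""
    original = "alerts@social.example"
    # 1. Direct delivery from one of the sender's own published IPs.
    direct = check_mail(original, "192.0.2.25")
    # 2. Same message relayed by a forwarder (say a user's old mailbox): the
    #    envelope sender is unchanged but the connecting IP is now the
    #    forwarder's, which social.example never listed, so SPF fails.
    forwarded_no_srs = check_mail(original, "203.0.113.10")
    # 3. The forwarder applies SRS: the check now runs against
    #    forwarder.example and passes, but that pass vouches for the
    #    forwarder only, not for social.example.
    forwarded_srs = check_mail(srs_rewrite(original, "forwarder.example"),
                               "203.0.113.10")
    # 4. A spammer's own domain lists its own cheap host: SPF passes, because
    #    SPF only says "this IP may send for this domain", nothing about spam.
    spammer_own = check_mail("promo@spammer.example", "203.0.113.200")
    return {"direct": direct, "forwarded_no_srs": forwarded_no_srs,
            "forwarded_srs": forwarded_srs, "spammer_own_domain": spammer_own}


def spf_weight(result, domain, trusted_domains):
    """Weighted use of SPF rather than pass/fail: a pass earns a bonus only
    for domains we chose to trust, a hard fail is penalised for anyone, and
    everything else is ignored. The weights are arbitrary illustration values.
    """
    if result == "pass" and domain in trusted_domains:
        return -2.0
    if result == "fail":
        return 1.5
    if result == "softfail":
        return 0.5
    return 0.0
```

The whitelist idea from the thread maps onto `spf_weight`: the bonus is keyed on the envelope domain the pass was actually evaluated for, so an SRS-rewritten or spammer-owned sender gets no credit just for passing, and a forwarded message that fails is only nudged, not rejected outright.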
