Re: [Declude.JunkMail] SPF - Missing the Point

[Matt]

Andy, Thanks for the kind words.  My answer was more so an indirect response instead of a direct one. As far as your points go, please allow me to piece them out. a) It is plain fact that the largest providers do check SPF, which in turn means that Joe-Jobs have a drastically lower impact on the spoofed domain's owner. It depends on the joe-job.  Most of them target random domains and not necessarily the largest providers.  If providers are rejecting on SPF-FAIL alone, then that is actually even more reason for me to not implement SPF on my own domains and advise customers to skip this as well.  There are just too many legitimate exceptions to this that would cause an SPF-FAIL on a strictly defined record.  If I was to define the records less specifically, it doesn't have much practical use since this would be like saying it can come from anywhere...and in fact it can.  The worst joe-job bounce issues that I see are where the open relay itself is what is bouncing the majority of messages.  Open relays are not likely to support SPF.  Other servers that bounce the joe-jobs are ones that accept all E-mail without authenticating, which is a huge mistake in this day and age, and I wouldn't expect for them to use SPF either since they can't seem to figure out how to validate addresses which is 100 times more important. b) It is also a fact, that spammers are very SPF aware (to the point that they create SPF records.) Static spammers (where they spam from their own servers) are aware of SPF and abuse it.  Zombie spammers can't make use of it and they are a whole different class in terms of what they do.  Forging is almost exclusive to zombie spammers.  They can be very sophisticated, but they don't cleanse their databases of things like SPF, they just generally rotate through either fake or known addresses as they attack servers with millions of addresses that mostly don't exist in the first place.  I have also found that many of these guys cache the IP addresses corresponding to MX records and they don't refresh this data for very long periods of time if ever.  I have changed MX records for domains that are still being spammed on the original IP over a year and a half later.  This is why we always attempt to lock down our gateway customer's servers, or at least try to get them to change IP's if that isn't practical. c) Based on my personal, admittedly anecdotal, experience (supported by common sense) it further appears to me that SPF protected domains would be less likely to get picked for Joe-Jobs than unprotected domains. This kind of points to my reply to a).  I don't think that the zombie spammers care.  They will attempt 1 million addresses on a domain with a single valid user, they don't care if every attempt is accepted or rejected, and they aren't even trying to capture the rejected addresses so save themselves processing on future attacks.  They aren't really even dictionary attacks by definition, they are just brute-force spam runs.  While you might have experienced some anecdotal proof of them caring about SPF, it doesn't make sense to me that they would ignore bigger issues such as repeatedly hitting invalid addresses and not bothering to update their IP cache of MX records.  These guys are social misfits, many of them with tens of thousands of zombies in their bot networks, and they don't care to micro-manage things.  Success to them is not just spamming a particular site, but also causing a bounce, overwhelming a server, or even just pissing you off.  I think that you might have the perception that these guys care.  I don't think they do. SPF just isn't anywhere near accurate enough for me to want to use on my system for catching spam, and it would create some double-hit problems with SPAMDOMAINS.  I can control SPAMDOMAINS, but I can't control what someone does for their own SPF records.  Many domains, especially the larger and more actively used ones, have many examples of fully legitimate use that will fail SPF, and while I might be smart enough to not block on that alone, there are others around here that will most definitely at least hold a message if it hits SPF-FAIL, and again I have no control over that except to either configure SPF records for every address, or not configure it at all. Since SPF has come out, forging spam has dramatically increased, and dictionary attacks have become much more common and fierce.  I tag this stuff with much more reliable tests such as Sniffer, enhanced URIBL functionality, DUL lists enhanced by my own data, technical heuristics that find zombie spamware patterns, blacklists, and custom combo filters that know that a combinations like a DUL hit, a Sniffer hit and an XBL hit together is stronger than the three alone.  It works incredibly well on my system and I don't feel that I need any more tools to block such things, though tweaking them can help of course. My opinion remains that SPF, while well intentioned, lacks the ability to be accurate enough to be used reliably in real world circumstances, and it can create more issues than it solves on even properly administrated systems.  It totally fails at it's original primary goal of authenticating good E-mail.  All of these issues should have been obvious since the very beginning. IMO, this effort should have gone into pushing port 587 functionality and adoption in not just mail servers, but also in mail clients as a default config so that we could move towards blocking port 25 on broadband connections without affecting legitimate use.  This would cut down on not just spam, but also the viruses that opened the computers in the first place.  Resistance to blocking port 25 is totally a consequence of not having a legitimate alternative. Matt Andy Schmidt wrote: Hi Matt:   I read your posting (because you are always insightful), but I'm not sure that your message actually applies to what I had said (and to which Andrew had commented on) or if you may be answering to a different part of the conversation. Certainly nothing Utopian in what I wrote?   a) It is plain fact that the largest providers do check SPF, which in turn means that Joe-Jobs have a drastically lower impact on the spoofed domain's owner.  b) It is also a fact, that spammers are very SPF aware (to the point that they create SPF records.)  c) Based on my personal, admittedly anecdotal, experience (supported by common sense) it further appears to me that SPF protected domains would be less likely to get picked for Joe-Jobs than unprotected domains.   Here is what I had written: How many times have we received angry emails or hundreds of bounce messages from other ISPs because some Spammer was sending mail with a fake email sender - using OUR domain names? If you define SPF for your own (and client) domain names, then the largest ISPs won't accept the spam that has your email address faked, thus you and your clients will no longer be bombarded with responses/complaints/bounces to messages you never sent in the first place. The effect of having SPF defined is, that FEWER spammers even bother trying to abuse YOUR domain name, because they know that a lot of their spam would never reach anyone.  Instead, they now use their own domain names and even set up SPF for those.  To me - that ripple effect alone justifies SPF! Best Regards Andy Schmidt Phone:  +1 201 934-3414 x20 (Business) Fax:    +1 201 934-9206   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Thursday, September 08, 2005 01:55 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] SPF - Missing the Point But isn't this utopian?  The majority of situations have exceptions as they apply to SPF, and in a world where there are open relays on every corner, many servers without proper reverse DNS records, etc., would you really want to trust others to maintain SPF records accurately? I use a custom filter for tagging local domains in incoming E-mail.  Since all of my customers' servers are whitelisted, and hosted clients are also whitelisted through AUTH, I can add a couple of points for anything with a Mail From that matches something that I handle.  This does have false positives, many in fact due to mailers that forge such as greeting cards or feedback forms, devices that send out notifications with their own SMTP engine, people that are port 25 blocked or proxied, configured to use their own ISP's SMTP server, Web applications, etc.  SPF isn't required to do this.  I don't trust how well some random admin manages their own SPF records, and if I had my own SPF records, I wouldn't trust how some random admin treated a failure among my own customers.  At least they aren't going to be tagged for sending E-mail from someplace that they didn't know not to send from, and is otherwise perfectly acceptable.  I am obviously not going to give any credit to anyone for passing SPF either.  Passing SPF is a better indication of spam than of legitimate E-mail these days for incoming traffic. I have never been a big fan of SPF because of what I saw as an impractical and unreliable implementation in the real world.  It really isn't any better than Habeas once you get down to it, but people ate that up for a while as well.  We have many tools available to us these days that are quite effective and much more accurate.  Forging spam almost never leaks through my system, and it's not something that I care to focus on at all these days.  It's things like Advance Fee Fraud, Phishing, Niche Spam, and First Run Static Spam that concern me. Matt Colbeck, Andrew wrote: That's right on the money, Andy. I agree 100%. Andrew 8) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt Sent: Thursday, September 08, 2005 8:48 AM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] SPF - Missing the Point still unacceptable and reason enough for me to discard SPF completely. << I think the discusson is missing the key point of SPF. Sure, this list is focused on INCOMING spam, and thus we restricting our discussions to SPFFAIL/SPFPASS and how to use it in Declude. However, that ignores what SPF is designed to do: How many times have we received angry emails or hundreds of bounce messages from other ISPs because some Spammer was sending mail with a fake email sender - using OUR domain names? If you define SPF for your own (and client) domain names, then the largest ISPs won't accept the spam that has your email address faked, thus you and your clients will no longer be bombarded with responses/complaints/bounces to messages you never sent in the first place. The effect of having SPF defined is, that FEWER spammers even bother trying to abuse YOUR domain name, because they know that a lot of their spam would never reach anyone. Instead, they now use their own domain names and even set up SPF for those. To me - that ripple effect alone justifies SPF! Thus, without question, SPF should be in place for all domains you control. Specially for alias/vanity/web-only domains that never send any email. Ideally, in addition, set up SMTP AUTH for your clients so that you can use SPFFAIL for incoming mail and, if you choose, ignore SPFPASS for now. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206