Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Stephane Bortzmeyer

On Wed, Sep 08, 2004 at 04:59:51PM +,
 Paul Vixie [EMAIL PROTECTED] wrote 
 a message of 27 lines which said:

> you could bet that by closing off this avenue, SPF will force
> spammers to use other methods that are more easily
> detected/filtered, and that if you play this cat & mouse game long
> enough, it will drive the cost of spam so high (or drive the volume
> benefit so low) that it'll just die out.

Good summary. This is the right strategy.

> but to me, SPF is just a way to rearrange the deck chairs on the
> Titanic.

I can swim but I believe that the water under the Titanic was quite
too cold to stay. Any advice to the people on the NANOG mailing list
before the boat goes down?



Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Stephane Bortzmeyer

On Wed, Sep 08, 2004 at 03:15:14PM -0500,
 Robert Bonomi [EMAIL PROTECTED] wrote 
 a message of 37 lines which said:

> Same thing applies for 'simple' forwarding via sendmails '~/.forward'
> mechanism.  the mail server 'accepts' the mail from the original source,
> and then 're-sends' to the new destination.  That re-send originates as
> the _forwarding_party_, WITH an 'envelope from' of that forwarding
> party,

Sorry, this is simply not true (sendmail, postfix, etc, always keep
the original envelope from when forwarding).

> An SPF check of the _immediate_ sender does *NOT* break forwarded
> mail.

Even SPF people say it:

http://spf.pobox.com/faq.html#forwarding


Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Joe Rhett

Robert Bonomi [EMAIL PROTECTED] wrote 
> > Same thing applies for 'simple' forwarding via sendmails '~/.forward'
> > mechanism.  the mail server 'accepts' the mail from the original source,
> > and then 're-sends' to the new destination.  That re-send originates as
> > the _forwarding_party_, WITH an 'envelope from' of that forwarding
> > party,
>
On Fri, Sep 10, 2004 at 09:55:55AM +0200, Stephane Bortzmeyer wrote:
> Sorry, this is simply not true (sendmail, postfix, etc, always keep
> the original envelope from when forwarding).
>
I'm not sure where true diverges from reality in your analysis, but
perhaps you should create one of those mail environments and test before
you put your foot in your mouth again?

-- 
Joe Rhett
Senior Geek
Meer.net


Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Stephane Bortzmeyer

On Fri, Sep 10, 2004 at 01:57:51AM -0700,
 Joe Rhett [EMAIL PROTECTED] wrote 
 a message of 19 lines which said:

> I'm not sure where true diverges from reality in your analysis,
> but perhaps you should create one of those mail environments and
> test before you put your foot in your mouth again?

Good idea, I plan to install a Fedora this weekend and to learn a bit
about Postfix. Your wide experience will certainly help.

If you think that sendmail or postfix modify the envelope from when
forwarding, I suggest that you send your big discovery to the IETF
MARID working group, where it may change a lot of things in the
current discussion about Sender-ID :-)
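The forwarding case argued over above, as an added example that is not code from any of these posts: a toy SPF evaluator plus a simplified SRS0 sender rewrite, run over constructed records. It assumes, as sendmail's ~/.forward does, that plain forwarding keeps the original envelope sender; the domains, IPs, day number and secret are made up.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real zones).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",          # alice's domain
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",   # host holding bob's ~/.forward
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from_domain):
    """Toy SPF evaluator: only ip4/ip6 and 'all' are implemented, which is all
    the forwarding case needs. Returns pass/fail/softfail/neutral/none."""
    record = SPF_RECORDS.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no 'all' term


# Simplified SRS0 rewrite (shape follows the SRS paper: SRS0=HHHH=TT=domain=local).
SRS_SECRET = b"constructed-forwarder-secret"  # assumption: the forwarder's private key
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def srs_timestamp(day):
    """Two base32 characters encoding the day number modulo 1024."""
    return B32[(day >> 5) & 31] + B32[day & 31]


def srs_decode_timestamp(ts):
    return B32.index(ts[0]) * 32 + B32.index(ts[1])


def srs_hash(ts, domain, local):
    mac = hmac.new(SRS_SECRET, f"{ts}{domain}{local}".lower().encode(), hashlib.sha1).digest()
    return base64.b32encode(mac)[:4].decode()


def srs_forward(mail_from, forwarder_domain, day):
    """Rewrite the envelope sender so the forwarder becomes the SPF-responsible domain."""
    local, _, domain = mail_from.rpartition("@")
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, day, max_age_days=21):
    """Map a bounce to an SRS0 address back to the original sender, refusing
    forged (bad hash) or stale (old timestamp) addresses so the forwarder does
    not become a relay for arbitrary backscatter."""
    local = address.rpartition("@")[0]
    tag, h, ts, domain, orig_local = local.split("=", 4)
    if tag != "SRS0":
        raise ValueError("not an SRS0 address")
    if not hmac.compare_digest(h, srs_hash(ts, domain, orig_local)):
        raise ValueError("SRS hash mismatch")
    if (day - srs_decode_timestamp(ts)) % 1024 > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


def srs_is_valid(address, day):
    try:
        srs_reverse(address, day)
        return True
    except ValueError:
        return False


def forwarding_scenario(day=12670):
    """alice@example.org -> bob@forwarder.example, whose ~/.forward passes the
    message on. The final MX sees the forwarder's IP as the SMTP client. Returns
    the SPF verdict before and after the forwarder applies SRS, and the rewritten sender."""
    forwarder_ip = "198.51.100.25"
    original = "alice@example.org"
    # Plain forwarding keeps alice's envelope sender, so SPF is evaluated for
    # example.org against the forwarder's IP: a hard fail.
    before = spf_check(forwarder_ip, original.rpartition("@")[2])
    rewritten = srs_forward(original, "forwarder.example", day)
    after = spf_check(forwarder_ip, rewritten.rpartition("@")[2])
    return before, after, rewritten


if __name__ == "__main__":
    before, after, rewritten = forwarding_scenario()
    print(f"plain forward: {before}; with SRS: {after} as {rewritten}")
    print("bounce reverses to", srs_reverse(rewritten, day=12675))
```

The before/after verdicts show why an SPF check of the immediate sender rejects forwarded mail unless the forwarder rewrites the sender (or the final domain whitelists the forwarder's IP).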


Re: Spammers Skirt IP Authentication Attempts

2004-09-10 Thread Paul Vixie

> > you could bet that by closing off this avenue, SPF will force
> > spammers to use other methods that are more easily detected /
> > filtered, and that if you play this cat & mouse game long enough, it
> > will drive the cost of spam so high (or drive the volume benefit so
> > low) that it'll just die out.
>
> Good summary. This is the right strategy.

on the contrary.  it has been a bad strategy and is still a bad strategy.

> > but to me, SPF is just a way to rearrange the deck chairs on the
> > Titanic.
>
> I can swim but I believe that the water under the Titanic was quite
> too cold to stay. Any advice to the people on the NANOG mailing list
> before the boat goes down?

the boat will never go all the way down -- the internet, and e-mail, are
survivable.  however, it will get very cold where you are, since you'll
be floating in atlantic icewater while clinging to floating wreckage.  if
that fate does not appeal to you, then embrace change.  specifically, the
kind of change that makes you cringe in fear because it is so alien.  i'm
referring to whitelists, webs of trust, trusted introducers, micropayments,
and bonding.  if you insist on an inbox that's open to all comers no matter
what their intentions or reputation, then get out your snorkel.


Re: Spammers Skirt IP Authentication Attempts [operational content at end]

2004-09-09 Thread Rich Kulawiec

[ Two replies in one.  Last point has operational content. ]

On Wed, Sep 08, 2004 at 01:52:59PM +0100, [EMAIL PROTECTED] wrote:
> I see that 56trf5.com is a real domain. Does this mean that
> the domain name registries and DNS are now being polluted
> with piles of garbage entries in the same way that Google
> searches have been polluted with tons of pages full of
> nothing but search keywords and ads?

Absolutely.   As one example out of thousands, there are at
least 350 domains names of the form:

aaefelb.info
abbbafd.info
acdfiaj.info
aclbkcdc.info
adkehgi.info
aeamdgi.info

that have been burned through by one currently-active group of spammers.
Another group has about 16,700 domains (and counting) that I'm aware of.

Note also the relationship between this proliferation, the zombies,
and rapidly-updating DNS -- see below.

On Wed, Sep 08, 2004 at 01:26:27PM -0500, Robert Bonomi wrote:
> I _do_ think that it is _a_step_ 'in the right direction'. I'd *love* to
> see SPF-type data returned on rDNS queries -- that would practically put
> the zombie spam-sending machines out of business.

Not even close, I'm afraid.  Yes, it would deal, to some extent, with
direct-to-MX spam from them (*if* all the domain they were forging
cooperated), but:

1. Nothing stops those zombies from sending out spam via the mail
servers on the networks on which they're located.  (And in the process,
forging either the address of the former owner of the zombie or another
user on the same network.)

Before you say "but the network operators would detect and fix that",
let me point out that zombie-generated spam has been epidemic for
going on two years and many -- MANY -- ISPs have yet to perform basic
network triage that could mitigate much of this very quickly.  It's
reaching, I think, to expect that those same ISPs, who by now have grown
quite comfortable sitting on their hands, would do anything about this.

(I recently speculated on Spam-L that I was willing to bet that at
least one such ISP would respond by plugging in more mail servers
in order to alleviate the resulting congestion.  Bruce Gingery promptly
pointed out that this is a sucker bet: it's already happened.)

2A. Nothing stops those zombies from embedding spam payloads in
ordinary messages sent by their [putative] users.  Mail grandma?
Spam grandma.

2B. Nothing stops those zombies from accepting spam payloads on port
 and writing it directly to disk in the place and format expected
by the end user's mail client.  No SMTP.  No DNS.  And with optional
forged headers proving SPF/DomainKeys/etc. validity, just in case
tools for checking those are in use.

3. Spammers have been using rapidly-updating DNS for quite some time
in order to spread out their zombie-hosted web sites.  With today's
change they can now extend that up a level: nothing is stopping them
from, say, registering 1000 domains, using 100,000 zombies to host
copies of the content, and using rapidly-updating DNS to distribute
the traffic (as well as making shutting it all down tedious).

And as if that won't be enough fun (and here's the operational bit):

4. This is the point that I think a lot of us tend to overlook: arguably,
SMTP spam from those zombies is the *least* of our problems.  Those
systems are under the control of an unknown number of unknown persons, and
can be put to many more uses -- and already have.  They've already been
observed hosting spamvertised web sites [1], probing for open proxies,
and participating in DDoS attacks.   They represent an enormous computing
resource that's effectively in the hands of The Bad Guys.  (To put this
in perspective, compare the estimated size of the zombie farm to the
much-vaunted Google cluster in terms of CPU count, aggregate bandwidth,
and network diversity.)

And as I said previously, none of the three entities who could do anything
about it (the zombies' former owners, consumer broadband ISPs, Microsoft)
are willing to step up, admit there's a problem, and do whatever it takes
to fix it.  There is thus no reason at all to expect the problem to decrease;
on the contrary, there is every reason (given the miserable track records
of all concerned) to expect it to increase.


---Rsk

[1] Including some with content of interest to the FTC, DEA, FBI, RIAA,
MPAA, BSA, SPA and other people who have lawyers, guns and/or money.
Makes sense from spammy's point of view: it's free, it's fault-tolerant
and scalable (thanks to rapidly-updating DNS), and maybe someone else
will get clobbered for it.


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Douglas Otis

J.D. Falk [EMAIL PROTECTED] wrote:
> On 09/07/04, Paul Jakma [EMAIL PROTECTED] wrote:
>
> > Then there's Sender-ID. Bulky XML in DNS, sigh.
>
> No, that was CallerID.  SenderID uses a format that looks and
> smells almost exactly like SPF.
>
> I only mention this to reduce the FUD.

Sender-ID requires the processing of a minimum of 10 TXT scripts that can
reference dozens of A, , MX, PTR, CIDR notation for IPv4 & IPv6
addresses, construct labels from various message fields, invoke
redirections, includes, exists macros, and specify both Pass/Neutral
open-ended lists, where each script is provided a total of 20 seconds.  In
addition, the draft requires undocumented extensions be ignored, even at
the released revision level.  Such amounts of DNS lookups of who knows
what may easily exceed normal mail traffic, and, with the 20 second
timeout (200 second total), it is unlikely exponential UDP back-off will
be obtained.  XML would have made it worse, but that does not mean there
is little reason for concern.

By simply authenticating the MTA EHLO and establishing a name, a mailbox
domain to MTA name relationship, as a name list, can be established within
a single DNS lookup without the use of script.  Importantly, the EHLO
establishes a name that does not assume mail channel integrity to be
useable for reputation assertions.  Such a mailbox domain to MTA name list
would not force the use of specific RFC2822 From mailbox domains, as it
would be independent of the MTA authentication.  Such a name list would
not expose users to harm by both being spoofed and then having their
mailbox domain blacklisted by reputation services mistakenly trusting
Sender-ID.  There is nothing within Sender-ID that indicates an MTA is
shared, or that Sender-ID was checked.

-Doug
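The lookup cost Doug Otis describes, as an added example that is not code from any post here: a static walker over constructed SPF records that counts the DNS queries a receiver must issue to evaluate one, following include: and redirect= and flagging loops. The zone, its domain names and the 10-query ceiling are assumptions (the ceiling is the one RFC 4408 later codified).

```python
# Constructed SPF records standing in for DNS TXT lookups (no real zones).
ZONE = {
    "bigcorp.example": ("v=spf1 mx include:_spf.saas.example include:_spf.crm.example "
                        "ip4:203.0.113.0/24 redirect=_more.bigcorp.example"),
    "_spf.saas.example": "v=spf1 include:_nb1.saas.example include:_nb2.saas.example ~all",
    "_nb1.saas.example": "v=spf1 ip4:198.51.100.0/24 a:relay.saas.example ~all",
    "_nb2.saas.example": "v=spf1 exists:%{i}.spf.saas.example ~all",
    "_spf.crm.example": "v=spf1 mx ptr a -all",
    "_more.bigcorp.example": ("v=spf1 a:mail.bigcorp.example mx:backup.bigcorp.example "
                              "include:_spf.saas.example -all"),
    "loop.example": "v=spf1 include:loop2.example -all",
    "loop2.example": "v=spf1 include:loop.example -all",
    "tight.example": "v=spf1 ip4:192.0.2.0/24 -all",
}
# Mechanisms whose evaluation costs at least one DNS query each.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10  # assumption: the per-check lookup ceiling from RFC 4408


def count_lookups(domain, zone=ZONE, path=()):
    """Worst-case number of DNS queries needed to evaluate the SPF record of
    `domain`, i.e. the cost paid when no mechanism matches, which is exactly
    the forged-mail case. Returns (count, warnings)."""
    if domain in path:
        return 0, [f"include/redirect loop: {' -> '.join(path + (domain,))}"]
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"no SPF record at {domain} (permerror for the include)"]
    total, warnings = 0, []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # drop the qualifier
        if term.startswith("redirect="):
            sub, w = count_lookups(term.split("=", 1)[1], zone, path + (domain,))
            total += 1 + sub
            warnings += w
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]           # strip a/24-style prefix lengths
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                sub, w = count_lookups(arg, zone, path + (domain,))
                total += sub
                warnings += w
    # mx and ptr also trigger A/PTR lookups per returned name; not counted here.
    return total, warnings


def audit(domain, zone=ZONE):
    n, warnings = count_lookups(domain, zone)
    return {"domain": domain, "lookups": n, "over_limit": n > LIMIT, "warnings": warnings}


if __name__ == "__main__":
    for name in ("tight.example", "bigcorp.example", "loop.example"):
        print(audit(name))
```

Because an include is re-evaluated each time it is reached, the same third-party record counted twice in bigcorp.example is charged twice, which is how a modest-looking record reaches 18 queries.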




Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Jakma
On Wed, 8 Sep 2004, David Cantrell wrote:

> You forget, SPF doesn't just tell you who is authorised to speak on
> behalf of foobar.com, it also tells you who is *not* authorised.

That is sort of implied, yes.

> If you get mail coming in from - eg - randomgibberish.comcast.net
> claiming to be from foobar.com, then you know that it's dodgy
> unless foobar.com's SPF record says that that cable modem address
> is authorised.

Except that, SPF records are as easy to setup for a spammer, as for
you and I. If the above is a spammer, then SPF for foobar.com will
list randomgibberish.comcast.net as an authorised sender.

SPF will absolutely not have any effect on spam.

And I say this merely as a disciple of Vixie - he thought of a form
of SPF /years/ ago, and he knew /years/ ago it wouldn't do anything
for Spam. The only difference between Vixie's MAIL-FROM MX records
and SPF is the snake-oil: Vixie was honest in his claims for what it
could do, the hype around SPF is not.

regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
Reformatting Page. Wait...


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread vijay gill

On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
>
> Except that, SPF records are as easy to setup for a spammer, as for
> you and I. If the above is a spammer, then SPF for foobar.com will
> list randomgibberish.comcast.net as an authorised sender.
>
> SPF will absolutely not have any effect on spam.

But if instead of foobar.com, it is vix.com or citibank.com, then their
SPF records will not point at randomgibberish.comcast.net as an
authorized sender. That means that if I do get a mail purporting to be
from citi from randomgibberish, I can junk it without hesitation.

/vijay


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Jakma
On Wed, 8 Sep 2004, vijay gill wrote:

> But if instead of foobar.com, it is vix.com or citibank.com, then
> their SPF records will not point at randomgibberish.comcast.net as
> an authorized sender. That means that if I do get a mail purporting
> to be from citi from randomgibberish, I can junk it without
> hesitation.

Yes, all we need for SPF to work is for spammers to play along and
cooperate, and we'll be able to filter out the spam they send.

Earth calling... ;)

> /vijay
regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
The Constitution may not be perfect, but it's a lot better than what we've got!


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Jakma
On Wed, 8 Sep 2004, Florian Weimer wrote:

> If there's significant deployment on the MTA side, it might
> mitigate the impact of delayed bounces for those who post
> authoritative SPF records.

No offence, but did you read my reply to Paul Vixie?

Delayed bounces, and any other NULL return path bot-mail, can be
taken care of with SRS.

> care about responsible Internet Mail handling.  Therefore, it's
> unlikely that we'll see significant deployment of a technology that
> is as controversial as SPF.

Good thing too.
regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
You will be surprised by a loud noise.


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Dan Mahoney, System Admin
On Wed, 8 Sep 2004, vijay gill wrote:

> And randomgibberish.comcast.net will still be in all the dynamic
> blacklists.

I'm subscribed to both the SpamAssassin list, and this one.
This is getting seriously off-topic.
If you like SPF, embrace it.  If not, don't.
This may very well be one of the things that time will tell on, much like 
open relays, which were considered harmless, or things like telnet, which 
used to be a complete standard, and now, my *remote reboot* units come SSH 
capable.  Spamassassin and other spam control technologies are choosing 
to.  It's ONE PIECE of a very large solution.  It's a solution to domain 
forging, not to spam.  (nothing in this paragraph is anything new to this 
list in the past week).

Can we please get on with our lives?
Thanks
-Dan Mahoney
> On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
> > Except that, SPF records are as easy to setup for a spammer, as for
> > you and I. If the above is a spammer, then SPF for foobar.com will
> > list randomgibberish.comcast.net as an authorised sender.
> > SPF will absolutely not have any effect on spam.
> But if instead of foobar.com, it is vix.com or citibank.com, then their
> SPF records will not point at randomgibberish.comcast.net as an
> authorized sender. That means that if I do get a mail purporting to be
> from citi from randomgibberish, I can junk it without hesitation.
> /vijay
--
It's three o'clock in the morning.  It's too late for 'oops'.  After
Locate Updates, don't even go there.
-Paul Baecker
 January 3, 2k
 Indeed, sometime after 3AM
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread vijay gill

On Wed, Sep 08, 2004 at 12:14:54PM +0100, Paul Jakma wrote:
> On Wed, 8 Sep 2004, vijay gill wrote:
>
> > But if instead of foobar.com, it is vix.com or citibank.com, then
> > their SPF records will not point at randomgibberish.comcast.net as
> > an authorized sender. That means that if I do get a mail purporting
> > to be from citi from randomgibberish, I can junk it without
> > hesitation.
>
> Yes, all we need for SPF to work is for spammers to play along and
> cooperate, and we'll be able to filter out the spam they send.
>
> Earth calling... ;)

I'm probably going into an argument with a net.kook but just to be sure,
let me clarify this: How do you think spammers will be able to subvert
citibank.com to have random.cablemodem.net as a permitted sender?

I've never believed spf was the ultimate solution, just that it allows me to
better filter some of the joe-bobs.

/vijay - falling yet again into another argument which is probably more
annoying than a thorned thong.


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Rich Kulawiec

On Mon, Sep 06, 2004 at 07:19:01PM -0400, Mark Jeftovic wrote:
> I'm not sure the people behind this concept (SPF, RMX, et al) ever
> intended it to be the FUSSP, but a lot of the ensuing enthusiasm
> built it up to that.

Consider that the people behind SPF made this statement (upon
introducing it):

"Spam as a technical problem is solved by SPF."

If, therefore, there is an overabundance of enthusiasm for that concept,
then it seems to be very clear where full responsibility for that rests.

> I've *never* viewed SPF as an antispam methodology, but considered
> it an inevitable utility of the DNS system. Other methods are
> evolving to deal with spam, don't confuse them with what SPF is,
> which is essentially an authentication/identification framework
> that has the ability to mitigate one of the more popularly used
> spam obfuscation techniques.

I'll agree with you that it may mitigate one of the more popularly
used spammer obfuscation techniques, but that particular technique is
a minor problem (considering spam/abuse as a whole) and not all that
worth solving -- since *other* spammer obfuscation techniques which
SPF (and DomainKeys and SenderID et.al.) don't address are already
available and being used.  (Why aren't they used more?  Spammers haven't
needed to.  But if pressed, they will.  Rapidly.)

The bigger problem isn't the spammer obfuscation technique: it's the
backscatter from all the mail systems which bounce instead of reject.
Bouncing was not all *that* unreasonable until we started to operate in an
environment with massive SMTP forgery (from spam/viruses/etc.) -- several
years ago.  It's now much more desirable to reject whenever possible,
saving everyone bandwidth/cycles/grief.  I don't think I like the idea
of wallpapering over this problem with SPF/DomainKeys/etc.: I think I'd
rather see those mail systems fixed to deal with the environment they
find themselves in.

[ Especially because the other spammer obfuscation techniques
I referred to are available, and will be used if and when SPF
or DomainKeys or any of these are widely deployed.  Thus, mail
systems will *still* inhabit an environment of massive forgery
and should be prepared to deal with it as best they can...where
I think one approach to that is "don't make it any worse". ]

Yeah, that may be a lot of work to complete -- although there are a
myriad of simple techniques available to at least mitigate it, if not
eliminate it entirely, and any relief would be welcome.

> That spammers are publishing SPF records is in no way indicative
> of an inherent flaw in SPF's objectives or a failure in its
> implementation, in fact, I welcome spammers who publish SPF
> data detailing the originating points of their email. If
> more known spam domains did this, a handy DNSBL could be
> constructed out of such data (with a few caveats of course,
> it would also potentially open the door to a type of DoS attack).

RHSBLs (i.e. DNSBLs which list domain names instead of IP addresses, thus
Right-Hand-Side BL's) have already been built.  See www.surbl.org and
www.ahbl.org, for example.

But this tactic doesn't work -- as an anti-spam technique -- as well
as we might hope, for three reasons:

1. Spammers have an [effectively] infinite supply of domains.

This won't change because spammers who burn through domains rapidly
(and thus need to purchase more) are some of the registrars' best customers.
They're also early adopters of obfuscated registration, so much so that
it's becoming increasingly likely that any domain thus registered is
declaring intent to abuse. [1]

2. Spammers control a large -- as in tens of millions -- number
of zombies. [2]

This won't change because none of the three entities who could do anything
about it (the zombies' former owners, consumer broadband ISPs, Microsoft)
are willing to step up, admit there's a problem, and do whatever it takes
to fix it.

3. Mail from a forged sender is operationally indistinguishable
from mail from an unforged but unknown sender. [3]

This won't change either.  And because of #1, spammers have an essentially
infinite number of domains to do it with, and because of #2, they have a
large number of systems to do it from.

And as a result, a *lot* of things that we could try, not just
SPF/DomainKeys/et.al., just won't work.  (Example?  Oh, take the various
hashcash ideas that have been floated: getting into a computing cycle
contest with spammers is a guaranteed loss.)

---Rsk

[1] For example, one group of pirate-software spammers appears to be
burning through domains at the rate of one every 24-48 hours, and has
been doing this for months.

[2]  It's hard to know how many systems are zombies, but tens of millions
is probably the right order of magnitude.  I did a back-of-the-envelope
calculation a few months and came up with 10 to 20 million; Carl Hutzler
(of AOL Policy Enforcement) provided an estimate of 50-100 

Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Michael . Dillon

> For the second one: no.  Because knowing that sender is unforged/real
> doesn't, in and of itself, do you any good *with respect to stopping spam*.
> You ALSO need a way to know that 56trf5.com is a spam source domain.

I see that 56trf5.com is a real domain. Does this mean that
the domain name registries and DNS are now being polluted
with piles of garbage entries in the same way that Google
searches have been polluted with tons of pages full of
nothing but search keywords and ads?

--Michael Dillon


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Jakma
On Wed, 8 Sep 2004, David Cantrell wrote:

> Sure.  But then, SPF is not meant to prevent all spam.

s/all//

> It would (if widely deployed) have a very wide effect on spam with
> forged senders though, and the consequent bounces to innocent third
> parties.

I agree bounce reduction would be a good thing. But, I'm sure I've
mentioned it already, *SRS achieves same thing* without breakage.

To put it as an analogy (seems the done thing), I can use a plank of
wood (SPF) to bang nails into a wall, but given the existence of
hammer (SRS), the plank doesn't cut it ;)

(and handing out planks so other people can make shelves isn't
interesting).

> The hype does not come from the people working on SPF, but from
> clueless hangers-on who apparently can't read.

Possible ;)

Anyway, enough. The topic is indeed OT, and i'm just a net.kook.
regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
Publishing a volume of verse is like dropping a rose petal down the
Grand Canyon and waiting for the echo.


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Richard Cox

On Wed, 8 Sep 2004 13:52:59 +0100 [EMAIL PROTECTED] asked:

> I see that 56trf5.com is a real domain. Does this mean that the domain
> name registries and DNS are now being polluted with piles of garbage
> entries in the same way that Google searches have been polluted with
> tons of pages full of nothing but search keywords and ads?

Yes.  Hadn't you noticed?

Statistically speaking there are now more domains with fake contact
records than there are with genuine contact records, and certain
registrars have been allowing new domains to be registered using
contact addresses that have previously been proved to be bogus.

-- 
Richard Cox



Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Vixie

> True, but bounces, and anything else with NULL return path, can be taken
> care of with SRS.

SRS is probably a higher pairwise deployment barrier than SPF.  but in any
case you should take this argument to the IETF MARID WG, since getting
agreement on nanog@ (assuming it's possible) won't stop the SPF steamroller.

> See:
>
>   http://www.libsrs2.org/
>   http://www.libsrs2.org/srs/srs.pdf
>   http://asarian-host.net/srs/sendmailsrs.htm
>
> And be happy, and realise SPF is worthless ;)

SRS looks like a better technical solution than SPF, but it's less deployable.
for one thing, There Can Be Only One SRS-like thing.  there are already many
SPF-like things, each with its own adherent-base, and there will be many more.

> Is it really worth it for every domain owner on the planet (including
> spammers!) to implement SPF records in DNS, and the resulting forwarding
> breakage, simply to provide some fairly intangible dilution protection
> for, primarily, the very small subset of widely-known domains out there?

no.  it's the same kind of cost/benefit asymmetry as spam, where everybody
has to pay a higher cost but only a few get a significant benefit from it.

however, beta was better than vhs, too.  and tully's is way Way better than
starbucks.  being better isn't as relevant as having better marketing.  with
microsoft backing SPF++ (is it sender-id now?), SPF will be widely deployed
and the costs and benefits be damned.

> > ...  i'm glad that companies bigger and richer than i am find it in
> > their own selfish best interests to push something like SPF -- that
> > means it'll happen.  ...
>
> Well that depends. At the moment it looks like the clients will
> implement a standard that most of the servers will not!

i've begun to hear privacy related concerns, as well.  even with jim miller's
MAIL-FROM proposal, there's a way to look at the DNS query stream and find
out what servers are presently being spammed using your domain name as the
source.  this is an information leak but i'm willing to live with it.  many
MTA operators will not be willing to live with this.  (maybe some large ones.)

> > it's useful, just not for the advertised reasons, or a universal reason.
>
> Ah, absolutely yes.

so, i'll take your "SPF is worthless!" statement under advisement.


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Vixie

[EMAIL PROTECTED] (vijay gill) writes:

> ...  That means that if I do get a mail purporting to be from citi from
> randomgibberish, I can junk it without hesitation.

agreed, that is what it means.

however, and this is the important part so everybody please pay attention,
if you can junk something without hesitation, then spammers will stop
sending that kind of something.  they make their money on clickthroughs,
final sales, and referrals, which translates to one thing and one thing
only: volume.  if the way to keep their volume up means put SPF metadata
in for the domains they use or even just stop forging mail from domains
that have SPF metadata then that is exactly what they will do.  guaranteed.

there's a bet here.  you could bet that by closing off this avenue, SPF will
force spammers to use other methods that are more easily detected/filtered,
and that if you play this cat & mouse game long enough, it will drive the cost
of spam so high (or drive the volume benefit so low) that it'll just die out.

i lost that bet during my MAPS years.  your mileage may vary, but to me, SPF
is just a way to rearrange the deck chairs on the Titanic.  we won't have
decent interpersonal batch digital communications again before whitelists;
everything we do in the mean time is just a way to prove that to the public
so they'll be willing to live with the high cost of fully distributing trust.
-- 
Paul Vixie


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Stephen J. Wilcox

On Wed, 8 Sep 2004, Paul Jakma wrote:

> Yes, all we need for SPF to work is for spammers to play along and
> cooperate, and we'll be able to filter out the spam they send.

doesn't matter if they do, the point is this provides a type of whitelisting for
major domains that are being abused e.g. phishing, and scales down so you can even
flag up fakes for minor domains

just another weapon in the arsenal and what i like is that it's very low overhead
unlike some techniques, and is also managed by the domain admin

Steve



Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Douglas Otis

On Wed, 2004-09-08 at 09:59, Paul Vixie wrote:
> [EMAIL PROTECTED] (vijay gill) writes:
>
> > ...  That means that if I do get a mail purporting to be from citi from
> > randomgibberish, I can junk it without hesitation.
>
> agreed, that is what it means.
>
> however, and this is the important part so everybody please pay attention,
> if you can junk something without hesitation, then spammers will stop
> sending that kind of something.  they make their money on clickthroughs,
> final sales, and referrals, which translates to one thing and one thing
> only: volume.  if the way to keep their volume up means put SPF metadata
> in for the domains they use or even just stop forging mail from domains
> that have SPF metadata then that is exactly what they will do.  guaranteed.
>
> there's a bet here.  you could bet that by closing off this avenue, SPF will
> force spammers to use other methods that are more easily detected/filtered,
> and that if you play this cat & mouse game long enough, it will drive the cost
> of spam so high (or drive the volume benefit so low) that it'll just die out.
>
> i lost that bet during my MAPS years.  your mileage may vary, but to me, SPF
> is just a way to rearrange the deck chairs on the Titanic.  we won't have
> decent interpersonal batch digital communications again before whitelists;
> everything we do in the mean time is just a way to prove that to the public
> so they'll be willing to live with the high cost of fully distributing trust.

The first step along this path is to ensure a means of obtaining a name
that can be used to establish a history of use.  Neither SPF or
Sender-ID provides a domain name without making unverifiable assumptions
of the mail channel integrity.  The CSV proposal, now in the MARID
group, provides a means of obtaining both an authenticated and
authorized name useful for establishing a history without the high
overhead associated with tracking addresses.

SPF and Sender-ID expect the recipient to expend perhaps hundreds of DNS
queries and execute complex macros that are seemingly designed to hide
the scope of the outbound SMTP addresses, where a single wildcard record
and random sub-domains will devour the recipient's resolver.  

Neither Sender-ID nor SPF stop the citibank.com spoofing, as the last
header checked is the RFC2822 From.  Spoofers only need to employ a few
simple tricks, and the phishing continues, but now with a receiving MTA
burning more than twice the network and iron.  Sender-ID seems to be a
means of injecting Microsoft IPR and to place a foot in the door to
allow never-ending feature creep and DNS bloat.

-Doug

  



Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Robert Bonomi

 From [EMAIL PROTECTED]  Wed Sep  8 12:05:02 2004
 To: [EMAIL PROTECTED]
 Subject: Re: Spammers Skirt IP Authentication Attempts
 From: Paul Vixie [EMAIL PROTECTED]
 Date: 08 Sep 2004 16:59:51 +


 [EMAIL PROTECTED] (vijay gill) writes:

  ...  That means that if I do get a mail purporting to be from citi from
  randomgibberish, I can junk it without hesitation.

 agreed, that is what it means.

 however, and this is the important part so everybody please pay attention,
 if you can junk something without hesitation, then spammers will stop
 sending that kind of something.  they make their money on clickthroughs,
 final sales, and referrals, which translates to one thing and one thing
 only: volume.  if the way to keep their volume up means put SPF metadata
 in for the domains they use or even just stop forging mail from domains
 that have SPF metadata then that is exactly what they will do.  guaranteed.

 there's a bet here.  you could bet that by closing off this avenue, SPF will
 force spammers to use other methods that are more easily detected/filtered,
 and that if you play this cat & mouse game long enough, it will drive the cost
 of spam so high (or drive the volume benefit so low) that it'll just die out.


I, for one, don't think that SPF is a FUSSP (tm vernon), or anything close to
it.

I _do_ think that it is _a_step_ 'in the right direction'. I'd *love* to
see SPF-type data returned on rDNS queries -- that would practically put 
the zombie spam-sending machines out of business.

SPF _can_ serve a 'useful function' in spam-fighting. As follows:

   An SPF verification query returns one of three kinds of result:
 1) MISMATCH on point-of-origin vs domain 'authorized' senders.  *VERY*
probably spam.  Need a white-list check of the specific sender e-mail,
and if that fails, an SMTP-session rejection is indicated.
 2) MATCH on point-of-origin for domain vs domain 'authorized' senders.
'reliable' data-point that the domain owner 'authorized' the use
of the domain-name.  Now it makes sense to query an _internally_
_maintained_ database of 'familiar to me' domains, to see what types
of prior mail from this domain have been seen.   This is a much
simpler, quicker, less CPU-intensive test than the 'full' set of
spam checks.  Match on 'known spammer' domain causes immediate 
SMTP-time rejection; match on 'known NON-ISP, non-spammer' domain 
and one is quite 'safe' in accepting the message without further
checks.  Messages from 'unfamiliar' domains, and/or 'ISP' domains,
get the full spam-check treatment.
 3) NO DATA.  In this scenario, doing the full set of spam checks, is
unavoidable.  Unless you reject traffic based on the lack of SPF
data; which is a non-starter strategy, until such time as SPF is 
near-universally deployed.

If _nobody_ published SPF data, then the situation degenerates into case 3),
as a worst-case scenario. This is no worse than the situation _without_ SPF
checking.  (For the nit-pickers, yes, it is a _little_ worse, by the overhead
of the 100% no-constructive-data SPF queries.)

If a 'non trivial' share of the incoming message traffic falls into case 1)
and/or case 2), then the use of SPF is a net 'win' for the recipient.

*IF* the time comes when SPF deployment is near-universal, then case 3) drops
out of the picture.  _IN_THAT_CASE_, spammers pretty much _have_ to publish
SPF data for their outgoing mail sources, to have any 'hope' of delivery.
Whereupon, either they're sending from 'known spammer' domains, or the
'unfamiliar domain' handling kicks in.

It ain't the (or even 'a') FUSSP, but it is a _big_ win for places that handle
large volumes of e-mail.  For those big shops, it doesn't take long for a
spammer domain to get out of the 'unrecognized' category, and into the 'known
spammer' class.  Whereupon, one SPF check, plus one internal database dip, and
they can dump the mail as from 'known spammers'.  The savings in system
resources, by using such an approach on several _billion_ pieces of mail per
day is definitely non-trivial.

It takes a while for wide-spread acceptance/implementation, but when that
state of affairs _is_ achieved, large-scale spammers have a serious problem:
  Messages claiming to be from sources lacking SPF validation get rejected.
  Messages with SPF-mismatch get bit-bucketed.
  Messages with SPF-validation from identified spammer domains get bit-bucketed

What's an _honest_ spammer to do? muffled snicker
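The three-case handling laid out in the post above, written out as an added example (not code from the thread). DNS is replaced by an in-memory table of constructed SPF records, and only the ip4/ip6 and "all" mechanisms are evaluated; the history database and per-address whitelist are constructed too.

```python
# Added example: the MISMATCH / MATCH / NO DATA policy described in the post.
# Not code from the thread. a/mx/include/exists mechanisms and macros are out
# of scope; DNS is replaced by the constructed SPF_RECORDS table below.
import ipaddress

# Constructed stand-in for the DNS TXT lookup: domain -> SPF record.
SPF_RECORDS = {
    "bank.example":    "v=spf1 ip4:192.0.2.0/24 -all",
    "isp.example":     "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "spammer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Constructed "familiar to me" history database (case 2).
DOMAIN_HISTORY = {
    "bank.example":    "known-non-isp-non-spammer",
    "isp.example":     "isp",
    "spammer.example": "known-spammer",
}

# Constructed whitelist of specific sender addresses, consulted on a mismatch (case 1).
SENDER_WHITELIST = {"alerts@bank.example"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the domain's SPF record against the connecting client address.

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' (no record published).
    """
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # A network of the other address family never contains the address.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
    # No mechanism matched and no "all" term: neutral.
    return "neutral"


def smtp_policy(domain, client_ip, sender):
    """Apply the post's three cases to one SMTP transaction and return the action.

    Case 1 (MISMATCH): 'fail' -> per-address whitelist, else SMTP-time reject.
    Case 2 (MATCH):    'pass' -> consult the internal domain history.
    Case 3 (NO DATA):  none/neutral/softfail -> the full set of spam checks.
    """
    result = spf_check(domain, client_ip)
    if result == "fail":
        if sender.lower() in SENDER_WHITELIST:
            return "accept-whitelisted"
        return "reject-smtp"
    if result == "pass":
        history = DOMAIN_HISTORY.get(domain.lower(), "unfamiliar")
        if history == "known-spammer":
            return "reject-smtp"
        if history == "known-non-isp-non-spammer":
            return "accept"
        return "full-spam-checks"      # unfamiliar or ISP domain
    return "full-spam-checks"


if __name__ == "__main__":
    for dom, ip, snd in [
        ("bank.example", "192.0.2.10", "alerts@bank.example"),
        ("bank.example", "203.0.113.5", "someone@bank.example"),
        ("bank.example", "203.0.113.5", "alerts@bank.example"),
        ("spammer.example", "203.0.113.7", "deals@spammer.example"),
        ("isp.example", "2001:db8::1", "user@isp.example"),
        ("nospf.example", "192.0.2.1", "user@nospf.example"),
    ]:
        print(f"{snd:24} from {ip:14} -> {spf_check(dom, ip):8} -> {smtp_policy(dom, ip, snd)}")
```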




Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Suresh Ramasubramanian
[EMAIL PROTECTED] wrote:
I see that 56trf5.com is a real domain. Does this mean that
the domain name registries and DNS are now being polluted
with piles of garbage entries in the same way that Google
searches have been polluted with tons of pages full of
nothing but search keywords and ads?
Yes - and there's a list of such domains that we track published as the 
ob.surbl.org zonefile (http://www.surbl.org for details)

	srs


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Ricardo \Rick\ Gonzalez

Dan:

SPF, SpamAssassin, and other measures are all steps in the right
direction in making spam less of a problem than it is today.  I
applaud you for taking part in their respective forums.

What you fail to realize is that spam is a problem best stopped within
your domain of control.  According to Google, it appears as though you
have a problem with terminating spamming customers, in accordance
with your own AUP:

http://groups.google.com/groups?q=ezzi+spam&hl=en&lr=&ie=UTF-8&sa=N&scoring=d

What I found more alarming were the double standards set forth by
this post:

http://groups.google.com/groups?q=&hl=en&lr=&ie=UTF-8&selm=5a29bb5.0202260613.3addb4ce%40posting.google.com&rnum=2

I'm sorry, but you aren't entitled to anything.  If you'd like to be
removed from the DNSBL's, you need to remove your offending customers.
 You can't just say these customers are spammers, block them, don't
block anyone else and keep collecting a check from them at the end of
the month.

A los tontos no les dura el dinero.

---Ricardo

On Wed, 8 Sep 2004 07:46:30 -0400 (EDT), Dan Mahoney, System Admin
[EMAIL PROTECTED] wrote:
 
 On Wed, 8 Sep 2004, vijay gill wrote:
 
 And randomgibberish.comcast.net will still be in all the dynamic
 blacklists.
 
 I'm subscribed to both the SpamAssassin list, and this one.
 
 This is getting seriously off-topic.
 
 If you like SPF, embrace it.  If not, don't.
 
 This may very well be one of the things that time will tell on, much like
 open relays, which were considered harmless, or things like telnet, which
 used to be a complete standard, and now, my *remote reboot* units come SSH
 capable.  Spamassassin and other spam control technologies are choosing
 to.  It's ONE PIECE of a very large solution.  It's a solution to domain
 forging, not to spam.  (nothing in this paragraph is anything new to this
 list in the past week).
 
 Can we please get on with our lives?
 
 Thanks
 
 -Dan Mahoney
 
 
 
 
  On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
 
  Except that, SPF records are as easy to setup for a spammer, as for
  you and I. If the above is a spammer, then SPF for foobar.com will
  list randomgibberish.comcast.net as an authorised sender.
 
  SPF will absolutely not have any effect on spam.
 
  But if instead of foobar.com, it is vix.com or citibank.com, then their
  SPF records will not point at randomgibberish.comcast.net as an
  authorized sender. That means that if I do get a mail purporting to be
  from citi from randomgibberish, I can junk it without hesitation.
 
  /vijay
 
 
 --
 
 It's three o'clock in the morning.  It's too late for 'oops'.  After
 Locate Updates, don't even go there.
 
 -Paul Baecker
   January 3, 2k
   Indeed, sometime after 3AM
 
 
 
 Dan Mahoney
 Techie,  Sysadmin,  WebGeek
 Gushi on efnet/undernet IRC
 ICQ: 13735144   AIM: LarpGM
 Site:  http://www.gushi.org
 ---
 



Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Dan Mahoney, System Admin
On Wed, 8 Sep 2004, Ricardo Rick Gonzalez wrote:
Ricardo,
I *do* stop spam within my domain of control.  I terminate spammers as I 
find them.  In the event a customer appears spammish in his entirety, I 
kill them.  In the event spam originates from a single ip, or a single 
customer-hosted domain name, I give the customer the chance to clean up 
the mess and get it off our network.  Bonus points are of course added if 
the customer is willing to prove their innocence by pointing the domain 
somewhere bad (like 127.0.0.1), instead of moving it off to be a landing 
site elsewhere.

There *are* of course instances where machines are compromised, or 
clueless people install old versions of formmail (which is continually 
compromised in new ways), and I get those abuse reports as well, and tend 
to them as well.

On occasion it's taken longer than necessary to kill spammers for a couple 
of interesting legal reasons I'm not at liberty to discuss in this forum, 
but I keep us clean enough that we're not on any of the major blacklists.

All this, however, is secondary to my real reason for even replying to 
your mail at all.

I'd like to applaud you personally for taking a list that I'm posting to 
with my personal email address, and dragging my job into it (there's a 
separation, there).  It shows a level of maturity I'd reserve for the 
frag-server customers we host.

This topic is still getting older, further off topic, and further and 
further away from the spirit of the list.

-Dan Mahoney

--
...Somebody fed you sugar.  Shit!
--Tracy, after noticing Gatorade on my desk.
Ezzi Computers, October 18th 2003
Approx 11PM
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Paul Vixie

  I see that 56trf5.com is a real domain. Does this mean that the domain
  name registries and DNS are now being polluted with piles of garbage
  entries in the same way that Google searches have been polluted with
  tons of pages full of nothing but search keywords and ads?
  
 
 Yes - and there's a list of such domains that we track published as the
 ob.surbl.org zonefile (http://www.surbl.org for details)

the way i can prove that this methodology is only employed by a minority
of very-smart MTA operators is: that it's effective.  if it were widely
used, such that it affected global spam volume and thus spammer revenue,
then the spammers would switch to different tricks.

MAPS RBL was intended to be immune to this reflexive failure mode because
it targetted address space, which was a scarcer commodity than domain names.

i recommend against deployment of anti-spam methodologies whose only
guaranteed effect is to force spammers to have to be smarter.  (they will!)
-- 
Paul Vixie


Re: Spammers Skirt IP Authentication Attempts

2004-09-08 Thread Susan Harris

Folks, let's stop this thread.  We've veered away from the operational
towards ... well, it's hard to define.  Anti-social?



Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread Paul Jakma
On Mon, 6 Sep 2004, Tom (UnitedLayer) wrote:
I think SPF is an important step in getting rid of people 
pretending to be someone else. If you have SPF records, and they 
match the mail, chances are you are who you say you are.
Not really. For that you need X.509 or PGP and web-of-trust.
Also, SPF doesn't tell you whether it is spam. Indeed, apparently the 
majority of SPF-valid email at the moment is spam!

Finding out who you are behind domain records/etc, that's a 
different story...
SPF is worthless.
Joe-job protection can be done in far better ways, e.g. SRS.
regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
Zombie processes haunting the computer


Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread Stephane Bortzmeyer

On Tue, Sep 07, 2004 at 11:32:11AM +0100,
 Paul Jakma [EMAIL PROTECTED] wrote 
 a message of 24 lines which said:

 Also, SPF doesn't tell you whether it is spam.

Of course. It never pretended to do so.

 Indeed, apparently majority of SPF-valid email at moment is spam!

No. Where did you find the figures? 



Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread Paul Jakma
On Tue, 7 Sep 2004, Stephane Bortzmeyer wrote:
Also, SPF doesn't tell you whether it is spam.
Of course. It never pretended to do so.
Right, but a lot of people seem to be under the mistaken impression 
it will have some effect on spam.

No. Where did you find the figures?
http://www.techworld.com/security/news/index.cfm?NewsID=2154
regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
A healthy male adult bore consumes each year one and a half times his own
weight in other people's patience.
-- John Updike


Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread J.D. Falk

On 09/07/04, Paul Jakma [EMAIL PROTECTED] wrote: 

 On Tue, 7 Sep 2004, Stephane Bortzmeyer wrote:
 
 Also, SPF doesn't tell you whether it is spam.
 
 Of course. It never pretended to do so.
 
 Right, but a lot of people seem to be under the mistaken impression 
 it will have some effect on spam.

And every time those people speak up, someone who knows better
corrects them.  Thus is wisdom gained.

-- 
J.D. Falk...one of the worst signs of our danger
[EMAIL PROTECTED]   is we can't imagine the route
  from here to utopia.
-- Kim Stanley Robinson


Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread Paul Vixie

[EMAIL PROTECTED] (Paul Jakma) writes:

 SPF is worthless.

i don't agree.  i think it's overengineered and that a simpler solution like
the one at http://sa.vix.com/~vixie/mailfrom.txt should have been deployed
years ago, but i don't think SPF, or things like SPF, are at all worthless.

every time someone forges one of my domains or e-mail addresses as a spam
source, i get all kinds of bot-mail telling me that what the spammer tried
to do didn't work.  quite a lot of challenge/response nonsense.  quite a few
majordomo/etc listbot error messages.  a whole pile of mailer-daemon@ errors.

the right way to resolve this would be to make all errors synchronous to the
smtp session where they occur.  but this would prevent secondary-mx, or any
kind of asynchronous mail forwarding.  so, mail that requires a robotic reply
has to cause a new envelope to hold this reply, and if the source was forged,
then some innocent bystander is going to get that reply.

if all mailbots learned to speak something like SPF, and my domains all
advertise the nec'y metadata to enable something like SPF, then i would find
it far easier to filter the remaining drivel in my inbox, which would just
be spam and e-mail (listed in order by volume) -- no more mailbot responses
to messages i never sent.

the economic benefit that will actually cause something like SPF to come into
wide use is different yet again -- it's not to make it easier to filter the
remainder, and it's not to stop spam.  it's to protect trademarks owned by
large e-mail providers (@hotmail.com being one, @yahoo.com being another)
from dilution.  everything that happens on the internet these days happens
for economics-related reasons.  i'm glad that companies bigger and richer
than i am find it in their own selfish best interests to push something like
SPF -- that means it'll happen.  that my own reasons differ from theirs is
immaterial.  that they have to mismarket it as a spamstopper to get corporate
and investor support for it is also immaterial.  the fact is, it's coming --
and it's useful, just not for the advertised reasons, or a universal reason.
-- 
Paul Vixie


Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread Paul Jakma
On Tue, 7 Sep 2004, Paul Vixie wrote:
i don't agree.  i think it's overengineered and that a simpler 
solution like the one at http://sa.vix.com/~vixie/mailfrom.txt
oh, hear hear.
Then there's Sender-ID. Bulky XML in DNS, sigh.
should have been deployed years ago, but i don't think SPF, or 
things like SPF, are at all worthless.

every time someone forges one of my domains or e-mail addresses as 
a spam source, i get all kinds of bot-mail telling me that what the 
spammer tried to do didn't work.  quite a lot of challenge/response 
nonsense.  quite a few majordomo/etc listbot error messages.  a 
whole pile of mailer-daemon@ errors.
True, but bounces, and anything else with NULL return path, can be 
taken care of with SRS.

Bogus bounces are probably the most annoying non-spam email problem, 
and we do not need SPF to kill those. Hence, given a better solution 
to the only pressing problem we know SPF can solve, SPF is worthless.

For the other problems, well, SPF just isn't going to solve them. So 
SPF will tell you that client.acme.net is indeed allowed to send mail 
from foobar.com, but that describes only trust between 
foobar.com <-> client.acme.net. I am no wiser at all as to whether 
foobar.com is worthy enough to send me email. And given that there 
are *millions* of domains, and they can be registered by anyone 
within minutes, I'm unlikely *ever* to be able to make any use of the 
knowledge that foobar.com allows client.acme.net to send mail on 
their behalf to discriminate between genuine and spam email. (other 
than whitelisting clients i trust - but i don't need SPF for that).

Indeed, you've been saying this for years. ;)
(which is largely how i've come to my own opinion ;) )
if all mailbots learned to speak something like SPF, and my domains 
all advertise the nec'y metadata to enable something like SPF, then 
i would find it far easier to filter the remaining drivel in my 
inbox, which would just be spam and e-mail (listed in order by 
volume) -- no more mailbot responses to messages i never sent.
See:
http://www.libsrs2.org/
http://www.libsrs2.org/srs/srs.pdf
http://asarian-host.net/srs/sendmailsrs.htm
And be happy, and realise SPF is worthless ;)
the economic benefit that will actually cause something like SPF to 
come into wide use is different yet again -- it's not to make it 
easier to filter the remainder, and it's not to stop spam.  it's to 
protect trademarks owned by large e-mail providers (@hotmail.com 
being one, @yahoo.com being another) from dilution.
Ah, ok. Yes, I've read you making above argument before and, aye, 
it's a very fair point. But, is it enough of a reason? It seems like 
a fallback reason, for use when other answers to what actual real 
problems does SPF solve? are not forthcoming.

Is it really worth it for every domain owner on the planet (including 
spammers!) to implement SPF records in DNS, and the resulting 
forwarding breakage, simply to provide some fairly intangible 
dilution protection for, primarily, the very small subset of 
widely-known domains out there?

It would prevent joe-jobs, yes. But how bothersome are those, given 
that the bounces can be dealt with with the far less intrusive SRS?

everything that happens on the internet these days happens for 
economics-related reasons.  i'm glad that companies bigger and 
richer than i am find it in their own selfish best interests to 
push something like SPF -- that means it'll happen.  that my own 
reasons differ from theirs is immaterial.  that they have to 
mismarket it as a spamstopper to get corporate and investor support 
for it is also immaterial.  the fact is, it's coming -- and
Well that depends. At the moment it looks like the clients will 
implement a standard that most of the servers will not!

Also, I doubt I'll be implementing SPF myself. Indeed, to implement 
SPF I would have to list the MTAs of at least several irish ISPs, and 
probably more, as I have users who only receive email via my systems, 
but don't send it via systems.

yes yes, MSA.. but I don't even know most of these people except as 
usernames in a password file, they're mostly non-technical, and I 
don't intend to track them down one by one and go visit them to 
reconfigure their MUAs for them. And even if i did, no doubt they 
also have /other/ email addresses, eg one from their ISP, and many 
popular, particularly older versions of, MUAs have problems with 
allowing one to configure SMTP/MSA according to From address, sigh.

it's useful, just not for the advertised reasons, or a universal 
reason.
Ah, absolutely yes.
regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
It does not matter if you fall down as long as you pick up something
from the floor while you get up.


Re: Spammers Skirt IP Authentication Attempts

2004-09-07 Thread J.D. Falk

On 09/07/04, Paul Jakma [EMAIL PROTECTED] wrote: 

 Then there's Sender-ID. Bulky XML in DNS, sigh.

No, that was CallerID.  SenderID uses a format that looks and
smells almost exactly like SPF.

I only mention this to reduce the FUD.

-- 
J.D. Falk...one of the worst signs of our danger
[EMAIL PROTECTED]   is we can't imagine the route
  from here to utopia.
-- Kim Stanley Robinson


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Peter Corlett

Henry Linneweh [EMAIL PROTECTED] wrote:
 This is not a good beginning
 http://www.eweek.com/article2/0,1759,1642848,00.asp

It's a predictable response by the spammers. Did anybody really expect
the spammers to go "oh, well, that's it, we'd better shut up shop
now"?

I'm an advocate of SPF, but not because it's the magic bullet that
stops spam. It does however allow innocent domains to say "no, I
didn't send that" and thus avoid the double-bounced backwash from a
spammer forging their domain as the sender.

-- 
PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Stephane Bortzmeyer

On Mon, Sep 06, 2004 at 04:26:04AM -0700,
 Henry Linneweh [EMAIL PROTECTED] wrote 
 a message of 4 lines which said:

 This is not a good beginning
 
 http://www.eweek.com/article2/0,1759,1642848,00.asp

Bad paper. The CipherTrust story, which is mentioned, is very weak: it
contains several big mistakes (such as mentioning SenderID
records... which do not exist yet since the working group is in the
last call state) so I question its credibility.

Regarding the facts, testing on my spam mailbox, I can see SPF
records from spammers but it is very uncommon (there is no incentive
for them to publish SPF immediately, because few sites will test
them).

Otherwise, SPF is not anti-spam by itself. In the same way that
network security is not provided by a firewall alone, anti-spam
protection is not provided by SPF alone. SPF is an enabler: it allows
you to be more confident in the authenticity of the domain, giving
reputation systems (whitelists and blacklists) a better chance to
succeed.


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Will Yardley

On Mon, Sep 06, 2004 at 12:04:45PM +, Peter Corlett wrote:
 Henry Linneweh [EMAIL PROTECTED] wrote:

  This is not a good beginning
  http://www.eweek.com/article2/0,1759,1642848,00.asp
 
 I'm an advocate of SPF, but not because it's the magic bullet that
 stops spam. It does however allow innocent domains to say "no, I
 didn't send that" and thus avoid the double-bounced backwash from a
 spammer forging their domain as the sender.

It's also a step towards making domain-based whitelists / blacklists
more practical (and, as pointed out recently on spam-l, which might be a
more appropriate place for this discussion, makes more aggressive
filtering of non-whitelisted domains and domains without SPF records
more possible).

It should hopefully help with viruses that forge the sender-address and
should help reduce bouncebacks due to spam and viruses with forged
sender addresses. It can help make phishing scams more difficult to pull
off. It makes it easier for someone to say "this domain will NEVER send
any legitimate email traffic".

Will spammers register tons of new domains, setting up SPF for each?
Probably. Will they start spoofing other domains hosted by the same
provider? . Will they register look-alike domains? Will viruses get
smarter, and start sending themselves out via providers' SMTP servers?
Probably. But all of these cases are still an improvement over the
current situation, and help make life easier for existing email
filtering / processing tools.

I don't personally believe that [s]pam as a technical problem is solved
by SPF[1], but I do think it has the potential to reduce some existing
problems with email (some of which are related to spam). I'm cautiously
optimistic that it /may/ be a good thing.

Victor Duchovni made some interesting points about SPF on spam-l that
are worth checking out if you can access the archives.

Some excerpts (please edit attributions if you're quoting / replying to
this - I didn't write this):

 What everyone is forgetting is that the biggest proponents of SPF are
 large mailbox providers, and their real motivation is actually not so
 much deterring spam, but lowering the administrative cost of
 maintaining white-lists!
 
 White-listing IP addresses loses, because legitimate bulk mailers (and
 some no so legitimate ones, but that is not the point) who are
 whitelisted by the ISPs occasionally move their outbound relays to new
 address pools.  Also some providers host multiple sender domains, some
 that one wants to whitelist and some that one does not.

 [...]

 This does nothing to block spam, this merely decentralizes whitelist
 management. With more up-to-date (reliable?) whitelists, one can afford
 to spend more resources on aggressive filters of mail that is not
 white-listed, and not worry as much about false positives.

[1] http://www.interesting-people.org/archives/interesting-people/200401/msg00034.html

-- 
Since when is skepticism un-American?
Dissent's not treason but they talk like it's the same...
(Sleater-Kinney - Combat Rock)



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Paul Jakma
On Mon, 6 Sep 2004, Peter Corlett wrote:
I'm an advocate of SPF, but not because it's the magic bullet that 
stops spam. It does however allow innocent domains to say "no, I 
didn't send that" and thus avoid the double-bounced backwash from a 
spammer forging their domain as the sender.
Envelope cookie schemes on outbound email, like SRS, can achieve 
that, far better (*you* know whether the bounce is legit, rather than 
relying on the bouncer to do the checking) and without the collateral 
damage of SPF.

regards,
--
Paul Jakma  [EMAIL PROTECTED]   [EMAIL PROTECTED]   Key ID: 64A2FF6A
Fortune:
The American Dental Association announced today that most plaque tends
to form on teeth around 4:00 PM in the afternoon.
Film at 11:00.


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Edward B. Dreger

HL Date: Mon, 6 Sep 2004 04:26:04 -0700 (PDT)
HL From: Henry Linneweh

HL This is not a good beginning
HL
HL http://www.eweek.com/article2/0,1759,1642848,00.asp

Yawn.  "If the sender domain isn't forged, the mail isn't spam"
is incredibly stupid logic.  I suppose the next big news article
will be that spammers also prefer forging domains that lack SPF
records.  (Will miracles never cease?)


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Tom (UnitedLayer)

On Mon, 6 Sep 2004, Edward B. Dreger wrote:
 Yawn.  "If the sender domain isn't forged, the mail isn't spam"
 is incredibly stupid logic.

No Kidding!

 I suppose the next big news article will be that spammers also prefer
 forging domains that lack SPF records.  (Will miracles never cease?)

Amazing :)

I think SPF is an important step in getting rid of people pretending to be
someone else. If you have SPF records, and they match the mail, chances
are you are who you say you are. Finding out who you are behind domain
records/etc, thats a different story...



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Sean Donelan

Although SenderID (or whatever the final name is) is not completed yet,
SPF has been around for a while and some people have been using it.  But
who?  Do domains with SPF records have fewer phishing attacks?  Fewer
virus bounce-backs?  Fewer spam forgers?

According to the Anti-Phishing Working Group, these are the most phished
companies.  How many are using SPF? I checked the most obvious domain name
for the companies (.COM and their country variant e.g. .CO.UK)

Company Name     Has SPF TXT record

Citibank         NO
eBay             NO
US Bank          NO
Paypal           NO
Fleet            NO
LLoyds           NO
Barclays         NO
AOL              YES
Halifax          NO
Westpac          NO
FirstUSA         NO
VISA             NO
Earthlink        YES
e-gold           NO
Bank One         NO
Bendigo          NO
HSBC             NO
MBNA             NO
Suntrust         NO
Verizon          NO



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Dan Mahoney, System Admin
On Mon, 6 Sep 2004, Sean Donelan wrote:
Hrmmm, perhaps this hasn't been thought of yet, but this is a serious idea 
for things like spamassassin, or the like.  For this list of domains, a 
decent twofold effort could happen:

1) A decent push on the part of pobox.com (previously, their focus has 
been on protecting lots of senders, like AOL, or Earthlink), rather than 
commonly-forged-phishers, to get these folks on board.

2) A big old warning (possibly for these domains themselves to opt into) 
as a "we know we're high risk but we have an SPF record, please check it" 
RDNSL.

It could even be used in some cases with SpamAssassin to inject a link 
into the email for the location to report such forgeries.  (Such info 
could be kept in the RDNSL, for example).

Knowledge is Power.
-Dan
Although SenderID (or whatever the final name is) is not completed yet,
SPF has been around for a while and some people have been using it.  But
who?  Do domains with SPF records have fewer phishing attacks?  Fewer
virus bounce-backs?  Fewer spam forgers?
According to the Anti-Phishing Working Group, these are the most phished
companies.  How many are using SPF? I checked the most obvious domain name
for the companies (.COM and their country variant e.g. .CO.UK)
Company Name    Has SPF TXT record
Citibank        NO
eBay            NO
US Bank         NO
Paypal          NO
Fleet           NO
LLoyds          NO
Barclays        NO
AOL             YES
Halifax         NO
Westpac         NO
FirstUSA        NO
VISA            NO
Earthlink       YES
e-gold          NO
Bank One        NO
Bendigo         NO
HSBC            NO
MBNA            NO
Suntrust        NO
Verizon         NO
--
there is no loyalty in the business, so we stay away from things that piss people off
-The Boss, November 12, 2002
Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Niels Bakker

* [EMAIL PROTECTED] (Dan Mahoney, System Admin) [Mon 06 Sep 2004, 22:19 CEST]:
 Hrmmm, perhaps this hasn't been thought of yet, but this is a serious
 idea for things like spamassassin, or the like.  For this list of
 domains, a decent twofold effort could happen:
[snip]

No, SPF is not feasible for integration into SpamAssassin.  Some links:

   http://www.apache.org/foundation/docs/sender-id-position.html
   http://www.debian.org/News/2004/20040904
   http://www.imc.org/ietf-mxcomp/mail-archive/msg03884.html


 On Mon, 6 Sep 2004, Sean Donelan wrote:
 Company Name    Has SPF TXT record
 [..]
 Earthlink       YES

This tells a slightly different story regarding EarthLink's commitment
to adapting Sender ID, though:

   http://www.imc.org/ietf-mxcomp/mail-archive/msg04258.html


-- Niels.


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Peter Corlett

Niels Bakker [EMAIL PROTECTED] wrote:
[...]
 No, SPF is not feasible for integration into SpamAssassin.  Some links:
http://www.apache.org/foundation/docs/sender-id-position.html
http://www.debian.org/News/2004/20040904

Microsoft's encumbered Sender ID and SPF are not the same.

http://www.imc.org/ietf-mxcomp/mail-archive/msg03884.html

This URL confirms that Sender ID will not go into Exim, but there is
already SPF support.

-- 
 That will happen 2 weeks after pigs fly.
 I hear the government has funded a jet-pig initiative...
Well, that's one way for the politicians to justify more pork in the budget.
- Various in alt.folklore.computers


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Richard Welty

On Mon, 6 Sep 2004 22:55:07 +0200 Niels Bakker [EMAIL PROTECTED] wrote:
 This tells a slightly different story regarding EarthLink's commitment
 to adapting Sender ID, though:

http://www.imc.org/ietf-mxcomp/mail-archive/msg04258.html

as a general rule, you will find that the M$ license agreement for
Sender ID functions as a poison pill in the context of GPL, BSD,
and Apache style licensing. the restrictions on redistribution are
completely incompatible with traditional open source redistribution
policies.

i will be very curious to see what the IETF does or does not do
to resolve this issue.

richard
-- 
Richard Welty [EMAIL PROTECTED]
Averill Park Networking 518-573-7592
Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Paul Vixie

 This is not a good beginning
 
 http://www.eweek.com/article2/0,1759,1642848,00.asp

every time i see another Final and Ultimate Solution to the Spam Problem
(FUSSP, (tm) VJS) get some traction and then fall well short of its goals,
i've had the same emotion: well what the h--- did you think was going to
happen?
-- 
Paul Vixie


Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Edward B. Dreger

JB Date: Mon, 06 Sep 2004 13:42:22 -0600
JB From: Jawaid Bazyar

JB 1) Domains spammers own will quickly become blacklisted.
JB    Spammers will be forced to purchase register tons of
JB    domains in order to continue spamming. However their

Or use SPF-less domains.


JB 2) Pressure will quickly mount on domains that don't
JB    facilitate authentication, with the effect snowballing
JB    over time. This will ensure system-wide adoption of close
JB    to 100% fairly quickly.

There's a spark of optimism buried deep inside me that really
wants to believe that.  SAV has made me more cynical. :-/


JB There's something else you're not granting here, however.
JB Once the domains that are commonly used for forged headers
JB get protected with an authentication mechanism, I as a
JB system administrator no longer have to spend excessive time
JB and effort trying to distinguish between spam with that
JB domain name and legitimate email with that domain name.

Agreed entirely; IIRC, I think I said something similar a few
weeks back.  SPF is a useful data point -- we use ~19 RBLs as
data inputs, and no one can authoritatively nail email as spam.
Even if SPF pass is totally useless, I'd be surprised if SPF
fail didn't indicate a high probability of spam.


JB Instead of lookups on numerous RBLs and numerous other CPU
JB and network-intensive checks, I can simply trust email from
JB aol.com, msn.com, hotmail.com, yahoo.com - and these comprise
JB enough of my email load that I will get an instant resource
JB utilization benefit from knowing that email from @yahoo.com
JB is really from @yahoo.com and short-circuiting all the spam
JB checks I usually do.

Very good point.  No disagreement here.  However, I didn't like
the article's overgeneralized "News flash! whitelisting all 'SPF
pass' entries will let spam by!" attitude.  Anyone whitelisting
mail that has a valid SPF entry is nuts.


JB Thus even if authentication should never become 100% and even
JB if it doesn't stop spam, I still get a net benefit.

Definitely.  It's increased information... not enough for
perfect decisions, but enough for better decisions.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita



Re: Spammers Skirt IP Authentication Attempts

2004-09-06 Thread Mark Jeftovic


On Mon, 6 Sep 2004, Paul Vixie wrote:


  This is not a good beginning
 
  http://www.eweek.com/article2/0,1759,1642848,00.asp

 every time i see another Final and Ultimate Solution to the Spam Problem
 (FUSSP, (tm) VJS) get some traction and then fall well short of its goals,
 i've had the same emotion: well what the h--- did you think was going to
 happen?


I'm not sure the people behind this concept (SPF, RMX, et al) ever
intended it to be the FUSSP, but a lot of the ensuing enthusiasm
built it up to that.

I've *never* viewed SPF as an antispam methodology, but considered
it an inevitable utility of the DNS system. Other methods are
evolving to deal with spam, don't confuse them with what SPF is,
which is essentially an authentication/identification framework
that has the ability to mitigate one of the more popularly used
spam obfuscation techniques.

That spammers are publishing SPF records is in no way indicative
of an inherent flaw in SPF's objectives or a failure in its
implementation, in fact, I welcome spammers who publish SPF
data detailing the originating points of their email. If
more known spam domains did this, a handy DNSBL could be
constructed out of such data (with a few caveats of course,
it would also potentially open the door to a type of DoS attack).

But at the end of the day, none of this is surprising and none
of it constitutes a failure or setback for SPF (quite the
contrary in fact).

-mark

-- 
Mark Jeftovic [EMAIL PROTECTED]
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237
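
Added example (editor's addition; not code from this thread, from pobox.com's SPF project, SpamAssassin or any other project named above). It ties together three points made in the thread: Sean Donelan's "does this domain publish an SPF TXT record" survey, Edward Dreger's use of the SPF result as one weighted data point rather than a whitelist, and Mark Jeftovic's observation that a spammer's own SPF record tells you where their mail comes from. The domains (bank.example, isp.example, nospf.example, spammer.example), the TXT strings and the score weights are all constructed for the illustration; the evaluator handles only ip4, ip6 and all, which is enough to show the pass/fail/softfail/none outcomes without doing any DNS lookups.

```python
import ipaddress

# Constructed TXT answers for hypothetical domains; nothing here is a real
# DNS record.  Each value is one TXT string as a resolver would return it.
TXT_RECORDS = {
    "bank.example":    ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "isp.example":     ["some-site-verification=0123abcd",
                        "v=spf1 ip4:198.51.100.7 ~all"],
    "nospf.example":   ["just an unrelated TXT record"],
    "spammer.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(txt_values):
    """Pick the SPF record out of a domain's TXT strings, or None.

    Only a string whose first token is exactly 'v=spf1' is an SPF record;
    a domain is supposed to publish at most one, so two or more is treated
    as unusable here."""
    found = [t for t in txt_values if t.split(" ", 1)[0].lower() == "v=spf1"]
    return found[0] if len(found) == 1 else None


def has_spf(domain, txt=TXT_RECORDS):
    """The presence check behind the 'Has SPF TXT record' column."""
    return spf_record(txt.get(domain, [])) is not None


def evaluate(record, client_ip):
    """Evaluate one SPF record against the connecting IP.

    Handles ip4, ip6 and all with the four qualifiers.  The a, mx, include,
    exists and redirect mechanisms need further DNS lookups and are not
    implemented; hitting one returns 'unsupported' rather than guessing."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the v=spf1 token
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")     # first ':' only, so ip6 args survive
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"             # malformed address or prefix
            matched = ip.version == net.version and ip in net
        else:
            return "unsupported"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                            # nothing matched and no 'all' term


def check(domain, client_ip, txt=TXT_RECORDS):
    """SPF result for mail claiming envelope-from @domain, sent from client_ip."""
    record = spf_record(txt.get(domain, []))
    return "none" if record is None else evaluate(record, client_ip)


# Illustrative score contributions: fail is a strong spam signal, pass is
# only a mild one and never a bypass of the other checks.
SPF_SCORE = {"fail": 3.0, "softfail": 1.0, "permerror": 0.5, "unsupported": 0.0,
             "none": 0.0, "neutral": 0.0, "pass": -0.5}


def spf_score(domain, client_ip, txt=TXT_RECORDS):
    return SPF_SCORE[check(domain, client_ip, txt)]


def published_networks(domain, txt=TXT_RECORDS):
    """Address ranges a domain itself declares as its senders (ip4/ip6 only).

    For a domain already known to send spam this is the raw material for a
    block list; since a record can name any address at all, a range should
    not be listed without confirming it really belongs to the sender."""
    record = spf_record(txt.get(domain, []))
    if record is None:
        return []
    nets = []
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(arg, strict=False))
    return nets


if __name__ == "__main__":
    for d in TXT_RECORDS:
        print(f"{d:18} has SPF: {has_spf(d)}")
    print(check("bank.example", "192.0.2.10"), check("bank.example", "203.0.113.5"))
    print(check("spammer.example", "203.0.113.5"), spf_score("spammer.example", "203.0.113.5"))
    print([str(n) for n in published_networks("spammer.example")])
```

Note that spammer.example gets a clean "pass" from its own address range, exactly the situation the eWeek article reports; with the weights above that is worth half a point in the sender's favour and nothing more, while bank.example mail from an unlisted address fails hard. The evaluation is keyed on the envelope-from domain, so it says who the sender claims to be, not whether the mail is wanted.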