Hello Andy

Andy Smith wrote:
> On Tue, Jan 27, 2004 at 08:15:05PM +0100, Fabian Wenk wrote:
> > It won't work. What if the spammer just registers a domain to only use
> > for spamming, and configures IP ranges (worst case 0.0.0.0/0) for spf
> > which he is using to relay his mails out in the DNS for this domain?

> SPF is not meant to stop spam but is in fact meant to only
> authenticate who the sender is. Any domain registered just for spam
> will quickly find its reputation trashed and will end up in DNSBLs

The spammers usually use hacked/backdoored computers (mostly Windows), or for example open proxy servers, to relay their spam through, so they have new boxes to use for relaying almost every day. If I understand SPF right, the receiving mail server checks if the IP of the host where the email is coming from is in the DNS of the sender domain. DNSBLs usually list the IPs of known spam sending hosts, but it is like antivirus software: they are always a step behind.

> quickly. Spammers will be forced to keep buying domains to cycle
> through and then discard forever. DNSBLs will start going by the

They will do, as they make enough money from one run of sending out spam.

> nameservers used instead of the domains themselves, and this will

A few months ago there was a posting on bugtraq about a way spammers misuse other people's DNS servers. Because the DNS servers of spammers often get DoS'ed, they try to feed other DNS servers with their own zone info (with a big enough TTL) and then switch the DNS at the domain registrar over to the DNS of somebody else. Not all domain registrars check whether the DNS servers are really authoritative for the domain.

> put pressure on the registrars to terminate customers who regularly
> buy domains through them and then use the domains only for spam.

Do you really think they register a domain with their own postal addresses? Around 2 years ago 2 of my own domains were misused to send spam in German with advertising for something like a "Partnervermittlung" (they tried to install a dialer). They were using sender addresses [EMAIL PROTECTED] I did a lot of digging to find out where the spam was coming from, to advise the police (as recommended by my legal protection insurance) with all the information I could get. The traces were long, and also some .ch domains were involved, but with domain holders outside of Switzerland. So it should be easy to hide the traces of the real spammer, and if you pay for the domain with e.g. a stolen credit card number, put in the postal address of somebody else and use only an email address of a free webmail service, it should be possible.

> None of the above Good Things are possible whilst spammers can use
> any domain they choose in the email addresses they use.

Sure, SPF will raise the level of work to do to send out spam, but it will not stop them. Currently I'm happy with SpamAssassin, it keeps my inbox almost free of spam. But to use SPF, at least almost all non-spammers should use it, or it won't be useful.

> > This could also be only IP ranges of other ISPs on which he uses machines
> > with an open proxy or else hacked/backdoored boxes.

> In this case the trojan will have to:
> - work out the correct domain to use for the box it has been
>   installed on

The trojan is not sending out spam, it is only working as a mail relay for the spammer to send out his spam. It will send out the spam with the domain the spammer acquired and set up for sending out spam.

> - check that domain's SPF records to see what IPs it can relay
>   from

Not needed, as the spammer configures in his domain (registered only for this spam) the entry 0.0.0.0/0 (the whole internet) for SPF.

> - Try to find the mail relay within those IP ranges and then use it

see above

> All of that is possible, and does happen today, but it still raises
> the bar by making it harder, and it still results in the ISP

If the spammer still can make money this way, the bar will not be high enough to cross over. The best would be to tell all people not to buy anything from somebody who offers you anything through spam, and the spam would just go away. Some friend of mine says "legalise Viagra" so it can be bought at the Kiosk and does not have to be advertised through spam anymore.

> concerned seeing their own customers send the spam, which means that
> other antispam measures like rate-limiting customers, forcing all
> customers through own relays, etc. will be more effective.

The ISPs cannot take the responsibility away from their customers, or it would be best to put all customers behind a NAT box, and let them use the internet only through your proxy server. I know, it does not sound really good if I say that an ISP should discontinue the service for a customer who sends out spam (even if his box was misused by somebody else). If all ISPs did this, the customer would learn to maintain his computer right so that he can use it on the internet again. I know, a computer is too cheap for the complexity it has, but you also bring your car to the car service for maintenance and don't do it yourself. People should hire somebody who maintains their computer, or learn how to keep their computer up to date and secure. I like my ISP which keeps all ports open to the Internet, because I'm running a mail and webserver here for me and family/friends (nothing commercial).

> It seems like some people want a single magic silver bullet that
> ends spam. I'm sorry to say that those expectations are
> unreasonable.

This won't happen as long as "stupid" people are buying anything from spammers.

> SPF does have limitations and problems but these that you have
> mentioned aren't the worst by far.

I guess it needs to be used by all domains from which you would like to receive email?

> For a real problem with SPF, think about how this will affect people
> who need to travel a lot and send email that has the domain of the
> company they work for. Also think about forwarding services where

This is illustrated at http://spf.pobox.com/; they should use the mail server of their company, which uses SMTP Auth (e.g. sendmail with SASL), to send out emails. I have this setup already running here (in my setup it works only when connected with SSL/TLS).

> they receive mail for foo.org and must relay it on to the real email
> account of bar.org. Then read the SPF literature for how they
> suggest this is solved.

So I guess it would be just easier to forget SPF and look maybe for some completely new way to send email, or fight against spam with the current SMTP. I use SpamAssassin with DCC, Razor and Pyzor included; this gives some pretty good information about how often the same email (the same or almost the same text) is received at other places, and it is tagged accordingly.

PS: Please don't think I'm a spammer, as I seemed almost to think like one. I don't like the spam in my inbox either, but a good idea of what a spammer is able to do will help to choose a mechanism to fight against it. And as far as I can see, SPF is not it. Probably it would be a good thing to discuss this topic sometime at a SwiNOG Beer Event, it is probably easier than in writing.

bye
Fabian

----------------------------------------------
[EMAIL PROTECTED]
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
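
The check discussed in this mail (is the connecting IP listed in the sender domain's SPF record?) and the `0.0.0.0/0` case, seen from the receiving side, as an added example that is not part of the original message. The records, domain names, the /16 threshold and the `pass-but-meaningless` label are assumptions constructed for illustration; only the `ip4` and `all` mechanisms are evaluated, since the others need live DNS.

```python
import ipaddress

# Constructed sample records; the domains are placeholders, not from the thread.
SAMPLE_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "throwaway.example": "v=spf1 ip4:0.0.0.0/0 -all",
    "lazy.example": "v=spf1 ip4:203.0.113.0/24 +all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse(record):
    """Return the ordered (qualifier, network) list for ip4/all mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        body = term.lstrip("+-~?").lower()
        if body.startswith("ip4:"):
            net = ipaddress.ip_network(body[4:], strict=False)
            mechanisms.append((qualifier, net))
        elif body == "all":
            # "all" matches every client, like 0.0.0.0/0; nothing after it runs.
            mechanisms.append((qualifier, ipaddress.ip_network("0.0.0.0/0")))
            break
    return mechanisms


def check_host(record, client_ip):
    """First matching mechanism decides, evaluated left to right."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, network in parse(record):
        if ip in network:
            return RESULTS[qualifier]
    return "neutral"


def too_broad(record, max_addresses=2 ** 16):
    """Assumed local policy: a pass mechanism wider than a /16 proves nothing."""
    return any(q == "+" and net.num_addresses > max_addresses
               for q, net in parse(record))


def verdict(record, client_ip):
    """SPF result, downgraded when the record authorizes nearly everyone."""
    result = check_host(record, client_ip)
    if result == "pass" and too_broad(record):
        return "pass-but-meaningless"
    return result
```

A receiver can feed the downgraded verdict into its scoring (for example alongside DNSBL and content checks) instead of treating every SPF pass as equally trustworthy.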