On Wed, Jan 28, 2004 at 11:40:53PM +0100, Fabian Wenk wrote:
> Hello Andy
>
> Andy Smith wrote:
> > SPF is not meant to stop spam but is in fact meant to only
> > authenticate who the sender is. Any domain registered just for spam
> > will quickly find its reputation trashed and will end up in DNSBLs
>
> The spammers usually use hacked/backdoored Computers (mostly Windows),
> or for example open proxy servers to relay their spam through, so they
> have almost every day new boxes to use for relaying. If I understand SPF
> right, the receiving mail server checks if the IP of the host where the
> email is coming from is in the DNS of the sender domain.

Yes.

> DNSBLs usually list the IPs of known spam sending hosts, but it is like
> the anti virus software, they are always a step behind.

This is true, but the point of SPF is to require spammers to burn
the reputation of a domain that they own in the process of doing
their spamming, and to eradicate forging of innocent people's email
addressing basically making non-spammer's lives easier.

> > quickly. Spammers will be forced to keep buying domains to cycle
> > through and then discard forever. DNSBLs will start going by the
>
> They will do, as they make enough money from one run of sending out
> spam.

It would still be incomparably better to how it is now, where DNSBLs
must list IP addresses because all domain names are forged. There
are a lot more IP addresses than domain names.

> > nameservers used instead of the domains themselves, and this will
>
> A few months ago there was a posting on bugtraq about a way how spammers
> misuse other people's dns servers. Because often the dns servers from
> spammers get DOS'ed, they are trying to feed other dns servers with the
> own zone infos (with a big enough TTL) and then switching the dns at the
> domain registrar over to the dns of somebody else. Not all domain
> registrars do check the dns server if they are really authoritative or
> not for the domain.

You really cannot blame SPF for the failings of other processes. As
I say the point of SPF is only to authenticate a sender, nothing
more.

Once we are able to say with some degree of certainty that a mail
that came from [EMAIL PROTECTED] really did come from the people in
charge of example.com, then pressure can be exerted on every service
provider for example.com. Right now, this can't be done easily, it
requires masses of research.

SPF will make life so much better for anti-spammers that I am
willing to cheerlead for it like this to all those who think "this
won't fix spam => it is pointless".

> > put pressure on the registrars to terminate customers who regularly
> > buy domains through them and then use the domains only for spam.
>
> Do you really think they register a domain with their own postal
> addresses?

When you buy something from someone, the vendor at least gets your
credit card. If spammers are forced to become criminals and use
stolen cards then that's good (easier to put them in jail). If they
don't then the registrar has a credit card that is valid, and
nothing stops registrars from putting penalty clauses in their terms
of service, for example. Registrars who don't deal with their
spamming customers might find themselves in more trouble compared to
those who do.

> Around 2 years ago 2 of my own domains were misused to send spam in
> German with advertising for something like a "Partnervermittlung" (they
> tried to install a dialer). They were using sender address
> [EMAIL PROTECTED] I did a lot of digging out where the spam
> is coming from to advise the police (as recommended from my legal
> protection insurance) with all the information I could get. The traces
> were long, and also some .ch domains were involved, but with domain
> holder outside of Switzerland.
>
> So it should be easy to hide the traces of the real spammer, and if you
> pay the domain with eg. a stolen credit card number and put postal
> address of somebody else in and use only a email address of a free
> webmail service it should be possible.

I have heard that putting locks on doors and in cars is also
pointless against criminals who are willing to wait until you are
not there before breaking in anyway.

> > None of the above Good Things are possible whilst spammers can use
> > any domain they choose in the email addresses they use.
>
> Sure, SPF will raise the level of work to do to send out spam, but it
> will not stop them. Currently I'm happy with SpamAssassin, it keeps my
> inbox almost free of spam.
>
> But to use SPF at least almost all non-spammers should use it, or it
> won't be useful.

In reality it would only need a couple of the large email service
providers to use it before spammers are economically affected. If
the likes of AOL, MSN, Yahoo!, Outblaze, and a few large broadband
ISPs would start to use it then it doesn't matter what all the rest
of the companies in the world combined use, this is enough to force
spammers to change.

I have heard rumours that most of the companies I have named above
are working on their own SPF-like scheme which will not be open like
SPF, will not take much input from the internet community at large,
and on the whole will probably not be as nice for others to conform
with as SPF is. You will conform with it anyway because you cannot
say to your customers, "sorry, we aren't able to send your email to
AOL anymore".

So in the near future I see it either that the Internet community
embraces an open standard or else it has a closed standard forced on
it by the AOL/MSN/Yahoo!s of this world.

> > > This could also be only IP ranges of other ISPs on which he use machines
> > > with an open proxy or else hacked/backdoored boxes.
> > In this case the trojan will have to:
> > - work out the correct domain to use for the box it has been
> >   installed on
>
> Not the trojan is sending out spam, it is only working as a mail relay
> for the spammer to send out his spam. It will send out the spam with the
> domain the spammer acquired and set up for sending out spam.

In a world where something like SPF is widespread, there will be so
much more that recipients can do about cases like this. For a start
the recipient can send email that comes from domains with 0/0 in
their SPF, or with no SPF, through much harsher content filters.
Also once there are "domain trust" databases available, email from
domains with no established history can also be treated as
suspicious. Those are just a couple of the most obvious approaches
that come to mind.

As I said, SPF is meant to work with other antispam techniques, not
as a silver bullet by itself.

> > SPF does have limitations and problems but these that you have
> > mentioned aren't the worst by far.
>
> I guess it needs to be used by all domains from which you would like to
> receive email?

There is no reason why you would stop accepting email from domains
that do not have SPF records. What you did about them would be a
policy decision for you, just like many people take policy decisions
on mail from IPs that have broken reverse DNS, or that give a
wrong/invalid host in their HELO. It is just one more metric that we
can use to decide how to handle mail, but it is an immensely useful
one.

> > For a real problem with SPF, think about how this will affect people
> > who need to travel a lot and send email that has the domain of the
> > company they work for. Also think about forwarding services where
>
> This is illustrated at http://spf.pobox.com/ they should use the mail
> server of their company which use SMTP Auth (eg. sendmail with SASL) to
> sending out eMails. I have this setup already running here (at my setup
> it works only when connected with SSL/TLS).

Well, *I* know how to fix it, I am a supporter of SPF after all.[1] :)

What I'm saying is, these are real problems with SPF that will cause
problems for the business models of many people who would like to
use it, as opposed to the things you are saying which to me are just
complaints about how "SPF won't kill spam so SPF is pointless".

But all of this is answered by the various documents on that site,
and if not then the SPF mailing list would be better.

However, I don't think you will be convinced, so I'll leave it
there.

-- 
"Welcome to the future - it's broken!" -- The League Against Tedium

[1] And yes, I know I have not implemented SPF for my own domains
    yet, just haven't had time to alter our setup so it will
    actually work. Doesn't stop me believing it is a Good Thing. :)

----------------------------------------------
[EMAIL PROTECTED]
Maillist-Archive: http://www.mail-archive.com/swinog%40swinog.ch/
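
The receiver-side check discussed in the message above, as an added example that is not part of the original post: the connecting IP is compared with the ranges a domain publishes, and domains with 0/0 (or no SPF at all) are sent to harsher filtering. The records, domain names, the `check_sender` helper and the handling tiers are constructed assumptions; only `ip4`, `ip6` and `all` terms are evaluated.

```python
import ipaddress

# Constructed TXT records for reserved example domains and address ranges.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "wide-open.example": "v=spf1 ip4:0.0.0.0/0 -all",
    "lazy.example": "v=spf1 +all",
    # "nospf.example" deliberately publishes nothing.
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return [(result, network or None for 'all')] in record order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    rules = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            rules.append((QUALIFIERS[qualifier], net))
        elif name.lower() == "all":
            rules.append((QUALIFIERS[qualifier], None))
        # a, mx, include and other terms need DNS lookups; skipped in this sketch.
    return rules


def check_sender(domain, client_ip, txt=SAMPLE_TXT):
    """Return (spf_result, handling); the handling tiers are an assumed local policy."""
    record = txt.get(domain)
    if record is None:
        return "none", "strict-filter"
    ip = ipaddress.ip_address(client_ip)
    result, matched, too_broad = "neutral", False, False
    for verdict, net in parse_spf(record):
        # A passing /0 network or a passing "all" authorises every host.
        if verdict == "pass" and (net is None or net.prefixlen == 0):
            too_broad = True
        hit = net is None or (ip.version == net.version and ip in net)
        if hit and not matched:
            result, matched = verdict, True
    if too_broad:
        return result, "strict-filter"
    return result, {"pass": "normal-filter", "fail": "reject"}.get(result, "strict-filter")
```

A relay that sends with a domain whose record authorises the whole Internet still gets an SPF pass here, which is why the breadth of the record, not only the result, feeds the handling decision.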
