Spammers Skirt IP Authentication Attempts

Edward B. Dreger eddy+public+spam at noc.everquick.net
Mon Sep 6 22:36:54 UTC 2004


JB> Date: Mon, 06 Sep 2004 13:42:22 -0600
JB> From: Jawaid Bazyar

JB> 1) Domains spammers own will quickly become blacklisted.
JB>    Spammers will be forced to purchase register tons of
JB>    domains in order to continue spamming. However their

Or use SPF-less domains.


JB> 2) Pressure will quickly mount on domains that don't
JB>    facilitate authentication, with the effect snowballing
JB>    over time. This will ensure system-wide adoption of close
JB>    to 100% fairly quickly.

There's a spark of optimism buried deep inside me that really
wants to believe that.  SAV has made me more cynical. :-/


JB> There's something else you're not granting here, however.
JB> Once the domains that are commonly used for forged headers
JB> get "protected" with an authentication mechanism, I as a
JB> system administrator no longer have to spend excessive time
JB> and effort trying to distinguish between spam with that
JB> domain name and legitimate email with that domain name.

Agreed entirely; IIRC, I think I said something similar a few
weeks back.  SPF is a useful data point -- we use ~19 RBLs as
data inputs, and no one can authoritatively nail email as spam.
Even if "SPF pass" is totally useless, I'd be surprised if "SPF
fail" didn't indicate a high probability of spam.


JB> Instead of lookups on numerous RBLs and numerous other CPU
JB> and network-intensive checks, I can simply trust email from
JB> aol.com, msn.com, hotmail.com, yahoo.com - and these comprise
JB> enough of my email load that I will get an instant resource
JB> utilization benefit from knowing that email from @yahoo.com
JB> is really from @yahoo.com and short-circuiting all the spam
JB> checks I usually do.

Very good point.  No disagreement here.  However, I didn't like
the article's overgeneralized "News flash! whitelisting all 'SPF
pass' entries will let spam by!" attitude.  Anyone whitelisting
mail that has a valid SPF entry is nuts.


JB> Thus even if authentication should never become 100% and even
JB> if it doesn't stop spam, I still get a net benefit.

Definitely.  It's increased information... not enough for
"perfect" decisions, but enough for "better" decisions.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
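
The policy the two posters converge on in the message above, as an added example that is not part of the original thread: SPF "pass" short-circuits the RBL lookups only for a locally trusted set of domains, is never a whitelist on its own, and "fail" is a heavy but not sole input. The function name, weights, threshold and the RBL callables are assumptions made for illustration.

```python
from typing import Callable, Iterable, Tuple

# Assumption: domains the local admin chooses to trust once SPF confirms them
# (the four named in the quoted text).
TRUSTED_ON_PASS = {"aol.com", "msn.com", "hotmail.com", "yahoo.com"}

# Assumption: illustrative weights. "pass" earns no credit by itself, because
# a spammer can publish a valid SPF record for a domain they own.
SPF_WEIGHT = {"pass": 0.0, "none": 0.0, "neutral": 0.0,
              "softfail": 2.0, "fail": 4.0}
RBL_WEIGHT = 1.5        # each RBL listing is one data point, not a verdict
SPAM_THRESHOLD = 5.0    # "fail" alone stays below this; fail + one RBL crosses it


def score_message(domain: str, spf: str,
                  rbl_checks: Iterable[Callable[[], bool]]
                  ) -> Tuple[str, float, int]:
    """Return (verdict, score, number_of_rbl_lookups_performed)."""
    domain = domain.lower().rstrip(".")

    # Resource saving from the quoted text: authenticated mail from a trusted
    # domain skips every RBL lookup.
    if spf == "pass" and domain in TRUSTED_ON_PASS:
        return ("accept", 0.0, 0)

    score = SPF_WEIGHT.get(spf, 0.0)   # unknown/error results add nothing
    lookups = 0
    for check in rbl_checks:
        if score >= SPAM_THRESHOLD:
            break                      # decision reached; stop spending lookups
        lookups += 1
        if check():
            score += RBL_WEIGHT
    verdict = "reject" if score >= SPAM_THRESHOLD else "accept"
    return (verdict, score, lookups)


# Constructed stand-ins for real DNSBL queries, so the example runs offline.
LISTED = lambda: True
CLEAN = lambda: False

if __name__ == "__main__":
    print(score_message("yahoo.com", "pass", [LISTED] * 19))
    print(score_message("spammer-owned.example", "pass", [LISTED] * 19))
    print(score_message("yahoo.com", "fail", [CLEAN, LISTED] + [CLEAN] * 17))
```

The second call is the case the reply warns about: a domain with a valid SPF record still goes through the RBLs and is rejected on their evidence.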



