Spammers Skirt IP Authentication Attempts

Paul Jakma paul at clubi.ie
Wed Sep 8 04:41:05 UTC 2004


On Tue, 7 Sep 2004, Paul Vixie wrote:

> i don't agree.  i think it's overengineered and that a simpler 
> solution like the one at <http://sa.vix.com/~vixie/mailfrom.txt>

oh, hear hear.

Then there's Sender-ID. Bulky XML in DNS, sigh.

> should have been deployed years ago, but i don't think SPF, or 
> things like SPF, are at all worthless.

> every time someone forges one of my domains or e-mail addresses as 
> a spam source, i get all kinds of bot-mail telling me that what the 
> spammer tried to do didn't work.  quite a lot of challenge/response 
> nonsense.  quite a few majordomo/etc listbot error messages.  a 
> whole pile of mailer-daemon@ errors.

True, but bounces, and anything else with NULL return path, can be 
taken care of with SRS.

Bogus bounces are probably the most annoying non-spam email problem, 
and we do not need SPF to kill those. Hence, given a better solution 
to the only pressing problem we know SPF can solve, SPF is worthless.

For the other problems, well, SPF just isn't going to solve them. So 
SPF will tell you that client.acme.net is indeed allowed to send mail 
from foobar.com, but that describes only trust between 
foobar.com->client.acme.net. I am no wiser at all as to whether 
foobar.com is worthy enough to send me email. And given that there 
are *millions* of domains, and they can be registered by anyone 
within minutes, I'm unlikely *ever* to be able to make any use of the 
knowledge that foobar.com allows client.acme.net to send mail on 
their behalf to discriminate between genuine and spam email. (Other 
than whitelisting clients I trust - but I don't need SPF for that.)

Indeed, you've been saying this for years. ;)

(which is largely how I've come to my own opinion ;) )

> if all mailbots learned to speak something like SPF, and my domains 
> all advertise the nec'y metadata to enable something like SPF, then 
> i would find it far easier to filter the remaining drivel in my 
> inbox, which would just be spam and e-mail (listed in order by 
> volume) -- no more mailbot responses to messages i never sent.

See:

	http://www.libsrs2.org/
	http://www.libsrs2.org/srs/srs.pdf
	http://asarian-host.net/srs/sendmailsrs.htm

And be happy, and realise "SPF is worthless" ;)

> the economic benefit that will actually cause something like SPF to 
> come into wide use is different yet again -- it's not to make it 
> easier to filter the remainder, and it's not to stop spam.  it's to 
> protect trademarks owned by large e-mail providers ("@hotmail.com" 
> being one, "@yahoo.com" being another) from dilution.

Ah, ok. Yes, I've read you making the above argument before and, aye, 
it's a very fair point. But is it enough of a reason? It seems like 
a fallback reason, for use when other answers to "what actual real 
problems does SPF solve?" are not forthcoming.

Is it really worth it for every domain owner on the planet (including 
spammers!) to implement SPF records in DNS, and the resulting 
forwarding breakage, simply to provide some fairly intangible 
"dilution protection" for, primarily, the very small subset of 
widely-known domains out there?

It would prevent joe-jobs, yes. But how bothersome are those, given 
that the bounces can be dealt with with the far less intrusive SRS?

> everything that happens on the internet these days happens for 
> economics-related reasons.  i'm glad that companies bigger and 
> richer than i am find it in their own selfish best interests to 
> push something like SPF -- that means it'll happen.  that my own 
> reasons differ from theirs is immaterial.  that they have to 
> mismarket it as a spamstopper to get corporate and investor support 
> for it is also immaterial.  the fact is, it's coming -- and

Well that depends. At the moment it looks like the clients will 
implement a standard that most of the servers will not!

Also, I doubt I'll be implementing SPF myself. Indeed, to implement 
SPF I would have to list the MTAs of at least several Irish ISPs, and 
probably more, as I have users who only receive email via my systems, 
but don't send it via my systems.

Yes yes, MSA... but I don't even know most of these people except as 
usernames in a password file, they're mostly non-technical, and I 
don't intend to track them down one by one and go visit them to 
reconfigure their MUAs for them. And even if I did, no doubt they 
also have /other/ email addresses, e.g. one from their ISP, and many 
popular, particularly older versions of, MUAs have problems with 
allowing one to configure SMTP/MSA according to From address, sigh.

> it's useful, just not for the advertised reasons, or a universal 
> reason.

Ah, absolutely yes.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
It does not matter if you fall down as long as you pick up something
from the floor while you get up.
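Added example, not part of the post or of libsrs2: the SRS0-style return-path tagging the post relies on for killing bogus bounces. A domain rewrites its own outgoing envelope sender with a keyed hash and a timestamp; a later bounce is accepted only if its recipient carries a tag that verifies and is not expired, so a joe-job bounce to a plain, never-tagged address is rejected. The secret, the 4-character hash length and the 21-day window are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"example-domain-secret"  # constructed; in practice comes from MTA config
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # assumed bounce-acceptance window


def _timestamp(days):
    """Two base32 chars encoding (days since epoch mod 1024), as in the SRS0 shape."""
    n = days % 1024
    return BASE32[(n >> 5) & 31] + BASE32[n & 31]


def _hash(ts, domain, local):
    """Short keyed hash over timestamp, original domain and local part (length is our choice)."""
    msg = (ts + domain.lower() + local.lower()).encode()
    return base64.b64encode(hmac.new(SECRET, msg, hashlib.sha1).digest())[:4].decode()


def srs_forward(sender, tag_domain, days=None):
    """Rewrite an outgoing return path so that any bounce comes back carrying a verifiable tag."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(int(time.time() // 86400) if days is None else days)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{tag_domain}"


def srs_reverse(address, today_days=None):
    """Validate a bounce recipient. Returns the original sender, or None if untagged, forged or expired."""
    if "@" not in address:
        return None
    parts = address.rsplit("@", 1)[0].split("=", 4)
    if len(parts) != 5 or parts[0] != "SRS0":
        return None  # plain address: we never used it as a return path
    _, h, ts, domain, orig_local = parts
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        return None
    if not hmac.compare_digest(h, _hash(ts, domain, orig_local)):
        return None  # tag does not verify: forged or re-keyed
    today = int(time.time() // 86400) if today_days is None else today_days
    stamped = (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])
    if (today % 1024 - stamped) % 1024 > MAX_AGE_DAYS:
        return None  # too old: the window has closed
    return f"{orig_local}@{domain}"
```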
