Sender authentication & zombies (was Re: Time to check the rate limits on your mail servers)

Douglas Otis dotis at mail-abuse.org
Sat Feb 5 20:57:28 UTC 2005


On Sat, 2005-02-05 at 09:39 -0800, J.D. Falk wrote:
> On 02/04/05, Douglas Otis <dotis at mail-abuse.org> wrote: 
> 
> > SPF does nothing, and could actually damage the reputation of those
> > domains that authorize the provider for their mailbox domain using
> > SPF.  These records can be read by the spammers and then exploited. 
> > Repairing this reputation could be next to impossible.
> 
> You touch on some basic realities here:
> 
>  1. spam coming out of your network will affect your reputation.
> 
>  2. spam coming out of your own mail machines will affect your
>     reputation even more immediately.
>
> Neither are affected by any of the domain authentication schemes
> currently in play (SPF, SenderID, DomainKeys, etc.)  The spam
> itself may include forgeries, but that's a different issue.

SPF and Sender ID do not indicate who administers the machine.  It is
important to understand that SPF and Sender-ID entities are completely
unrelated to server administration or ownership.  Authentication, and
not just authorization, is required to prevent forgeries.  Yahoo's
DomainKeys or Cisco's IIM could be enhanced to include a unique account
identifier, perhaps directly derived from the access server, which would
enable a means to directly confront this threat.

DK or IIM makes it clear who is administering the server and this
authentication permits reputation assessment.  Add an account
identifier, and the problem is nailed.  Reputation is required to abate
spam.  SPF and Sender-ID CAN NOT support reputation because they REALLY
CAN NOT prevent forgeries.  There isn't even a consensus on which entity
should be checked with these schemes.

-Doug
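
Added illustration, not part of the original post: a minimal SPF evaluator (ip4, include and all mechanisms only) run over constructed records, showing that the result depends only on the connecting IP and the claimed domain, never on which account at a shared provider submitted the message. All domains, addresses and account labels are constructed.

```python
import ipaddress

# Constructed SPF records (documentation domains and address ranges).
SPF_RECORDS = {
    "provider.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "alice.example": "v=spf1 include:provider.example -all",
    "bob.example": "v=spf1 include:provider.example -all",
    "other.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Evaluate ip4, include and all for (domain, client_ip); return the SPF result."""
    if depth > 10:
        return "permerror"  # guard against include loops
    terms = SPF_RECORDS.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included record evaluates to "pass"
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

# Constructed submissions through the provider's shared outbound host.
# "account" is known only to the provider; it is not an input to the SPF check.
SUBMISSIONS = [
    {"account": "acct-1001", "mail_from": "alice.example", "client_ip": "192.0.2.25"},
    {"account": "acct-2002", "mail_from": "alice.example", "client_ip": "192.0.2.25"},
    {"account": "acct-2002", "mail_from": "other.example", "client_ip": "192.0.2.25"},
]

def receiver_view(submissions):
    """SPF result per message as the receiving server computes it."""
    return [(s["account"], check_spf(s["mail_from"], s["client_ip"])) for s in submissions]

if __name__ == "__main__":
    print(receiver_view(SUBMISSIONS))
```

The first two results are identical even though different accounts submitted the mail, so a receiver tracking reputation by SPF result charges both to alice.example.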



