ISP phishing

Wed Jun 29 06:47:52 UTC 2005

At 4:30 AM +0200 2005-06-29, Paul Wouters wrote:

>  It would have been better if he had just installed SPF, and published DNS
>  records for his own domain, and rejected them based on that. Then other
>  people receiving forged emails with his domain would also be able to just
>  drop those emails.

	I disagree.  Publishing SPF records of that nature would mean 
that any customers of his who may be roaming would be unable to send 
e-mail as themselves, and would create the known problems with 
forwarding.  Since you're unlikely to be getting any phishing 
attempts claiming to come from j-random-user at hisdomains.example.com, 
the publishing of SPF records in this instance would not do anything 
measurable to stop spam coming from his systems nor would it have any 
visible impact on phishing attempts from his systems.

	SPF is not a panacea.

	In fact, it is pretty much totally worthless, unless you are the 
sole owner of a given domain and you can guarantee that all mail you 
ever send will always be routed through the machines that you own and 
control, and you know that you don't ever forward e-mail for any of 
your other accounts.

	In that case, SPF can be useful to reduce the damage caused by 
joe-job attacks on you at your domain, but that's about it.

	And i think you're doing yourself and the entire community a 
grave disservice by painting SPF as the FUSSP.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.