
Spammers Are Early Adopters of SPF Standard

nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem won't be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."
  • by CypherXero ( 798440 ) on Friday September 03, 2004 @06:06PM (#10153624) Homepage
    OK, We need to change SMTP completely. It was created back when the internet was somewhat new, and spam e-mail was unheard of. The protocol itself needs a change.
  • The point of SPF (Score:5, Insightful)

    by pikine ( 771084 ) on Friday September 03, 2004 @06:07PM (#10153631) Journal

    ... is not to block spam, but to identify the source of an e-mail. Spammers can definitely identify themselves if they so choose. I think it is still a welcoming trend.

  • by Carnildo ( 712617 ) on Friday September 03, 2004 @06:07PM (#10153641) Homepage Journal
    Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.
  • Wow (Score:2, Insightful)

    by FiReaNGeL ( 312636 ) <`moc.liamtoh' `ta' `l3gnaerif'> on Friday September 03, 2004 @06:08PM (#10153646) Homepage
    Spammers are like viruses, they adapt amazingly fast. You thought that this new technology would hinder their 'business', but they turn it to their advantage! Oh look, a valid sender ID... I'll just open this mail, it can't be spam, right? Right?

    Oh well, at least filters are getting VERY good at catching 99% of it.
  • by Anonymous Coward on Friday September 03, 2004 @06:08PM (#10153656)
    What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.
  • by hypnagogue ( 700024 ) on Friday September 03, 2004 @06:10PM (#10153661)
    The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.

    In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.
  • by Manip ( 656104 ) on Friday September 03, 2004 @06:12PM (#10153681)
    SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.

    You can not guarantee that an E-Mail originated from the source it said it did.

    Which effectively makes black-lists useless.

    With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.

    I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.
  • by Otto ( 17870 ) on Friday September 03, 2004 @06:13PM (#10153700) Homepage Journal
    If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.

    That was the entire point.

    In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.

    There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.

    The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.
  • by Anonymous Coward on Friday September 03, 2004 @06:19PM (#10153760)
    this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted

    And we all know how effective blacklists are, right?

    The problem with SPF is that it breaks one of the features of SMTP that makes it useful - the ability to send mail from a different location without having to change your email address. If my employer implemented SPF, I wouldn't be able to send work email from home.

    If blacklists are the ultimate answer, RBLs are much more effective at stopping spam, and they don't break any features of SMTP.
  • by ZorbaTHut ( 126196 ) on Friday September 03, 2004 @06:24PM (#10153793) Homepage
    How would you change it?

    Why can't these changes be integrated into SMTP-as-we-know-it?

    It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.
  • by coyote-san ( 38515 ) on Friday September 03, 2004 @06:25PM (#10153802)
    There are four separate "spam" problems:
    • Unsolicited but legal mail from a legitimate mail server
    • Unsolicited mail (legal or not) from hijacked systems, open mail relays, etc.
    • Viruses
    • Fraudulent mail

    SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.

    As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phishers' lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss off Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.

  • by YankeeInExile ( 577704 ) * on Friday September 03, 2004 @06:33PM (#10153847) Homepage Journal

    Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net

    So, I suppose what I'm proposing is a distributed whitelist.

  • by jd ( 1658 ) <imipak@ y a hoo.com> on Friday September 03, 2004 @06:34PM (#10153865) Homepage Journal
    First, the two quoted experts are Weng and Wong. If somebody posts that they both work at Wang, I am going to scream.


    Second, I'd have thought that it would be obvious that trivial authentication would be useless. It's like using the existence of an X.509 certificate as proof that a site is genuine, notwithstanding that anybody can download a roll-your-own certification program and generate their own.


    Third, it's ironic that corporations (who lose millions, if not billions, to fraud each year) aren't the least bit interested in authentication of any kind, whereas spammers (who probably make a very livable income from fraud) are adopting it in droves.


    This last one is the most bothersome. Many (but by no means all) corporate websites use SSL for credit card info, but that's about it. And even then, usually only the server has a certificate. Client-side authentication is extremely rare.


    Even for business-to-business networking, where you would have thought it very important that both ends of the connection are who they say they are, it's extremely rare to find even the most basic of security measures. IPSec? Kerberos? Nah. I've worked for companies - and even Government agencies - that were quite confident that their .rhosts file would only allow legit users access to their computers.


    It's a sad day, when the only e-mail you can be sure is genuine is the e-mail that's pure crap.

  • by Carnildo ( 712617 ) on Friday September 03, 2004 @06:34PM (#10153866) Homepage Journal
    Assume it takes an hour to add a domain to an automated blacklist. I think it could be done in five minutes or so, but let's be generous:

    24 domains/day * 365 days/year * $12/domain = $105,120

    That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.
  • by AtOMiCNebula ( 660055 ) on Friday September 03, 2004 @06:36PM (#10153884) Journal
    But now, spammers have to invest money in what they're doing. It doesn't matter if it's much or not, but it is something. It's more than what they were paying before, so unless they don't mind cutting into their profit margins, they're going to be affected by this.

    Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.

    What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.
  • by Wesley Felter ( 138342 ) <wesley@felter.org> on Friday September 03, 2004 @06:44PM (#10153932) Homepage
    'nuff said.
  • by Titusdot Groan ( 468949 ) on Friday September 03, 2004 @06:44PM (#10153934) Journal
    SPF was not, by itself, intended to stop spam. It was intended to stop spoofing and phishing (ie. somebody claiming to be from Citi Bank asking you to update your info).

    However, once SPF is adopted it allows several things:

    1. Whitelisting of well known domains that use spf (eg. ge.com, ibm.com, etc)
    2. Blacklisting of well known spammers who use spf (ie. workable rbls)
    3. More aggressive spam content filtering of everybody who isn't using SPF -- after all you've whitelisted a LOT of the important people already.

    I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.

  • by forevermore ( 582201 ) on Friday September 03, 2004 @06:46PM (#10153954) Homepage
    The point of SPF is ... to identify the source of an e-mail

    This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.

  • by CodeMaster ( 28069 ) on Friday September 03, 2004 @06:52PM (#10153985)
    Exactly the point. I'd love to see that the spam I get is tagged with SPF - will make scripting and filtering the spam even easier with a way to actually track down precisely where the spam is coming from.

  • by mattdm ( 1931 ) on Friday September 03, 2004 @06:54PM (#10153999) Homepage
    Sounded more like:

    "The laws of Newton and Kepler don't explain the orbit of Mercury. This whole 'science' stuff needs to change. It was created a long time ago, and it's time to throw it all out and start with something new."

    Maybe that's not flamebait, but it is silly. Changing theories to match new data metaphorically maps very well to adding SPF to SMTP -- not to throwing the whole thing away.
  • by Prong ( 190135 ) on Friday September 03, 2004 @07:19PM (#10154188)
    You are partially correct. It does marginally increase the cost of doing business for spammers, but remember that the major spam houses have the capital to lease major bandwidth, and have for some time. Having to madly swap domains to get is only going to swamp smaller spammers with enough extra cost to kill them. The big boys are going to keep chugging along, and the big boys are the biggest source of spam (obviously).

    What I like about SPF is that as larger ISPs adopt it, I can stop worrying about accidentally filtering their domains just because of the domain name on the From: header. I'm fully aware I'm still going to have to filter, but it's nice to know that "tightvagina@yahoo.com" actually came from an authorized Yahoo mail server. Combine that with any number of rational filtering schemes, and you have a much lower false positive rate, with the bonus being that you didn't have to take the whole message from a sender who fails the SPF check.

  • by moreati ( 119629 ) <alex@moreati.org.uk> on Friday September 03, 2004 @07:29PM (#10154272) Homepage
    I never claimed SPF will be an end to spam, as long as we have the possibility of unsolicited mail some of that unsolicited mail will be unwanted (spam, malware or other).

    SPF is intended to vastly reduce spam from its current levels. If its use were widespread then all the zombies spewing out mail with forged addresses & all the open relays become much less effective.

    Basically by making From address spoofing much much harder it becomes much easier to identify spammers and stomp on them.

    We can never completely remove the incentive to spam, it's a very extreme example of the Last Mile Problem. There will always be a few morons out of the millions, who pay money for PEN!S 3NL4RGM£NT P!LL5 after receiving a piece of Spam. All we can do is reduce the incentive and increase the costs to the spammers - by identifying then blacklisting, suing, arresting and cluebatting them into the ground.
  • This is well-known (Score:3, Insightful)

    by suwain_2 ( 260792 ) on Friday September 03, 2004 @09:17PM (#10154845) Journal
    The reason? Spammers are able to publish their own records, too.

    From the moment SPF was implemented, people knew that this could happen. SPF doesn't aim to stop spam outright, it aims to HELP stop spam.

    First off, if SPF is used, it cuts out 'joe jobs.' I can't send you mail purporting to be from Yahoo through a mass mailer on my desktop, because SPF will catch it.

    I see two issues with spam:
    a.) Annoying commercial advertisements
    b.) The above, sent fraudulently

    SPF helps to cut out the second. If spammers send me spam, but do it from their own domain, it's still not hard to block them.

    No one (that knew what they were talking about) ever claimed that SPF was a cure-all for spam. All it aimed to do was make spammers stop forging their addresses. And it sounds like it's succeeding.
  • by cbreaker ( 561297 ) on Friday September 03, 2004 @09:31PM (#10154891) Journal
    There's... ohh, you know. An unlimited amount of domain names you can have. Spammer sends out a few spam "campaigns" and simply changes domain names, SPF and all.

    It won't help anything. Many of them will use stolen credit cards, or register under other false information, register 300 domains, and use them until they are blocked. Then move on.

    So the problem of scanning each and every e-mail for spammishness will still prevail.
  • Fine by me (Score:3, Insightful)

    by Sycraft-fu ( 314770 ) on Saturday September 04, 2004 @03:11AM (#10156196)
    Because it can be automated. SPAM filtering software would work as such: If a sufficient amount of messages with valid SPF data from a given domain are marked as SPAM, block the domain from further sending.

    True, this doesn't stop those initial messages, but it gets all the rest and cuts down on the number. One needs not eliminate SPAM entirely, just reduce it to a level where it's unprofitable. If software becomes good to the point that only 1 in 100,000 SPAM messages reach a person, that'll severely cut profits, making it much less attractive.

    Also if the spammers start breaking more laws like using stolen credit cards, it just increases their chances of getting busted. Every time you break the law, it's another chance you get caught. Do it all the time, it becomes almost a sure thing.

    SPAM prosecution is still new and those responsible for prosecuting it still have problems understanding how to go about that really. Credit card fraud is old hat and they are pros. Plenty of people get put away for credit card fraud. Also, usually when you get nailed for something in relation to another crime, they stack everything they can on you.

    It's not a panacea, but SPF sounds like another useful tool.
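
An added example, not part of the original thread or any poster's code: the automated domain blocking described in the comment above, combined with the whitelist / blacklist / content-filter split proposed earlier in the discussion. The class name, threshold and domains are hypothetical, and the SPF result is assumed to have been computed already by the receiving mail server.

```python
from collections import Counter

class SpfReputation:
    """Block/allow decisions keyed on SPF-authenticated sender domains."""

    def __init__(self, allowlist=(), threshold=3):
        self.allowlist = {d.lower() for d in allowlist}
        self.blocklist = set()
        self.reports = Counter()
        self.threshold = threshold  # assumed value: reports before blocking

    def report_spam(self, domain, spf_result):
        """Record a user spam report; return True if the domain is now blocked."""
        domain = domain.lower()
        # Count a report only when SPF passed: without a pass the domain may
        # be forged, and counting it would let a joe job get a victim blocked.
        if spf_result == "pass" and domain not in self.allowlist:
            self.reports[domain] += 1
            if self.reports[domain] >= self.threshold:
                self.blocklist.add(domain)
        return domain in self.blocklist

    def classify(self, domain, spf_result):
        """Return 'reject', 'accept' or 'content-filter' for an incoming message."""
        domain = domain.lower()
        if spf_result == "fail":
            return "reject"  # host not authorised by the domain: spoofed sender
        if spf_result == "pass" and domain in self.blocklist:
            return "reject"  # authenticated, and known to send spam
        if spf_result == "pass" and domain in self.allowlist:
            return "accept"  # authenticated, and trusted
        # pass from an unknown domain, softfail, neutral, none: SPF alone
        # says nothing about content, so the message still gets scanned.
        return "content-filter"


def demo():
    rep = SpfReputation(allowlist={"example.com"})
    # Constructed reports: (envelope sender domain, SPF result at receipt)
    reports = ([("bulk-offers.example", "pass")] * 3
               + [("example.org", "fail")] * 5)  # forged use of example.org
    for domain, result in reports:
        rep.report_spam(domain, result)
    return {
        "spammer, own SPF": rep.classify("bulk-offers.example", "pass"),
        "joe-job victim": rep.classify("example.org", "pass"),
        "forged sender": rep.classify("example.org", "fail"),
        "allowlisted": rep.classify("example.com", "pass"),
        "no SPF record": rep.classify("example.net", "none"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The domain whose name was forged in five reported messages is not blocked, because none of those reports carried an SPF pass; the domain that published its own records and passed SPF is blocked after three.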
