Spammers Are Early Adopters of SPF Standard
nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem won't be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."
Re:A Change Needs to be made (Score:3, Interesting)
A more reasonable change would be SMTP-TLS, employing a policy of using authorized certificates like the secure websites. This protocol is already there, but it's the wide adoption that is the problem.
SPF is an anti-forgery tool, not an anti-spam tool (Score:5, Interesting)
SPF doesn't and can't block spam.
it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.
in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.
it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.
Re:Understanding SPF (Score:4, Interesting)
And therein lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much easier to perform the following sequence:
1. I received a Spam message from domainx.com, either:
(a) sender was a verified user of domainx.com, spf records check out
(b) no spf, sender likely forged
In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
In case (b) if SPF is in widespread use for legitimate mail then the spam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.
Regards
Alex
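The sequence described in the comment above, as an added example that is not part of the original thread: a simplified SPF check (only the ip4, ip6 and all mechanisms, with records supplied inline instead of fetched from DNS) combined with a domain blacklist. The domains, addresses, blacklist and verdict names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: the TXT records a resolver would return (no DNS here).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A spammer-owned domain can publish a perfectly valid record too.
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DOMAIN_BLACKLIST = {"bulk-sender.example"}  # hypothetical local reputation list
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Simplified SPF evaluation: ip4/ip6/all only, first match wins."""
    terms = SPF_RECORDS.get(domain.lower(), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"  # a, mx, include, ... are outside this sketch
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"

def triage(domain, client_ip):
    """Case (a): SPF pass makes the domain accountable, so reputation applies.
    Case (b): no record, sender possibly forged, so score it as suspect."""
    result = check_spf(domain, client_ip)
    if result == "pass":
        if domain.lower() in DOMAIN_BLACKLIST:
            return "reject-domain-blacklisted"
        return "accept-attributable"
    if result == "fail":
        return "reject-forged"
    if result == "none":
        return "suspect-no-spf"
    return "content-filter"
```

A pass only says the sending host is authorized by the domain; the blacklist lookup is what turns that attribution into a spam decision.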
Re:Understanding SPF (Score:3, Interesting)
Blocking one form of attack will most likely mean an increase in another, or a new one entirely.
I doubt very much that SPF will be an end to spam, even if it is widespread.
People need to be taking away the incentive for spammers to bother. Would _you_ send out millions of emails if you weren't going to make any money?
This is a social problem, not a technical one.
Re:SPF is an anti-forgery tool, not an anti-spam t (Score:2, Interesting)
I have a university e-mail address that ends with @msstate.edu. But I don't live on campus, I live in the surrounding town and so am not on the msstate.edu domain. My SMTP host is nctv.com.
Right now, I can just set up my mail client to use email_address@msstate.edu and send it through nctv.com. Will SPF prevent me from doing that and force me to use webmail or something equally inconvenient?
Re:Apparently, some people missed the point... (Score:3, Interesting)
SPF will do nothing to stop, or even slow down, spam. And the more people who use SPF to whitelist, the more it will increase spam getting through.
Re:A Change Needs to be made (Score:4, Interesting)
About the only attacks that TLS would prevent would be IP spoofing. These days, that is very, very hard.
What would TLS add?
The SPF faq on Throwaway domains. (Score:3, Interesting)
Basically you end up only accepting mail from known trusted domains. If you are just starting a domain then your mail may be held up or even bounced by some users. Just as new car drivers get higher insurance so can new email domains have to pay in boun
Want to know what works? Look at who Spammers hate (Score:4, Interesting)
Fixing SMTP is like Fixing Weather (Score:3, Interesting)
The biggest things I've seen that "somebody" needs to fix about SMTP and DNS are 8-bit cleanness, and unfortunately Verisign's trying to add international domain names by radically breaking DNS for web-only use, and Unicode complicates the details of any character set support issues (not that that's a bad thing, it's just exposing the fact that the job is harder than it looks.)