Forgot your password?
typodupeerror
Spam The Internet IT

Spammers Are Early Adopters of SPF Standard 249

Posted by michael
from the doh dept.
nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem wont be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."
This discussion has been archived. No new comments can be posted.

Spammers Are Early Adopters of SPF Standard

Comments Filter:
  • by hchaos (683337) on Friday September 03, 2004 @06:06PM (#10153625)
    All we need to do is block emails from anyone using SPF or SID.
  • The point of SPF (Score:5, Insightful)

    by pikine (771084) on Friday September 03, 2004 @06:07PM (#10153631) Journal

    ... is not to block spam, but to identify the source of an e-mail. Spammers can definitely identify themselves if they so choose. I think it is still a welcoming trend.

    • by forevermore (582201) on Friday September 03, 2004 @06:46PM (#10153954) Homepage
      The point of SPF is ... to identify the source of an e-mail

      This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.

      • There's... ohh, you know. An unlimited amount of domain names you can have. Spammer sends out a few spam "campaigns" and simply changes domain names, SPF and all.

        It won't help anything. Many of them will use stolen credit cards, or register under other false information, register 300 domains, and use them until they are blocked. Then move on.

        So the problem of scanning each and every e-mail for spammishness will still prevail.
        • Number of domains spammer can use with proper SPF record Number of domains spammer is spoofing now. Therefore, learning anti-spam techniques benefit from more redundancy in spam.
        • Fine by me (Score:3, Insightful)

          by Sycraft-fu (314770)
          Because it can be automated. SPAM filtering software would work as such: If a sufficient amount of messages with valid SPF data from a given domain are marked as SPAM, block the domain from further sending.

          True, this doesn't stop those inital messages, but it gets all the rest and cuts down on the number. One needs not eliminate SPAM enitrely, just reduce it to a level where it's unprofitable. If software becomes good to the point that only 1 in 100,000 SPAM messages reach a person, that'll severely cut pr
    • by CodeMaster (28069)
      Exactly the point. I'd love to see that the spam I get is tagged with SPF - will make scripting and filtering the spam even easier with a way to actually track down precisely where the spam is coming from.

      get a free ipod! [freeipods.com] This really works... [iamit.org] 2 more gmail invites left!
    • I agree. With more spammers pretending to be themselves, then there should be less of them pretending to be us. That means that we may see less bounced messages.
  • by Anonymous Coward on Friday September 03, 2004 @06:07PM (#10153634)
    need sun protection
  • by Anonymous Coward on Friday September 03, 2004 @06:07PM (#10153636)
    Idiot. The point of Sender ID systems is to make it easy to track down spammers and enforce spam laws. Sender ID isn't meant to stop spam like spam filters or sender payment schemes but make laws enforcable.
  • by Carnildo (712617) on Friday September 03, 2004 @06:07PM (#10153641) Homepage Journal
    Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.
    • You do realize how cheap it is to register a domain, right? Unless you can RBL one in under an hour it probably won't raise their cost of doing business all that much.
      • by YankeeInExile (577704) * on Friday September 03, 2004 @06:33PM (#10153847) Homepage Journal

        Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net

        So, I suppose what I'm proposing is a distributed whitelist.

      • by Carnildo (712617) on Friday September 03, 2004 @06:34PM (#10153866) Homepage Journal
        Assumed it takes an hour to add a domain to an automated blacklist. I think it could be done in five minutes or so, but let's be generous:

        24 domains/day * 365 days/year * $12/domain = $105,120

        That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.
      • by AtOMiCNebula (660055) on Friday September 03, 2004 @06:36PM (#10153884) Journal
        But now, spammers have to invest money in what they're doing. It doesn't matter if it's much or not, but it is something. It's more than what they were paying before, so unless they don't mind cutting into their profit margins, they're going to be affected by this.

        Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.

        What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.
        • You are partially correct. It does marginally increase the cost of doing business for spammers, but remember that the major spam houses have the capital to lease major bandwidth, and have for some time. Having to madly swap domains to get is only going to swamp smaller spammers with enough extra cost to kill them. The big boys are going to keep chugging along, and the big boys are the biggest source of spam (obviously).

          What I like about SPF is that as larger ISPs adopt it, I can stop worrying about accid

          • by mefus (34481)
            already taken.
          • "Having to madly swap domains to get is only going to swamp smaller spammers with enough extra cost to kill them."

            Great! Fewer spammers is a Good Thing (TM).

            There isn't any single solution to spam. But different solutions will whittle the big problem down, bit by bit.
      • From the SPF objections page at http://spf.pobox.com/objections.html

        Throwaway Domains

        (From John Levine:) Or spammers can register throwaway domains of their own, since burning an $8 domain for a 10 million message spam run isn't much of a deterrent.

        Throwaway domains can be listed in sender blacklists which respond in real time to automated discovery methods.

        SPF needs to work in hand with reputation schemes.

        There are many possibilities. The reputation scheme most familiar to people is the DNSBL,

    • Most spam comes from spammers who are already registering domains faster than you can possibly add them to a block list.
  • by Anonymous Coward on Friday September 03, 2004 @06:07PM (#10153644)
    The principal author of SPF is Meng Weng Wong. Just one person. Doofus.
  • Wow (Score:2, Insightful)

    by FiReaNGeL (312636)
    Spammers are like viruses, they adapt amazingly fast. You thought that this new technology would hinder their 'business', but they turn it to their advantage! Oh look, a valid sender ID... i'll just open this mail, it can't be spam, right? Right?

    Oh well, at least filters are getting VERY good at catching 99% of it.
    • The point of SPF is not to whitelist servers that have it. Instead, the purpose is to not trust (and possibly blacklist) servers that don't.
      • Re:Wow (Score:2, Informative)

        by Desert Raven (52125)
        Actually, that's not the point either.

        The point is to not trust mail from domains having SPF records, where the sending server is not listed.

        Whether or not AOL *has* an SPF record is not relevant. What is relevant is that *if* AOL has an SPF record, any mail with an AOL envelope sender should come from a server covered by that SPF listing.
  • Understanding SPF (Score:5, Informative)

    by grasshoppa (657393) <`gro.oc-onpt' `ta' `ydenneks'> on Friday September 03, 2004 @06:08PM (#10153647) Homepage
    Understanding SPF as I do, I can't see how any one expected this "end the spam problem".

    It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

    But, as is stated, it's completely possible for spammers to keep their dns records updated too.

    Now, if only we could get the whois accurate. ;)
    • Re:Understanding SPF (Score:4, Informative)

      by aardvarkjoe (156801) on Friday September 03, 2004 @06:13PM (#10153699)
      You know, spammers don't just forge the sender for fun. It's an integral part of their methods of staying a step ahead of being shut down. If you can prevent them from doing it, then you make it that much more difficult to spam. (Of course, we haven't reached that point yet.)
    • Re:Understanding SPF (Score:4, Interesting)

      by moreati (119629) <alex@moreati.org.uk> on Friday September 03, 2004 @06:18PM (#10153754) Homepage
      It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers


      And there in lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much to perform the follow sequence:
      1. I received a Spam message from domainx.com, either:
      (a) sender was a verified user of domainx.com, spf records check out
      (b) no spf, sender likely forged
      In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
      In case (b) if SPF is in widespread use for ligitimate mail then the soam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.

      Regards

      Alex
      • Re:Understanding SPF (Score:3, Interesting)

        by Jane_Dozey (759010)
        But then the main symptom is probably going to change rather than go away.
        Blocking one form of attack will most likely mean an increase in another, or a new one entirely.
        I doubt very much that SPF will be an end to spam, even if it is widespread.
        People need to be taking away the incentive for spammers to bother. Would _you_ send out millions of emails if you weren't going to make any money?
        This is a social problem, not a technical one.
        • by moreati (119629)
          I never claimed SPF will be an end to spam, as long as we have the possibility of unsolicited mail some of that unsolicited mail will be unwanted (spam, malware or other).

          SPF is intended to vastly reduce spam from it's current levels. If it's use were widespread then all the zombies spewing out mail with forged addresses & all the open relays become much less effective.

          Basically by making From address spoofing much much harder it becomes much easier to identify spammers and stomp on them.

          We can never
    • My personal opinion is the spammers are using SPF as a legal tactic. They can try to disavow liability if someone accuses them of sending unwanted spam. "Did it have our SPF data? No? It wasn't us." It makes them seem reasonable and staying on the straight and narrow.

      As to whether that is the actual case....

    • It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

      Yeah, IF you got adoption, it would cut down on some viruses. But the few that forge addresses would just adapt to use an email address on the machine in question. Which, in all likelihood, will be a valid one, sent from a valid ip address.

  • by Anonymous Coward on Friday September 03, 2004 @06:08PM (#10153656)
    What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.
  • by hypnagogue (700024) on Friday September 03, 2004 @06:10PM (#10153661)
    The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this is enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.

    In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.
    • Actually, it doesn't even eliminate spoofing.

      It just limits the domains that the spoofed addresses can originate from.

      That's why I don't like SPF and hope it fails miserably. We need something stronger.

      What I'd like to see is that the SMTP server requires users to authenticate themselves to send e-mail and signs the e-mail to assert that the from e-mail address really is the address of the sender.

      For example, suppose you have an account at example.com, hypnagogue@example.com, and so do I, eric76@exampl
    • The point of SPF was not to eliminate spam, but to eliminate spoofing
      That's what I thought too, but the people pushing SPF think otherwise [pobox.com], quoting from their page:
      "What do the customers want? They want to communicate with their friends and family; and they want to not get spam. They do not particularly care if a few eggs are broken along the way."
  • by Manip (656104) on Friday September 03, 2004 @06:12PM (#10153681)
    SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.

    You can not guarantee that an E-Mail originated from the source it said it did.

    Which effectively makes black-lists useless.

    With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.

    I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.
    • But on the whole, technical solutions are just treating the symptoms. There is only one, and one only way to remove spam, and that is to make it illegal. Its a DDOS on an essential communication medium; so put the Patriot act to some good use and have it labelled "terrorism", the very same as if some group hijacked a TV station.

      Having done that, follow the money trail, which should lead directly to the spammers and their (often unsuspecting) clients. They have to store the money in a bank account somewher

  • SURBL SPF (Score:2, Informative)

    by DBA_01123 (770195)
    I have found SURBL - Spam URI Realtime Blocklists to be pretty effective the last while. While everything else is forged and loaded with junk text the actual links back to spammer web pages have to be at least partially valid.
  • by Mateito (746185) on Friday September 03, 2004 @06:12PM (#10153686) Homepage
    ... to declare open season on spammers.

    "What good is Viagra if you .. have no balls... .. fucker"
  • by smartin (942) on Friday September 03, 2004 @06:12PM (#10153687)
    I actually tried to set up SPF for my site this morning after reading another /. article. Turns out my DNS provider does not support TXT records and gave no indication of a willingness to do so. If it turns out that SPF and some other combination of technologies will prevent me from getting spam as well as prevent my email adress from being spoofed as the From: address on spam sent to others, i guess register.com is about to lose a customer.
    • Send them a question on it, via the website. If enough of their customers do this, maybe they will make a change. (I a register.com customer as well, and just sent off a question on it.)

    • Hmm. Sounds more like your "DNS Provider" doesn't support a way for you to put TXT records in place. The actual DNS software itself WILL support TXT records unless it is the worlds most bizarre DNS software :-)

      Move your DNS to someone like www.xname.org who support the whole lot, and the service is free (supported by donations)

      This doesn't mean you have to change your REGISTRAR, just where the DNS is delegated to for your domain.
    • I had my couple of domains at register.com which increasingly sucked. This was the last straw, and I finally switched over to pairnic [pairnic.net] and I've been much happier. Although I haven't gotten around to setting up SPF yet, they *do* let you set arbitrary TXT records.
    • Use Easydns. They've provided an interface for SPF for months. I've used them for 3.5 years and been very happy. Not the cheapest, but very reliable and good customer service.
      • Seconded... Since I have static IP but don't really want lookups being done over DSL, I've been using their secondary-only service, not listing my primary in the gtld-servers or NS records. Secondary is reasonably priced and working very nicely (support for bind notify or web-based reloads) - and of course in this case, as they're just doing a zone-transfer you can have whatever records you like. I used to use their more expensive web-based service which I was happy with too - I'd highly recommend easydns.
  • by Otto (17870) on Friday September 03, 2004 @06:13PM (#10153700) Homepage Journal
    If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.

    That was the entire point.

    In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.

    There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.

    The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.
    • Heh, so when a spammer has a SPF record that states the IP sending the spam (some Chinese proxy) is valid, what will that get us? Proof that they really are sending it from China?
    • Spammers already use automated systems to sign up for dozens of domain names at a time, using fake contact info. Nothing can be done about that, because the after life of a spam domain is less than the time it takes to detect the bogus contact info anyway. And the whole thing likely operates through a zombied proxy, making it impossible to track down the real point of origin. Add in a stolen credit card number (spammer would never do something criminal, would they?), and you have a system where adding in SP
  • by Dirtside (91468) on Friday September 03, 2004 @06:14PM (#10153707) Journal
    Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam.
    Wung, on the other hand, claims that a variation of SPF will eventually win the day, while Wing, yet another researcher, believes that any acronym that can be confused with sunscreen will inevitably fail. And someone named "Wang" would like you to know that you can increase your penis size by 20% in just 2 hours!
  • ... that there's finally a broad consensus about standards adherence.
  • by cas2000 (148703) on Friday September 03, 2004 @06:15PM (#10153727)

    SPF doesn't and can't block spam.

    it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.

    in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.

    it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.

    • Wait, wait. SPF prevents you from sending an email from one domain with a different @domain.com?

      I have a university e-mail address that ends with @msstate.edu. But I don't live on campus, I live in the surrounding town and so am not on the msstate.edu domain. My SMTP host is nctv.com.

      Right now, I can just set up my mail client to use email_address@msstate.edu and send it through nctv.com. Will SPF prevent me from doing that and force me to use webmail or something equally inconvenient?
      • That's up to the DNS admins of msstate.edu. Their domain, their sender policy. SPF merely allows them to express it in a way that remote MTA's can parse and check.
      • There's a solution (which I use for my domain): msstate.edu's mail servers need to turn on authentication (hopefully with SSL), and allow your mail to be relayed if it is authenticated.

        Then tell your mail client to route all mail through smtp.msstate.edu (or whatever their SMTP server is running on), and presto! The outside world will see mail come from an SPF-authorized msstate.edu mail relay, with an @msstate.edu sender.

        Now, if msstate.edu turns on SPF and *doesn't* turn on something like this, then rig
  • this means that the common dream of SPF or SID clearing up the spam problem wont be coming true.
    Argh! It's not meant to stop spam. It's meant to stop joe-jobs.
    • SPF is not an effective anti-joe-job mechanism either. I have posted analysis (very negative) of SPF's anti-spam and anti-joe-job capabilitites to Slashdot before.

      The reason SPF isn't good at anti-joe-jobbing is that there is no trusted map for users between a domain name and a company identity. If I send an email from @boa-international.com or @bankofamerica.banknetwork.com, end users won't consider the fact that it doesn't come from @bankofamerica.com. SPF is fundamentally tied to domain names. Furth
  • The only real way to combat spam is to also stop sites and spammers from selling email addresses to each other. If the spammers don't have their most precious commodity, they can't spam.

  • by coyote-san (38515) on Friday September 03, 2004 @06:25PM (#10153802)
    There are four separate "spam" problems:
    • Unsolicited but legal mail from a legitimate mail server
    • Unsolicited mail (legal or not) from hijacked systems, open mail relays, etc.
    • Viruses
    • Fradulent mail

    SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.

    As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phisher's lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss of Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.

  • How could anyone possibly have thought SPF would reduce spam in any way?

    No system that is under the technical control (like SPF) will reduce spam, since the spammers will simply comply. In the case of SPF, all the need do is add in a new section to the script they use to automate signing up for dozens of new domain names at a time, to add the SPF records. (These scripts already add in the other DNS records, so this is trivial.)

    And no system that is under the control of someone other than the domain holder
  • First, the two quoted experts are Weng and Wong. If somebody posts that they both work at Wang, I am going to scream.

    Second, I'd have thought that it would be obvious that trivial authentication would be useless. It's like using the existance of an X.509 certificate as proof that a site is genuine, notwithstanding that anybody can download a roll-your-own certification program and generate their own.

    Third, it's ironic that corporations (who lose millions, if not billions, to fraud each year) aren't the

  • The only reasonable spam solution is email acceptance rate limits by the major email routers.

    A zombie PC will rapidly move from a low emmission of emails to a much more rapid rate. If the upstream email routers rate limit email transmission based on historical information you strangle the spam at source.

    Spam isn't eliminated, but it's seriously limited hopefully to the point where it is
    unprofitable.

    All other methods do not address the major characteristic of spam, the large number of emails and the very
  • But that's the point isn't it! Its to stop spammers hiding behind faked addresses. If they publish proper SPF records then the spammer black list catches them.

    If they fake their address to a domain publishing SPF records then the SPF check fails and the message gets flagged for aggressive filtering them.

    Either way they're screwed.

  • Let me explain this (Score:3, Informative)

    by Trailer Trash (60756) on Friday September 03, 2004 @06:43PM (#10153928) Homepage
    Two of my domains are used in the from address of spams, to the point that I often get thousands of bounces per day. This is the "reward" for years of turning spammers in and getting them tossed from their ISP's.

    These sender id schemes won't stop spam at all. It's easy for a spammer to modify his dns to show the correct records and allow him to send.

    But, here's the thing: HE DOES IT TO HIS OWN DOMAIN. We can then blacklist his domains and force him to keep coming up with new ones. Whack-a-mole, yes, but at least the "moles" aren't at legitimate domains.

    You can complain all you want about how this isn't going to stop spam. Maybe it won't for you, but it will cut down the worthless junk hitting my mail server.
  • by Titusdot Groan (468949) on Friday September 03, 2004 @06:44PM (#10153934) Journal
    SPF was not, by itself, intended to stop spam. It was intended to stop spoofing and phishing (ie. somebody claiming to be from Citi Bank asking you to update your info).

    However, once SPF is adopted it allows several things:

    1. Whitelisting of well known domains that use spf (eg. ge.com, ibm.com, etc)
    2. Blacklisting of well known spammers who use spf (ie. workable rbls)
    3. More aggressive spam content filtering of everybody who isn't using SPF -- after all you've whitelisted a LOT of the important people already.

    I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.

  • Then comes the blacklist of senders, so spammers can't send emails as joe@microsoft.com and instead have to send emails as joe@viagra4less.com and then you can just block viagra4less.com :)
  • Porn is always at the cutting edge of every media. Quite a bit of the spam is for porn so it is no suprise to see spammers adopt a standard before most everyone else.
  • The power of SPF is not in it's ability to authenticate senders, but in a domain owner's ability to specify who is allowed to send mail from their domain.

    If you accept without question mail from SPF verified senders, you're just asking for trouble. There's not and has never been anything in the SPF standard the recommends this practice.

    However, If you reject mail based of the SPF records of the sending domain, you can make a difference. If ticketmaster.com does not want mail sent from anything but their
  • by drwho (4190) on Friday September 03, 2004 @07:06PM (#10154092) Homepage Journal
    The number of idiotic posts here is just another example of the declining clue of slashdot users. SPF is an attempt to prevent email forgery. Lots of spam is forged, in an attempt to get by filters. More serious trouble is caused by various 'fishing' schemes, trying to get your bank account/credit card numbers by appearing to be from paypal ,etc. SPF will address the forgery of host &domain names. It does not address the problem of forged user IDs (though this is less of a problem than you may think, if the domain is legit). It does not address the idea of unwanted mail.

    Anyone with clue can see this is another tool in the toolbox. Each piece of incoming mail is ranked with a score indicating its probability of being spam. SPF, whitelists, bayesian filters, being in html, coming from china, etc affect the score. There's no magic bullet to stop spam.

    Anyone who has spent time as a systems admin of a mail server, should know this.
  • Spam is here to stay. You cannot stop it. I've been an avid user of email and the Internet for years now and ya' know how much spam I get in my mailbox? 4 or 5 messages per day. And these only blink in my inbox as Thunderbird (or Outlook with SpamBayes) quickly relegate my spam to my junk folder. Every email that ends up in my inbox is legitimate email that I want to receive. And even if it's not, one click and it's gone and my filter just got smarter.

    Yes, this doesn't cut down on the congestion on the int
  • by burtonator (70115)

    Spammer Promoted First :)
  • by DreadSpoon (653424) on Friday September 03, 2004 @07:47PM (#10154385) Journal
    SPF is only the first step. It's purpose is to authenticate that the sender is who they claim to be. Nothing more.

    This primarily helps in two ways: first, it helps fight off certain kinds of social attacks. E-Mail can't claim to be from your bank; if it does, the MUA would display a big warning box stating the mail appears to be forged.

    Second, it guarantees that people can't spam or send viruses using your domain name. The spammers have to (just as the article says) identify who they are; they can't claim to be someone else.

    So no, obviously, that doesn't stop spam. It might block certain kinds of (soon to be obsolete) spam. You no longer have to blacklist all of aol.com, for example, since only real AOL users could send mail from @aol.com if we all used SPF.

    This does, however, make it possible to do *MUCH* more accurate RTBL (Real Time Block Lists). The spammers have to identify themselves; once you have their identity, block all their mail. You got spam from @spammer.com? Block spammer.com. The guy at spammer.com can't pretend to be anyone else, so you've got him successfully blocked. Sure, he can register multiple domains, but with a good RTBL that isn't too much of a problem. Good RTBL already block most of the registered spammers - SPF makes their job easier since all spammers will be identifiable.

    Mix SPF with a RTBL service and you *will* see a massive drop in spam. Over 80% of all incoming connections to my mail server are now blocked; most of the stuff that does get through is legit (lots of large mailing lists and traffic).
    • Yes, I agree tat something must be done. No, I don't agree that should be an argument to allow submarine patents to become a fundamental part of the core Net infrastructure - that will go a big step to creating the exact have/have not divide we've been trying to prevent. The same problem exists with payments - how are you going to make sure such a payment does not encumber nations with low GDP from sending normal messages?

      And no, I don't have any answers either other than RBL + greylisting seems to be a
  • We need a micropayment scheme for email. Friends in your contacts list (whitelist) send for free, unknowns get autocharged a minimum (like $0.01), blacklisted spammers get charged more (like $5.00). Putting the payment into the authentication transaction between servers will let us continue to use the same client software, with upgrades only to servers run by admins.

    That system will discourage spammers, who get us to pay for their abuse, but would have to pay more than their low-yield spams are worth, acro
  • If SID is supposed to be the Caller ID of email, then isn't spammers adopting it a GOOD thing? Doesn't that mean that somebody can create a list of the SIDs of spammers, providing a super-effective spam filter for a mail server that only accepts SID identified mail?
  • Thats no so surprising really. At best, SPF and other technical solutions can buy us some time while the spammers catch up, but they aren't the silver-bullet that their designers make them out to be. Even the RBLs and bayesian filters only go so far to cure the problem. Such systems only buy us time - in this case maybe 6months or up to a year, as the spammers catch up to the technology and find ways to avoid it. Bear in mind that these people are very well-funded and therefore highly motivated.

    With the ab
  • This is well-known (Score:3, Insightful)

    by suwain_2 (260792) on Friday September 03, 2004 @09:17PM (#10154845) Journal
    The reason? Spammers are able to publish their own records, too.

    From the moment SPF was implemented, people knew that this could happen. SPF doesn't aim to stop spam outright, it aims to HELP stop spam.

    First off, if SPF is used, it cuts out 'joe jobs.' I can't send you mail purporting to be from Yahoo through a mass mailer on my desktop, because SPF will catch it.

    I see two issues with spam:
    a.) Annoying commerical advertisements
    b.) The above, sent fraudulently

    SPF helps to cut out the second. If spammers send me spam, but do it from their own domain, it's still not hard to block them.

    No one (that knew what they were talking about) ever claimed that SPF was a cure-all for spam. All it aimed to do was make spammers stop forging their addresses. And it sounds like it's succeeding.
  • by humankind (704050) on Friday September 03, 2004 @10:44PM (#10155263) Journal
    If you want to know what method works, look at what Spammers are doing. Look at which systems (i.e. osirisoft, spamcop, spamhaus) the spammers are attacking. They are almost exclusively launching attacks at the relay blacklists. This is because this is the one method by which they are SHUT DOWN. Forget legislation. Forget all the other efforts. RBLs work. The next generation is to go from relay blacklisting, to relay-whitelisting.

...when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. - Fred Brooks, Jr.

Working...