Lead Developer of SPF Anti-Spam Scheme Interviewed 214
penciling_in writes "CircleID has a great two-part interview with Meng Wong, lead developer of the anti-spam authentication scheme Sender Policy Framework (SPF). He has responded to various questions (which also touches on issues previously raised by Slashdot folks), including the merger with Microsoft's Caller ID, incompatibility of SPF with email forwarding services, and what he thinks about Yahoo's DomainKeys, as well as where he believes the fight against spam is headed. (He has also confirmed that the name SPF and references to sunblock are intentional!) In response to the first question in the interview on how SPF got started, Meng says: 'In 2002 Paul Vixie, the brains behind BIND, wrote a short paper titled 'Repudiating Mail-From'. That inspired two other proposals, 'Reverse MX' by Hadmut Danisch and 'Designated Mailer Protocol' by Gordon Fecyk. In late 2003 I combined the best of both proposals and called the result SPF.' Vixie replies to this reference in comments following the first article."
If I got $0.01 (Score:3, Funny)
SPF (Score:5, Informative)
the recipient checks that the sender has authoritiy to send out email for the domain, i.e. if you send an email from whatever.com via SMTP server 123.123.123.123, the recipient checks that 123.123.123.123 has the authority to send email for whatever.com by checking it's SPF record (which similar to an ordinary DNS record).
So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?
Re:SPF (Score:3, Informative)
When SPF discovers that a domain doesn't have an SPF record, it returns a code that says just that. The recipient chooses what to do next. So it is conceivable that once SPF uptake is near universal, some people may choose to reject mail from domains without a record. However, that's some way off yet.
Re:SPF (Score:5, Informative)
However, right now, if someone claims to be "@stonehenge.com", and sends that mail from somewhere other than the machines from which such mail should originate, any SPF-checking-recipient will rightfully reject such mail. That's because I took about five minutes to add the right SPF record to my server.
SPF is not a comprehensive solution. It's merely a solution to help us from getting joe-jobbed, having spam "appear" to come from us. Until you voluntarily add SPF records for your domain, you will continute to get joe-jobbed unknowingly.
Re:SPF (Score:3, Informative)
Also, many people use a different e-mail address from their ISP but are forced to route their mail through their ISP's SMTP server. How would they get around SPF?
Re:SPF (Score:4, Informative)
some of them have my work from-address. Wouldn't this system obstruct that?
Only if you don't send them through your job email server
Also, many people use a different e-mail address from their ISP but are forced to route their mail through their ISP's SMTP server. How would they get around SPF?
Tunneling / Adding your ISPs mail server to your works SPF info / Asking your ISP nicely
Re:SPF (Score:2)
Your ISP can't do a thing about what senders are valid for your work email address.
The real solution is to convince your work of the need to be able to send from other addresses and get them to end their SPF record with ?all (neutral) instead of -all (hard fail).
Re:SPF (Score:2)
You can't do this if your ISP is blocking port 25 out and forcing you to go through its own mailrouters.
See the last paragraph of the post you replied to, and add the option "Changing ISP"
Re:SPF (Score:3, Insightful)
Re:SPF (Score:2)
You should be VPN'ing into your work LAN and sending the work e-mails via your employer's SMTP server. If you're officially working from home, then the company is responsible for making sure that you are able to do so. (Such as being able to send e-mail out as an agent on behalf of the company.)
But that's only if your employer publishes restrictive SPF records for their domain. If they choose not to publish, well, nobody is forcing them to. Your company j
good luck with that (Score:3, Insightful)
my webmail [fastmail.fm] rightly lets me send with whatever From: field I choose
So I can emailwise be both at work and at play from the same webmail
for spamming from a zombie (with an IP of 111.222.123.124)
From: zombie@111.222.123.124
Subject: Stop spam now!
or it wouldn't be too much trouble to look up the MX record of 111.222.123.124 and set an appropriate From: header accordingly
This scheme is as temporary as any other and it also prevents me from sending mail with my own computer, I will have to route my mail thro
Re:good luck with that (Score:5, Interesting)
What's your problem with doing that? If you're coming from DSL, cable, dialup, or some other residential service then you should be relaying through your ISP and your ISP should be blocking outbound port 25. It doesn't hurt you to relay through an additional hop and add an additional 5 seconds to your e-mail. If your ISP introduces intolerable delay then find a new one or complain that their service is unacceptable. If you're worried about relaying SSL mail to work for business purposes so you can post with your @work.com address then you should be using port 465 (smtps) anyway with authentication to connect to your work's mail server, authenticate via cram-md5 or even just a password so it opens relaying for you and then out you go.
Re:good luck with that (Score:2)
I have 4 accounts at different domains set up in Mozilla, and use different addresses to send depending on which account the mail is relevant to. But Mozilla only lets me specify one SMTP server. See the problem yet?
Re:good luck with that (Score:2)
Moron. (Score:2, Insightful)
Re:Moron. (Score:2)
It's a start. (Score:2)
Re:It's a start. (Score:3, Informative)
Most domains out there are defaulting to "neutral" or "softfail" as the default in their SPF records for now until sites that do mail forwarding or web mail (preserving the original envelope FROM address) implement SRS [pobox.com]. If you have fairly solid control over where mail from your domain comes from
Re:It's a start. (Score:2)
Wayne Schlitt
So you can fail any mail with non-matching spf. Individuals will get bounces if using old-style unix
Re:It's a start. (Score:2)
Re:SPF (Score:2)
Agreed.
It's merely a solution to help us from getting joe-jobbed, having spam "appear" to come from us. Until you voluntarily add SPF records for your domain, you will continute to get joe-jobbed unknowingly
No. SPF does not even do this. For this to happen, the following must occur:
(a) The user must be able to know that email that originates from a server is trusted in content. SPF cannot do anything below domain granularity. If a machine on an "authorized-to-s
Re:SPF (Score:2)
Re:SPF (Score:5, Informative)
Yep, that's right
So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?
Nope, that's wrong.
Messages only get rejected when a SPF does exist for the claimed domain and the MTA transmitting the message is not a valid sender for the claimed domain. Messages are NOT rejected simply because the claimed domain fails to publish a SPF record.
If you do not publish a SPF record, no messages claiming to be from your domain get rejected. This is true today, and it is likely to remain true even after SPF is widely deployed.
Of course, if you have a domain name, it is certainly in your best interest to publish a SPF record. Well, that is if your all email transmits from certain servers or one of the many other very flexible ways SPF's syntax can specify. Publishing a SPF record is the only way you can cause SPF-aware receivers to reject messages that claim to be from your domain, but are actually forged by spammers, virus programs, phishing scammers, and so on.
Re:SPF (Score:2)
Re:SPF (Score:2)
How is this supposed to stop spam, then? The spammers will simply make sure they
Re:SPF (Score:2)
Here's a overly simple example:
Assume all mail gets bounced with a score over 5.
Email Text:
Buy some Herbal Viagra (tm) at http://scam.artist
-----------
Keyword 'Viagra' +5
Valid SPF record -2
Total score: 3
Keyword 'Viagra' +5
No spf record 0
Total score: 5
Keyword 'Viagra' +5
Invalid SPF record: +10
Total score: 15
Re:SPF (Score:2)
Re:SPF (Score:2)
In that case, there is an unfair penalty to those of us who can't use SPF, and we risk getting our legitimate email blocked. Which makes me question whether this is really an altruistic effort from Meng Wong and Microsoft, or just a method to capitalize on the spam problem, proposing a solutio
Re:SPF (is not an anti-spam scheme) (Score:2)
Simply put, it won't stop spam. (There, I've said it.)
It's not supposed to. The goal of SPF (and the other reverse-MX proposals) is to allow a domain owner to put a dent in joe-jobbing by whitelisting all of the mail servers that are authorized to send e-mail on behalf of the domain. As a mail admin, it lets me say: "Don't bother accepting any e-mail purporting to be from my do
Re:SPF (is not an anti-spam scheme) (Score:2)
That won't help the Joe much, when the MTA's block a message due to the SPF, an
Re:SPF (Score:3, Informative)
Yes, it is very flexible, with many other alternatives.
like digital signing with a hidden key whose pair is regestered in the DNS?
This isn't an option, but there are many alternatives [pobox.com].
Firstly, you must own a domain name. If you don't have a domain name and you're sending email using someone else's domain name, you need to contact the adminstrator for the domain you are using.
Let's assume you have a domain name
ok... (Score:2)
Re:ok... (Score:2)
- + pass
- ? neutral
- ~ soft-fail
- - hard-fail
Facist admins could still theoretically block neutral, but SPF is not intended to be a full spam blocking system, all it should do is reduce the load on the server by doing less checks on "pass" and blocking "hard-fail", and treat "soft-fail" as already probable spam at the start of other spam checks.Re:SPF (Score:3, Insightful)
For the foreseeable future, if you don't publish SPF, your email will still work. But if you do publish SPF, you help prevent forgery of your domain's name by spammers, people doing "joe jobs" to get you in trouble, and all the damn virus and worm email lately that pretends to be from you
Re: (Score:2)
Re:SPF (Score:2)
Will Silly sPam Fighter help then?
I say we need to have a no-email week. Send everything to dev/null.
The only way to deal with spammer is by forcing the government to hand out 10 year prison sentences for spammers. Send 1000 emails in one day, go to jail.
First offense: Letter in the mail.
Second offense: a visit by 2 FBI agents.
Third offence: get a lawyer and some K-Y jelly, yo
Re:SPF (Score:2)
This is another thing wrong with SPF.
For a protocol to work on the vastly disorganized and chaotic Internet, it needs to work when members are not fully compliant with the protocol or are acting oddly.
SPF is much like the existing massive effort to try to stop open relays (which has been going on for a long time and clearly has not stopped spam). Both methods are predicated on being able to make everyone fully and correctl
Why do I need a Microsoft license for this? (Score:5, Insightful)
IANAL, but the text of this agreement seems to indicate that this implementation license applies to any products that "implement and are compliant with" Sender ID (section 1.2), and that Microsoft may subsequently terminate the license (section 3).
Anybody familiar with this? Is there a RFC for Sender ID?
Re:Why do I need a Microsoft license for this? (Score:3, Informative)
See the RFC background reading [pobox.com] page for links to SPF RFCs. To the best of my knowledge there is no SenderID RFC yet.
In the mean time (and it may be some time), it is advised that SPF records are published since Microsoft has agreed that SenderID will be back compatible with such records.
Re:Why do I need a Microsoft license for this? (Score:5, Informative)
IANAL either but SPF predates Sender ID and the details were made public without licensing requirements. Therefore, I'm pretty sure that most jurisdications won't require you to have a license from Microsoft or anybody else to implement SPF.
Remember, there are already over 20,000 domains publishing with SPF plugins for the major MTAs. Just pop over to pobox [pobox.com] for details.
Re:Why do I need a Microsoft license for this? (Score:4, Informative)
While it's not a RFC yet and nothing has been finalized, here's the latest on the subject in terms of a draft submitted by both Wong and MS:
http://www.ietf.org/internet-drafts/draft-ietf-
Some related documents:
http://www.ietf.org/internet-drafts/d
http://www.ietf.org/internet
http://www.ietf.org/internet-d
As for why you'd need a license for this, it may the case that MS has a number of pending patents on the concept (orginally termed Caller ID) and the license mentioned prior is meant to assure people that if this makes it out there as a standard, they will have a license to practice with having to pay royalties. How much trust can you put in that
Locate the servers off-shore instead (Score:3, Interesting)
Rather than give tacit support of software licenses to Microsoft (or anyone else), I'd rather just locate my DNS and mail server overseas, in a sane regime that doesn't recognize software patents,
Vixie: SPF will not slow spam (Score:4, Insightful)
Paul Vixie's comment:
I'd have to disagree with Paul Vixie here. Most of the spam today comes through compromised home machines on a broadband line. Of course, spammers could include the zombie they're using in their SPF record and use their own domain in the "Purported Return Address", but that would make them so traceable that they might as well spam from their own systems.
So I'd definitely disagree that SPF/SenderID will not discourage spammers. It will certainly discourage the worst of them: the guys who don't want to be found out.
Re:Vixie: SPF will not slow spam (Score:5, Informative)
Without SPF, you don't know who your email is really from so you can't do domain based reputation.
FOAF-based reputation system (Score:2)
That's interesting! I'd like to plug two bug reports of mine (I wish I had time to hack, but I haven't). Friend-of-a-friend [foaf-project.org] makes great start for a reputation system, at least for whitelisting people you know well.
So, I there's a Spamassassin bug [spamassassin.org] on this, and it has generated some interest.
Now, the problem is to generate
Re:Vixie: SPF will not slow spam (Score:2)
Yes, but with SPF, a spammer just has to register plenty of disposible domains, and have a bare-bones DNS server running. Then, the spam gets through, and it's always comming from a different domain...
Re:Vixie: SPF will not slow spam (Score:2)
Very, very little. And you can use each one to spam a LOT of people.
Anyone with a brain. No domain would have the opportunity to get a good reputation if you don't let the first few emails get through.
And, if you are operating on a whitelist, you're not really using e-mail. E-mail is supposed to allow you to be contacted by people who haven't contacted you before... Whitelists make email almost com
Re:Vixie: SPF will not slow spam (Score:2)
Re:Vixie: SPF will not slow spam (Score:2)
Additionally, even a live check will only work if somebody has already classified it as SPAM... Surely people aren't checking their email every minute, and even if so, probably not individuals that you "trust", so I still believe a lot of spam can get through before there's time to block it.
Re:Vixie: SPF will not slow spam (Score:2)
SPF is the least trustworthy of the the current Big Three domain authentication schemes -- DomainKeys is ahead. None of them are particularly great authentication schemes, especially since all of them are limited to domain-level granularity (one machine with an authorized IP at a company gets compromised, outsiders have to ban the entire company's domain, rather than just the sending key).
Basically, it's aw
Re:Vixie: SPF will not slow spam (Score:2, Informative)
But usually those zombies connect directly to port 25 of the recipient's SMTP server. That would be prevented by SPF if the sender domain doesn't include the zombie machine's IP in its SPF record. If the zombie is actually using the user's proper (sender) domain and sending through the ISPs mail server, then SPF doesn't help directly, but it gives the ISP the power to simply monitor what is sent and shut the zombie down if s
Then SPF contributes nothing. (Score:2)
If the zombie is actually using the user's proper (sender) domain and sending through the ISPs mail server, then SPF doesn't help directly, it gives the ISP the power to simply monitor what is sent and shut the zombie down if spam is being sent.
So, SPF contributes nothing. ISPs already have the ability to monitor their clients for spam and shut them down. It also shows that Vixie is not correct about the only benefit he sees for SPF, prevention of d
Re:Vixie: SPF will not slow spam (Score:2)
As more people add them, the chances of a un-spf'd domain being spam increases yet more, so we can weight it t
Re:Vixie: SPF will not slow spam (Score:2)
Confused (Score:5, Interesting)
OK, I'm worried; unless I've completely missed something here, it seems as though the 'little guy' could get hit quite badly by SPF.
Let me explain; my domain is handled by a hosting provider here in the UK. Because I don't have a static IP address (and also because I don't want the hassle of handling a publicly visible SMTP server), I've set up a single mailbox with the hosting provider that acts as a catch-all account.
Locally, behind my firewall, I use fetchmail to retrieve the contents of this account, and I use qmail to distribute the mail into various IMAP folders; naturally I'm also using ClamAV and SpamAssassin as well.
All well and good, but the problem is that my domain hosting provider does not allow SMTP relay *at all*. Therefore, I use the SMTP relay service provided by my ADSL provider.
Obviously, neither my local qmail system nor my ADSL providers' SMTP relay will be listed in any SPF records; how will I be able to carry on locally managing my mail without automatically being rejected by SPF-aware mail servers?
Re:Confused (Score:2, Informative)
If the DNS provider for your domain doesn't enable you to publish an SPF (needs a 'txt' record), you'll need to ask them to, or change providers. But something tells me the laggard will quickly figure it out, since SPF is nearing critical mass.
Re:Confused (Score:2)
Re:Confused (Score:5, Insightful)
1) If your provider's SMTP relay isn't listed in an SPF record, then it will still work (for now) until people start saying "i only accept mail from servers with valid SPF authentication".
2) When that day comes around, you can publish your own SPF info for your "vanity" domain using the sfp include syntax and pointing to your provider - basically saying "whoever can send mail for my provider's domain can send mail for my domain as well"
Re:Confused (Score:2)
I think they are saying they want you have to rewrite your headers in a sane way this part is callerID and you can use SRS workaround
meanwhile in the REAL world...
as far ass I can see SPF is going to be extra work for ISP and host providers
your hosting provider is going to have to provide a SMTP server that you can post msg's through and make it secure (via SSL etc so you dont send passwd plaintext)
AOL love this because they have very few m
Why not everyone use PGP ? (Score:5, Interesting)
if you are going to HAVE to use ESMTP why not add the ability to look up public key for domain ?
if you are doing the domain why not query for user ?
finger server or in DNS record ?
is this in the spec ?
in the future then everyone can use weak crypto for emails and not send everything plain text
(speak to the person in internet cafe or bussiness and they dont understand that their msg is transmited plaintext and maybe through other peoples servers who may or may not read the email )
it would be nice to say we thought of providing keys but people dont have to use them...
regards
John Jones
Re:Why not everyone use PGP ? (Score:2)
If thats not enough for you, what would happen if a virus started sending out illegal material and someone had signed it with your key?
Re:Why not everyone use PGP ? (Score:3, Interesting)
One issue that comes to mind is that signature verification is relatively expensive. Another is that it's fragile: regular PGP users often see their signatures fail to verify because an MUA changed the line wrapping. I think we need a standard for canonicalizing messages before hashing, but that's just my opinion.
"If you think cryptography can solve your problem, then you don't understand your problem an
Re:Why not everyone use PGP ? (Score:2)
Because it's a pain in the ass to use. You ever tried it? The only client I've seen where it's remotely usable is mozilla+enigmail -- even mutt has serious issues.
For PGP/GPG to be widely used, major clients must:
* Support automatic key downloading.
* Support automatic encryption/signing (*not* having to manually do so on a per message basis or copy/pasting or hitting a special key to decrypt)
* Supp
Re:Why not everyone use PGP ? (Score:2)
So zombies reply they send it. Big deal.. (Score:2, Insightful)
He won't know why his box is just a bit slower than usual. Soo he thinks DSL is all bull because is hardly faster than his ol' dial-up.
Get a thousand zombies sending a hundred spam a minute and you see that its not so tough to send a hundred ACK signals as well...
Potential end result: 1,440,000,000 spams/day from ONE infected net.
Go after the spammer's clients instead. Spam and you get jail time and a whopping big fine, paid locally, regardl
Re:So zombies reply they send it. Big deal.. (Score:2)
I'm not certain that I understand your point.
SPF states that the DNS server of the sending domain says who is permitted to send mail. Unless spammers' zombie machines are DNS servers, they'll never get a chance to reply that they sent the messages or send ACK signals or anything of the sort.
Going after the spammers' clients is a good idea, but there's also value in pursuing technical solutions such as this.
Crypto - the magic fairy dust (Score:5, Insightful)
For a moment, neglect the high costs, complexity, worldwide legality and PKI problems of crypto, which are all solvable at some cost. They aren't the fundamental problem.
Strong authetication answers the question:
That's a very nice to know if you need to place a high level of trust in the message, such as correspondance from your bank. Today email is virually worthless (in the absence of PGP) for trusted messages.
Saddly, the answer to this question is not valuable for filtering out junk. The question that needs to be answered instead is:
PGP does not answer this question. Neither does Yahoo's DomainKeys. There are many circumstances where the signature can not be verified. You can not use the failure to verify a PGP signature as a reliable means to filter out junk.
SPF and MS Caller ID are designed to answer this second question reliably enough to discard forged messages. They answer this question for all domains that publish SPF records (aol.com, gmail.com, etc) regardless of whether SPF is widely adopted by the rest of the world.
When the claimed domain published a list of designated senders, and the sending MTA's IP number isn't among them, you can be certain the message is a forgey and discard it (or close the connection before the data phase, saving bandwidth).
PGP and other crypto signature schemes simply do not deliver this ability to detect forgey. They only detect authenticity.
Re:Crypto - the magic fairy dust (Score:2)
Ashcroft and others won't be happy with this. Of course, PKI/PGP/... can be used in non-encryption mode only to sign messages. BUT, they can also be used to encrypt. As soon as this kind of software is ubiquitous, wiretapping would be much more difficult for the NSA [nsa.gov] and other agencies.
Re:Crypto - the magic fairy dust (Score:2)
With SPF success, the mail is accepted as usual, and with SPF failure, the message is (I assume) bounced. Correct me if that's incorrect.
With PGP success (veri
what a load... (Score:3, Insightful)
ever heard of key signing ?
so you end up with a web of trust...
SPF and Caller ID are a solution until you end up sending emails from your outlook automatically...
oh wait thats been done before
OpenPGP and email clients that support it, go a long way to solving the problem i.e. set your boundrys
I trust bob
bob trusts jane
jane trusts bart
bart trusts lisa
so I think that I want only 3 degrees and everyone else has to tell me via phone fax and friends they want to email then I trust them and their friends..
Re:Crypto - the magic fairy dust (Score:2)
A lot of us are arguing that strong crypto is *necessary*, not that it is *sufficient* on its own.
For a moment, neglect the high costs, complexity, worldwide legality and PKI problems of crypto, which are all solvable at some cost.
The high costs? How many, exactly, CPU cycles would you spend to avoid bandwidth from spam?
Worldwide legality? Get real. Rus
Re:Crypto - the magic fairy dust (Score:2)
PGP does not answer this question. Neither does Yahoo's DomainKeys. There are many circumstances where the signature can not be verified. You can not use the failure to verify a PGP signature as a reliable means to filter out junk.
SPF and MS Caller ID are designed to answer this second question reliably enough to discard forged messages. They answer this question for all domains that publish SPF records (aol.com, gmail.com, etc) regardless of
Too early... it so sad. (Score:2, Insightful)
I am not convinced that SRS does not introduce ugly bugs, which enables spammers to circumvent SPF alltogether.
Specifically I think SRS can as easily be forged as mails can be forged today, as noone hinders you to fake a forward which hasnt taken place in t
Please RTFFAQ (Score:2, Informative)
A lot of very smart people just like you have spent a lot of time thinking through the problems. Much of their thinking is captured in essays and FAQs available online.
http://www.libsrs2.org/docs/
Has anyone actually SEEN a zombie spamming PC? (Score:2)
Maybe I just didn't know it.
Has anyone seen one? What applications are running on them? It seems like maybe we could mess with the spammers if we knew what they were using.
Can't send email via port 25? (Score:3, Informative)
RFC 2554 for more information.
Re:Can't send email via port 25? (Score:2)
Sure, so now the traveling executive has to ask the company he visits "Excuse me, but could you please open port 587/tcp on your firewall, s
This isn't a new idea (Score:2)
Where we use MX records for sending, I proposed an MS record for authorized Mail Senders. That's all it did, but at least you could look to DNS to see if this remote system was actually a designated speaker for that domain.
Of course, he told me it would never work and that it was unreasonable to use DNS to provide such a service.
Oh well...
Re:This isn't a new idea (Score:2)
Hell, it's rather obvious once you suffer from a joe-job attack. After all, if you're able to specify which servers are authorized to handle incoming mail, why shouldn't you be able to specify which outbound servers are authorized as well?
The devil, of course, lies in the details of the implementation and how corner-cases are handled. (Witness the problems figuring out how to break forwarding in a minimal manner.)
Re:This isn't a new idea (Score:3, Insightful)
He's also dead-on right. There are many ways to simply bypass SPF; SPF-like schemes impose a number of limitations on regular email use; the use of DNS is a major part of the problem in SPF, as it's entirely inappropriate for a trusted transport.
The only reason anyone's deploying SPF, broken as it is, is because people will do *anything* at this point if someone promises them *any* reduction in sp
The irony... (Score:2)
Have the patent issues been resolved? (Score:3, Interesting)
So what's the story on the patent claims? Boycott Email caller id [boycott-em...ler-id.org] still seems wary, and I see no evidence that Eben Moglen's concerns [newsforge.com] (such as incompatibility with the GPL) have been addressed.
Any such patent application is likely to be granted, since Microsoft has lots of $$$ to press their case and the patent office has neither the knowledge or time to determine if they're obvious or in any other way counter them.
I remember the joys of dealing with GIF patents. We're better off without this combined approach if the patent applications will make it unworkable.
So, what's the situation?
Re:SMTP (Score:3, Informative)
It would be very difficult to replace something as as popular as SMTP. It would at least have to be backwards compatible with SMTP which means it would expose itself to the same problems as SMTP.
IMO SMTP does a good job apart from its obivous faults.
Re:Obligatory (Score:5, Insightful)
(x) It is defenseless against brute force attacks
Explain: how would you brute force it? One way would be to search until you find a domain without SPF information and fake addresses from that. That will reduce the pool of domains you can fake, and be an incentive for them to start using it. In a way it's shifting the damage over to those that doesn't try to help solving the problem, they decide to be easy targets they take the consequenses.
(x) It will stop spam for two weeks and then we'll be stuck with it
It will stop spam from beeing sent with faked addresses from a domain, if the owners of that domain wishes it. That means I will never se a bounce for spam using my address if the recieving end uses SPF, and the reciever willl not see spam that fakes my address as its sender
(x) Users of email will not put up with it
Why not, all I have to do is configure my mail program to use the correct mailserver for outgoing mail
(x) The police will not put up with it
The police has never cared about anything to do with spam, why should they care about this?
(x) Requires immediate total cooperation from everybody at once
Bull. Mail (allegedly) from domains that doesn't publish SPF information will get through, and mail to recievers that doesn't check SPF will come through. Domain owners will be encouraged to implement this because they will se fever (misdirected) abuse reports. Users will be encouraged to implement this because they will see less spam
(x) Lack of centrally controlling authority for email
The owner of a domain is the central controlling authority for email from that domain, that's all you need
(x) Ease of searching tiny alphanumeric address space of all email addresses
Eventually all spam will use a sender address from domains without SPF informations (or nonexistent domains), people will start dumping mail from domains without SPF (or give it a high spamassassin score) and those domains will effectively be forced to implement SPF or see their users unable to send email
(x) Asshats
Which is why you have to use additional measures, such as scoring mail without SPF low, blacklisting domains and ISPS that allow spammers and other kinds of filters. There is no tool that will block ALL spam, but the right combination will reduce it drastically
(x) Unpopularity of weird new taxes
No tax involved
(x) Huge existing software investment in SMTP
It's compatible (actually uses) SMTP, no software has to be replaced. (Unless it already sucks)
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
And all the mail sent out to SPF using clients using from addresses with SPF domains will be dropped, eventually this number will rise as more people adopt SPF.
(x) Extreme profitability of spam
Making them work harder and reach less people will decrease the profitability, that will make the situation improve
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
Eventually the spammers will have fewer domains to use for sender addresses, they will have to buy domains (increasing cost) or use domains without SPF. Both can be blacklisted
(x) Outlook
This can be implemented serverside, outlook is not an issue
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
None has ever been standardised and tried large scale
(x) We should be able to talk about Viagra without being censored
You can as long as you don't forge the sender domain. But if you try to sell it to someone a complaint may well make you lose access to that domain
(x) Countermeasures must work if phased in grad
Re:Obligatory (Score:2)
I was looking at seeing if sendmail could parse the records in the
Re:Obligatory (Score:2)
People are already scaning for open SPF records.
I can't say that I'm surprised
I can imagine that spam filters like spamassassin could check if the mail came from a domain with an open SPF record, it would simply be a matter of retrieving the record, doing a little parsing and assigning a score.
If a spamer gets paid $5000 to send out a million messages, a $15 throwaway domain is nothing...
The cost is also time to get the domain in place, less time spent on defeating other anti spam measures. If that
Re:Obligatory (Score:2)
Create a new bug that sends spam with the Outlook and you won't be able to differentiate between spam and real mail from the Outlook user.
Re:Obligatory (Score:2)
It does NOT account for Outlook.
A zombie machine (infected through outlook or any other means) would have to send mail with addresses it is allowed to send from. That would be a domain controlled by the spammer (can be blacklisted), a domain with an open / nonexistant SPF record(can be filtered on), or a domain it's already allowed to send for (the ISP, which means chances that the machine would be stopped are far greater, or the ISP risks getting blacklisted).
Comment removed (Score:4, Informative)
Re:Obligatory (Score:2)
Gads yes. That's probably one of the biggest issues with the entire SPF idea. People either mistakenly think that it's an anti-spam solution, or else they're mislead to think so by others.
(In fact, my biggest complaint about SPF and some of the extensions is that they stray too far from the anti-joe-job duty and are trying to do anti-spam stuff.)
Re:SPF is well marketed.... (Score:4, Insightful)
Complex or not, it's working just fine with quite an array of software.
# No sane firewall is going to let TXT records through
A firewall would need to examine the contents of packets to differentiate a TXT record from a, say, A record or cname. Comparable wizardry is already being performed by mail servers world wide, on a vast scale:
[smegma@cartman smegma]$ host -t txt 84.137.116.38.sbl.spamhaus.org
84.137.116.38.sbl.spamhaus.org text "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL1
# No sane firewall is going to let TCP DNS packets through
SPF does not rely on anything that every other app using DNS doesn't. Also see above.
# The parsing can loop forever
In a horribly written parser perhaps. The same could be said about IRC clients, Web Browsers and just about any application out there.
# It will increase DNS scaning as spamers hunt for broken SPF records
DNS is quite efficient. Unlike RBLs, SPF will work just fine with traditional SOA settings, so cache hits will be plentiful.
# Its too complex to be implimented inside the MTA where it needs to be done
Just where do you think it's already being implemented?
# It can't be properly parsed in sendmail
It is already being used with all popular MTAs, including sendmail, postfix, qmail, exim, courier and ms exchange.
# ISO 8839 8859 59-15 utf-8 issues for domain names may kill some dns servers
Huh?
Parsing complexity might become a bit of a concern with the advent of XML, but as of now, it's dead-simple.
3, Interesting? And I feel like I'm feeding a troll here!
Re:SPF is well marketed.... (Score:2)
Right now SPF is being done with a large library that gets linked in. I've been finding security holes in MTAs for 17 years and I don't like complex systems built into things that live on my network front door.
There is nothing that SPF does that DNSBL li
Re:SPF is well marketed.... (Score:2)
Really? [zvon.org] What rock have you been hiding under?
There is nothing that SPF does that DNSBL like systems can't do better using existing software and normal data packets.
I haven't yet seen a DNSBL system that says authoritatively that a given IP is allowed to send email for a certain domain, much less with the same kind of flexibility that is allowed in SPF.
Re:SPF is well marketed.... (Score:2)
No sane firewall is going to let TCP DNS packets through
That's a bit of a stretch. Why would you block TXT records? Also, TCP is a perfectly valid transport for DNS and by default most resolvers will use it for zone transfers and any other application where the expected response will be larger than 512 bytes. As a firewall admin wherever I've allowed incoming DNS over UDP, I allow DNS over TCP as well. Not doing so breaks DNS.
Its parsing is too comp
Re:SPF is well marketed.... (Score:2)
In short -- SPF has severe technical problems. Caller ID has almost all the same severe technical problems (and introduces at least the question of patents). DomainKeys has a large number of drawbacks, and even *it* is much better thought out than either SPF or Caller ID.
MOD PARENT UP (Score:2)
Re:This does NOTHING for SPAM (Score:2)
Re:This does NOTHING for SPAM (Score:2)
If you want to avoid phishing (especially the economic fraud that you're talking about here), the weak security of the SPF protocol is about enough to inspire a false sense of security without actually doing anything. At *least* use a pubkey-based signing system if you are trying to pull this off.
Hell, if you wanted to use SPF's poor domain-level-granularity and security-depending-upon-nobody-spoofing-DNS, you could just have a big flag for a domain that say
Re:Is this how Slashdot works? (Score:2)
I *have* read the FAQ. Some of my complaints about SPF are based on its content. I've steadily posted objections to Slashdot in most SPF stories -- at first, I spent ages on each post, writing out lengthy lists of issues. It was only after any SPF people failed to respond that I stopped listing item-by-item issues.
Re:Is this how Slashdot works? (Score:2)
I am very, very frusterated with SPF. Angry even, which is why I'm so combative. It reminds me of the Bulk Priority flag created by the Internet2 people -- the folks involved were just not *thinking* about how they're impacting existing people. I am fed up with mail servers rejecting email from my personal mail server because it's on dial-up (bad spam filtering idea #1), ISPs blocking my mail server from connecting out because "no reasonable h