Spammers Are Early Adopters of SPF Standard
nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem won't be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."
We can still use it as a spam prevention tool (Score:5, Funny)
Re:We can still use it as a spam prevention tool (Score:3, Funny)
Oh wait...
The point of SPF (Score:5, Insightful)
Re:The point of SPF (Score:4, Insightful)
This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.
"just block domain names"?! (Score:3, Insightful)
It won't help anything. Many of them will use stolen credit cards, or register under other false information, register 300 domains, and use them until they are blocked. Then move on.
So the problem of scanning each and every e-mail for spammishness will still prevail.
Re:"just block domain names"?! (Score:2)
Fine by me (Score:3, Insightful)
True, this doesn't stop those initial messages, but it gets all the rest and cuts down on the number. One needs not eliminate SPAM entirely, just reduce it to a level where it's unprofitable. If software becomes good to the point that only 1 in 100,000 SPAM messages reach a person, that'll severely cut pr
Re:The point of SPF (Score:3, Insightful)
Re:The point of SPF (Score:2, Informative)
even spammers (Score:4, Funny)
Article Poster Doesn't Understand SPF (Score:5, Informative)
Re:Article Poster Doesn't Understand SPF (Score:2)
Hey, if dolphins don't want piss in the ocean they should just hold it until they find a restroom like the rest of us are supposed to.
KFG
Isn't this what we want? (Score:5, Insightful)
Re:Isn't this what we want? (Score:3, Informative)
Re:Isn't this what we want? (Score:4, Insightful)
Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net
So, I suppose what I'm proposing is a distributed whitelist.
Re:Isn't this what we want? (Score:2)
Re:Isn't this what we want? (Score:4, Insightful)
24 domains/day * 365 days/year * $12/domain = $105,120
That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.
Re:Isn't this what we want? (Score:4, Insightful)
Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.
What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.
Re:Isn't this what we want? (Score:3, Insightful)
What I like about SPF is that as larger ISPs adopt it, I can stop worrying about accid
damnit! (Score:2)
Thin the herd out. (Score:2)
Great! Fewer spammers is a Good Thing (TM).
There isn't any single solution to spam. But different solutions will whittle the big problem down, bit by bit.
The SPF faq on Throwaway domains. (Score:3, Interesting)
Re:Isn't this what we want? (Score:2)
Weng and Wong are the same person. (Score:4, Informative)
Wow (Score:2, Insightful)
Oh well, at least filters are getting VERY good at catching 99% of it.
Re:Wow (Score:2)
Re:Wow (Score:2, Informative)
The point is to not trust mail from domains having SPF records, where the sending server is not listed.
Whether or not AOL *has* an SPF record is not relevant. What is relevant is that *if* AOL has an SPF record, any mail with an AOL envelope sender should come from a server covered by that SPF listing.
Re:Wow (Score:2)
with spam still remains: the sheer number of messages which must be accepted and filtered.
Does anyone have any idea what the real cost of spam is in terms of dollars, bandwidth and time?
Understanding SPF (Score:5, Informative)
It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.
But, as is stated, it's completely possible for spammers to keep their dns records updated too.
Now, if only we could get the whois accurate.
Re:Understanding SPF (Score:4, Informative)
Re:Understanding SPF (Score:4, Interesting)
And therein lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much easier to perform the following sequence:
1. I received a Spam message from domainx.com, either:
(a) sender was a verified user of domainx.com, spf records check out
(b) no spf, sender likely forged
In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
In case (b) if SPF is in widespread use for legitimate mail then the spam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.
Regards
Alex
Re:Understanding SPF (Score:3, Interesting)
Blocking one form of attack will most likely mean an increase in another, or a new one entirely.
I doubt very much that SPF will be an end to spam, even if it is widespread.
People need to be taking away the incentive for spammers to bother. Would _you_ send out millions of emails if you weren't going to make any money?
This is a social problem, not a technical one.
Re:Understanding SPF (Score:3, Insightful)
SPF is intended to vastly reduce spam from its current levels. If its use were widespread then all the zombies spewing out mail with forged addresses & all the open relays become much less effective.
Basically by making From address spoofing much much harder it becomes much easier to identify spammers and stomp on them.
We can never
Re:Understanding SPF (Score:2)
As to whether that is the actual case....
Re:Understanding SPF (Score:2)
Yeah, IF you got adoption, it would cut down on some viruses. But the few that forge addresses would just adapt to use an email address on the machine in question. Which, in all likelihood, will be a valid one, sent from a valid ip address.
No one claimed it would end spam (Score:3, Insightful)
But that's not the point of SPF (Score:5, Insightful)
In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.
Re:But that's not the point of SPF (Score:2)
It just limits the domains that the spoofed addresses can originate from.
That's why I don't like SPF and hope it fails miserably. We need something stronger.
What I'd like to see is that the SMTP server requires users to authenticate themselves to send e-mail and signs the e-mail to assert that the from e-mail address really is the address of the sender.
For example, suppose you have an account at example.com, hypnagogue@example.com, and so do I, eric76@exampl
Re:But that's not the point of SPF (Score:2)
Re:But that's not the point of SPF (Score:2)
SenderID != Spam Solution (Score:4, Insightful)
You can not guarantee that an E-Mail originated from the source it said it did.
Which effectively makes black-lists useless.
With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.
I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.
Agreed (Score:2)
But on the whole, technical solutions are just treating the symptoms. There is only one, and one only way to remove spam, and that is to make it illegal. It's a DDOS on an essential communication medium; so put the Patriot act to some good use and have it labelled "terrorism", the very same as if some group hijacked a TV station.
Having done that, follow the money trail, which should lead directly to the spammers and their (often unsuspecting) clients. They have to store the money in a bank account somewher
SURBL SPF (Score:2, Informative)
All the more reason... (Score:3, Funny)
"What good is Viagra if you
Re:All the more reason... (Score:2)
If you've castrated the spammer properly, shouldn't that have been "fuckee" and not "fucker"? ;)
Re:All the more reason... (Score:2)
No. Would YOU fuck a spammer, castrated or not? Neither would anyone else.
Re:All the more reason... (Score:3, Funny)
> five. 7-3-2 is completely unharmonious.
These ads you spam me
To enhance my sex prowess
Won't help you, fucker.
You need the support of your DNS provider (Score:4, Informative)
Re:You need the support of your DNS provider (Score:2)
Re:You need the support of your DNS provider (Score:2)
Move your DNS to someone like www.xname.org who support the whole lot, and the service is free (supported by donations)
This doesn't mean you have to change your REGISTRAR, just where the DNS is delegated to for your domain.
switch DNS providers (Score:2)
Re:You need the support of your DNS provider (Score:2)
Re:You need the support of your DNS provider (Score:2)
Apparently, some people missed the point... (Score:4, Insightful)
That was the entire point.
In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.
There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.
The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.
Re:Apparently, some people missed the point... (Score:2)
Re:Apparently, some people missed the point... (Score:3, Interesting)
In other news (Score:4, Funny)
Good thing too... (Score:2)
SPF is an anti-forgery tool, not an anti-spam tool (Score:5, Interesting)
SPF doesn't and can't block spam.
it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.
in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.
it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.
Re:SPF is an anti-forgery tool, not an anti-spam t (Score:2, Interesting)
I have a university e-mail address that ends with @msstate.edu. But I don't live on campus, I live in the surrounding town and so am not on the msstate.edu domain. My SMTP host is nctv.com.
Right now, I can just set up my mail client to use email_address@msstate.edu and send it through nctv.com. Will SPF prevent me from doing that and force me to use webmail or something equally inconvenient?
Re:SPF is an anti-forgery tool, not an anti-spam t (Score:2)
Re:SPF is an anti-forgery tool, not an anti-spam t (Score:2)
Then tell your mail client to route all mail through smtp.msstate.edu (or whatever their SMTP server is running on), and presto! The outside world will see mail come from an SPF-authorized msstate.edu mail relay, with an @msstate.edu sender.
Now, if msstate.edu turns on SPF and *doesn't* turn on something like this, then rig
It's not meant to stop spam (Score:2)
SPF not an effective anti-joe-job tool (Score:2)
The reason SPF isn't good at anti-joe-jobbing is that there is no trusted map for users between a domain name and a company identity. If I send an email from @boa-international.com or @bankofamerica.banknetwork.com, end users won't consider the fact that it doesn't come from @bankofamerica.com. SPF is fundamentally tied to domain names. Furth
These are only the easy solutions (Score:2)
The only real way to combat spam is to also stop sites and spammers from selling email addresses to each other. If the spammers don't have their most precious commodity, they can't spam.
Important notice: please update your USBank info! (Score:5, Insightful)
SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.
As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phishers' lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss off Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.
Well, duh (Score:2)
No system that is under the technical control (like SPF) will reduce spam, since the spammers will simply comply. In the case of SPF, all they need do is add in a new section to the script they use to automate signing up for dozens of new domain names at a time, to add the SPF records. (These scripts already add in the other DNS records, so this is trivial.)
And no system that is under the control of someone other than the domain holder
Thoughts from the peanut gallery (Score:2, Insightful)
Second, I'd have thought that it would be obvious that trivial authentication would be useless. It's like using the existence of an X.509 certificate as proof that a site is genuine, notwithstanding that anybody can download a roll-your-own certification program and generate their own.
Third, it's ironic that corporations (who lose millions, if not billions, to fraud each year) aren't the
impossible (Score:2)
A zombie PC will rapidly move from a low emission of emails to a much more rapid rate. If the upstream email routers rate limit email transmission based on historical information you strangle the spam at source.
Spam isn't eliminated, but it's seriously limited hopefully to the point where it is unprofitable.
All other methods do not address the major characteristic of spam, the large number of emails and the very
SPF working perfectly (Score:2)
If they fake their address to a domain publishing SPF records then the SPF check fails and the message gets flagged for aggressive filtering them.
Either way they're screwed.
Let me explain this (Score:3, Informative)
These sender id schemes won't stop spam at all. It's easy for a spammer to modify his dns to show the correct records and allow him to send.
But, here's the thing: HE DOES IT TO HIS OWN DOMAIN. We can then blacklist his domains and force him to keep coming up with new ones. Whack-a-mole, yes, but at least the "moles" aren't at legitimate domains.
You can complain all you want about how this isn't going to stop spam. Maybe it won't for you, but it will cut down the worthless junk hitting my mail server.
SPF + Reputation = No Spam (Score:3, Insightful)
However, once SPF is adopted it allows several things:
I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.
First comes the sender verification (Score:2)
all about the porn (Score:2)
Misunderstood Reasoning (Score:2)
If you accept without question mail from SPF verified senders, you're just asking for trouble. There's not and has never been anything in the SPF standard that recommends this practice.
However, if you reject mail based on the SPF records of the sending domain, you can make a difference. If ticketmaster.com does not want mail sent from anything but their
SPF ignorance is rampant (Score:5, Informative)
Anyone with clue can see this is another tool in the toolbox. Each piece of incoming mail is ranked with a score indicating its probability of being spam. SPF, whitelists, bayesian filters, being in html, coming from china, etc affect the score. There's no magic bullet to stop spam.
Anyone who has spent time as a systems admin of a mail server, should know this.
You won't stop it! (Score:2)
Yes, this doesn't cut down on the congestion on the int
SPF (Score:2)
Spammer Promoted First
SPF is step one (we knew this already) (Score:3, Informative)
This primarily helps in two ways: first, it helps fight off certain kinds of social attacks. E-Mail can't claim to be from your bank; if it does, the MUA would display a big warning box stating the mail appears to be forged.
Second, it guarantees that people can't spam or send viruses using your domain name. The spammers have to (just as the article says) identify who they are; they can't claim to be someone else.
So no, obviously, that doesn't stop spam. It might block certain kinds of (soon to be obsolete) spam. You no longer have to blacklist all of aol.com, for example, since only real AOL users could send mail from @aol.com if we all used SPF.
This does, however, make it possible to do *MUCH* more accurate RTBL (Real Time Block Lists). The spammers have to identify themselves; once you have their identity, block all their mail. You got spam from @spammer.com? Block spammer.com. The guy at spammer.com can't pretend to be anyone else, so you've got him successfully blocked. Sure, he can register multiple domains, but with a good RTBL that isn't too much of a problem. Good RTBL already block most of the registered spammers - SPF makes their job easier since all spammers will be identifiable.
Mix SPF with a RTBL service and you *will* see a massive drop in spam. Over 80% of all incoming connections to my mail server are now blocked; most of the stuff that does get through is legit (lots of large mailing lists and traffic).
Patent encumbered (Score:2)
And no, I don't have any answers either other than RBL + greylisting seems to be a
private postage (Score:2)
That system will discourage spammers, who get us to pay for their abuse, but would have to pay more than their low-yield spams are worth, acro
SID is supposed to be the caller ID of email? (Score:2)
Not so surprising (Score:2)
With the ab
This is well-known (Score:3, Insightful)
From the moment SPF was implemented, people knew that this could happen. SPF doesn't aim to stop spam outright, it aims to HELP stop spam.
First off, if SPF is used, it cuts out 'joe jobs.' I can't send you mail purporting to be from Yahoo through a mass mailer on my desktop, because SPF will catch it.
I see two issues with spam:
a.) Annoying commercial advertisements
b.) The above, sent fraudulently
SPF helps to cut out the second. If spammers send me spam, but do it from their own domain, it's still not hard to block them.
No one (that knew what they were talking about) ever claimed that SPF was a cure-all for spam. All it aimed to do was make spammers stop forging their addresses. And it sounds like it's succeeding.
Want to know what works? Look at who Spammers hate (Score:4, Interesting)
Re:A Change Needs to be made (Score:3, Interesting)
A more reasonable change would be SMTP-TLS, employing a policy of using authorized certificates like the secure websites. This protocol is already there, but it's the wide adoption that is the problem.
I won't pay $300/year to send mail (Score:4, Insightful)
Re:A Change Needs to be made (Score:4, Interesting)
About the only attacks that TLS would prevent would be IP spoofing. These days, that is very, very hard.
What would TLS add?
Re:A Change Needs to be made (Score:2)
Re:A Change Needs to be made (Score:2)
Re:A Change Needs to be made (Score:2)
some time ago...
-"the laws of Newton and Kepler don't explain the orbit of Mercury. The theory itself needs a change."
-"oh teh no3s U R teh fl4meba!tz0rrrzzzzz!!!!!one"
Sometimes something new is needed. This is called progress and is strongly associated with the concept of learning from your mistakes.
Re:A Change Needs to be made (Score:2, Insightful)
"The laws of Newton and Kepler don't explain the orbit of Mercury. This whole 'science' stuff needs to change. It was created a long time ago, and it's time to throw it all out and start with something new."
Maybe that's not flamebait, but it is silly. Changing theories to match new data metaphorically maps very well to adding SPF to SMTP -- not to throwing the whole thing away.
Re:A Change Needs to be made (Score:2)
just like General Relativity was an entirely new theory but gives the same results as Newton so long as you don't have large masses/high speeds etc.
Re:A Change Needs to be made (Score:4, Insightful)
Why can't these changes be integrated into SMTP-as-we-know-it?
It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.
Fixing SMTP is like Fixing Weather (Score:3, Interesting)
Th
Re:A Change Needs to be made (Score:2)
It's like Rumsfeld says (I never thought I'd quote him on slashdot :-):
known knowns: solved SMTP protocol issues.
unknown knowns: bugs in proposed SMTP modifications.
known unknowns: the solution to the spam problem.
unknown unknowns: other mail problems.
If you scrap SMTP just because of spam, then the next thirty years w
Re:A Change Needs to be made (Score:2)
If they don't get a bounce message, they try jdoe1@*
but in some ways it works against them.
because you can get spam even if you never post your address, spam filtering software companies can set up honeypots, that are soon inundated with spam, and they know it's all spam, because they never told anyone about the address.
Re:This surprises anyone? (Score:2)
Re:This surprises anyone? (Score:5, Informative)
SMTP AUTH over SSL/TLS to your work's mail server and you can send all the work e-mail from home you want.
Charles
It does reduce spam. (Score:2)
SPF does not, however, eliminate spam. Sorry.