Mailing List Archive

out of the starting gate, SPF is broke
I have been wondering for some time now on the true value of SPF in
the real world. I feel that, out of the starting gate, SPF is broke.
The issue I have concerns about is the hiding of a company behind SPF
while "following the rules" to continue sending spam. The continued
use of SPF by spammers to merely authenticate their servers.

The issue I have concerns about is the hiding of a company behind SPF
while "following the rules" to continue sending spam. When the
company uses SPF the mailers of the world are fooled into accepting
more spam.

What is in the SPF to prevent this kind of abuse?


Here is a header line from a gmail I received today. It is one of 345
received since 10 January, 2006 from a company listing its address as
2309 Bel Air Rd., Suite 311, Fallston, MD 21047. Despite "repeated link
clicking" and "unsubscribes" they continue sending email.

Received-SPF: pass (google.com: domain of
rmcdcjrgqb@yarnbasketball.com designates 66.159.16.202 as permitted
sender)

yarnbasketball.com
Whois Privacy Protection Service, Inc
Creation date: 16 Feb 2007 17:45:25

The yarnbasketball.com domain did not exist last week and, like this
older one, will not be in use in a couple of weeks down the road.
Instead the name will merely resolve to an IP address which has no
webcontent.

Received-SPF: pass (google.com: domain of re1glq2thb@vortexsoup.com
designates 198.145.252.217 as permitted sender)
(Sent Wed, 10 Jan 2007 20:06:35 -0800)

vortexsoup.com
Whois Privacy Protection Service, Inc.
Creation date: 20 Dec 2006 01:35:54


Regards
Bill Ries-Knight
Stockton, CA

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
Re: out of the starting gate, SPF is broke
On Sat, 24 Feb 2007, bill ries-knight wrote:

> The issue I have concerns about is the hiding of a company behind SPF
> while "following the rules" to continue sending spam. When the
> company uses SPF the mailers of the world are fooled into accepting
> more spam.
>
> What is in the SPF to prevent this kind of abuse?

Reputation. Reputation. Reputation.

Here is the last entry in my log from the 11000+ per day of such a spammer:

2007Feb24 17:15:47 [7681] connect from ip122.humanfacility.com at ('66.207.172.122', 47624) EXTERNAL
2007Feb24 17:15:47 [7681] hello from ip122.humanfacility.com
2007Feb24 17:15:47 [7681] mail from <n.7502.208138529@humanfacility.com> ()
2007Feb24 17:15:47 [7681] Received-SPF: pass (mail.bmsi.com: domain of humanfacility.com designates 66.207.172.122 as permitted sender) client_ip=66.207.172.122; envelope_from="n.7502.208138529@humanfacility.com"; helo=ip122.humanfacility.com; receiver=mail.bmsi.com; mechanism="ip4:66.207.172.0/24"; identity=mailfrom
2007Feb24 17:15:47 ham: 4, spam: 23
2007Feb24 17:15:47 ID humanfacility.com:SPF reputation: -60.671340,2.474461
2007Feb24 17:15:47 [7681] X-GOSSiP: cd3lwjxuWiOAgMgoUJ3DCg,-60,2
2007Feb24 17:15:47 [7681] rcpt to <%redacted%@bmsi.com> ()
2007Feb24 17:15:47 [7681] REJECT: REPUTATION

Yes, they were able to send 27 spams. The first 4 got by the content filter
until it auto-trained (based on spam sent to honey pot addresses). After
23 quarantined spams, we don't accept any more email from that domain.
The connections are cut off in SMTP envelope.

SPF makes this kind of score keeping possible. If I kept score on domains
without SPF, then I would start rejecting innocent domains every time spammers
decided to forge them.

In fact, I wouldn't call this spammers "hiding" behind SPF; I'd call it
finally being forced out from the shadows of forged emails.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

Re: out of the starting gate, SPF is broke
On 2/24/07, Stuart D. Gathman <stuart@bmsi.com> wrote:
> On Sat, 24 Feb 2007, bill ries-knight wrote:
>
> > The issue I have concerns about is the hiding of a company behind SPF
> > while "following the rules" to continue sending spam. When the
> > company uses SPF the mailers of the world are fooled into accepting
> > more spam.
> >
> > What is in the SPF to prevent this kind of abuse?
>
> Reputation. Reputation. Reputation.


Reputation is of no use as it is now. The point is SPF is domain based
and each mailer, to validate reputation, should have an SPF
recognition that ties the mailer to the domain used and the IP address
used. Additional domains used by the mailer are under his umbrella of
reputation. The end result being we don't have to retrain by content
on each new domain.

To be truly useful the dialog should proceed something like this.

I am Alpha Mail. <-- The source of reputation.
I am handling mail for the Beta.com domain. <-- A resource under the reputation umbrella
I am using 1.2.3.4/24 as a valid block. <-- A resource under the reputation umbrella

We could then determine that everything coming in as spam from the
domain or the IP block as belonging to Alpha Mail. Next time any of
those three appears in an SPF header it could be blocked. Unless I
have missed something, we do not identify Alpha Mail in any form or
fashion.

Therefore there is no real reputation.

Bill Ries-Knight
Stockton, CA

Re: out of the starting gate, SPF is broke
On Sat, 24 Feb 2007, bill ries-knight wrote:

> Reputation is of no use as it is now. The point is SPF is domain based

It is extremely useful to me and my clients now. Applying domain based
reputation halves the size of the quarantines. Roughly, of the 11000
emails arriving each day just at the server for our 5 person company,
all but 300 are rejected for lack of any kind of validated domain (rDNS,
HELO, SPF, and guessed SPF are currently accepted). Big win right from
the start. 100 more are rejected due to bad reputation of their
validated domain. 100 are quarantined, and 100 are delivered - nearly
100% spam free.

> We could then determine that everything coming in as spam from the
> domain or the IP block as belonging to Alpha Mail. Next time any of
> those three appears in an SPF header it could be blocked. Unless I
> have missed something, we do not identify Alpha Mail in any form or
> fashion.

You have missed something. There is no "mailer" in SMTP envelope (rfc2821).
DKIM provides one in rfc2822. And S/MIME and PGP/MIME identify the author.
SPF is not supposed to be the only authentication system in town. It is the
front line defence. It allows you to reject most spam based on domain
reputation before having to receive the entire message. Then you can validate
DKIM and PGP/S/MIME, and run the DKIM "mailer" and PGP/S/MIME author through
your bozo filter.

But domain reputation is currently so effective, the next levels aren't
worth doing for me.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.


Re: out of the starting gate, SPF is broke
bill ries-knight wrote:

> I have been wondering for some time now on the true value of SPF in
> the real world. I feel that, out of the starting gate, SPF is broke.
> The issue I have concerns about is the hiding of a company behind SPF
> while "following the rules" to continue sending spam. The continued
> use of SPF by spammers to merely authenticate their servers.

That's not pointless. Most spam (not your example) today uses forged
envelope sender addresses. If you don't reject it immediately you're
forced to either drop it later (bad if it was legit mail, also known as
false positive), or to bounce it later (bad if the envelope sender was
bogus, you'd hit innocent bystanders with your bounces).

For your example (SPF PASS turns out to be spam) you can bounce it
later, it won't hit an innocent bystander. Based on the SPF PASS you
can accept the "mail or spam", and use more expensive checks _behind_
your MX (e.g. on a separate box), because you know that bounces would
work.

In theory you could also note PASSing domains sending spam as "known
spammer", a kind of mini-reputation system. But I doubt that this
makes sense for something like rmcdcjrgqb@yarnbasketball.com - it's
a typical "Leo" domain name.

An SPF PASS from an unknown stranger isn't much, but it's still more
than nothing, it gives you the time for post-SMTP checks.

Frank


Re: out of the starting gate, SPF is broke
bill ries-knight wrote:
> I have been wondering for some time now on the true value of SPF in
> the real world. I feel that, out of the starting gate, SPF is broke.

I've seen immediate benefits from using SPF. While true it isn't a
fix-all, what is? As part of a score-based filtering system like
SpamAssassin it's another very useful metric.

Every so often one of my domains will be picked on by a spammer and I
used to get flooded with bounces from them spamming around. With SPF
I've seen this significantly reduced and the more email providers that
start using it the better.

For less savvy users I'm sure SPF will be very useful for protecting
against phishing and fraud when more banks and sites like PayPal start
to use it.

I for one am thankful for the SPF project and hope to see it and similar
mechanisms more widely adopted.


Dave Cardwell.
http://perlprogrammer.co.uk/e-mail/how-to-set-up-spf-sender-id-records-with-123-reg.html

Re: out of the starting gate, SPF is broke
Stuart,

How are you generating your reputation numbers?

Thanks,

Dan



Re: out of the starting gate, SPF is broke
On Mon, 26 Feb 2007 Dan_Mitton@Notes.YMP.GOV wrote:

> How are you generating your reputation numbers?

pygossip - implements the GOSSiP protocol. Tracks the last N (currently 1024)
messages from an ID (domain-spec:qualifier) as to ham or spam (or NULL) status.
Here is the reputation score code:

import math
import logging

log = logging.getLogger(__name__)

def reputation(self):
    """Compute reputation score in [-100, 100] for this ID."""
    n = self.bcnt                        # observations currently in the window
    if not n: return 0.0
    #N = float(self.maxobs)
    N = float(n)
    k = 2                                # steepness of the sigmoid
    ham = self.hcnt
    spam = n - ham - self.ncnt           # ncnt = observations with NULL status
    log.info("ham: %d, spam: %d"%(ham, spam))
    ph = ham / N
    ps = spam / N

    log.debug("P(h) = %f P(s) = %f"%(ph, ps))
    num = math.exp(k * (ph - ps))
    denom = 1 + math.exp(k * (ph - ps))

    return 200 * ((num / denom) - 0.5)

When gossiping with peers about the reputation of an ID, peer scores
are aggregated as follows:

# weighted_stats and weighted_average are helpers defined elsewhere in pygossip
def aggregate(agg,offset=0):
    """Aggregate reputation and confidence scores.
    >>> [round(x,1) for x in aggregate([(-76.159416,0.219053),(0,0)])]
    [-76.1, 0.2]
    """
    n = len(agg)
    if n < 1: return (0.0,0.0)           # (reputation, confidence)
    if n == 1: return agg[0]
    wavg,wcfi,wvar = weighted_stats(agg,offset)
    if wvar <= 0: # only one non-zero cfi
        return weighted_average([(rep,cfi) for rep,cfi in agg if cfi > 0])
    stddev = math.sqrt(wvar * n / (n - 1)) # sample standard deviation
    # remove outliers (more than 3 * stddev from mean) and return means
    return weighted_average([(rep,cfi) for rep,cfi in agg
                             if abs(rep - wavg) <= 3*stddev],offset)

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

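As an added illustration (not pygossip's code), here is a minimal SPF-keyed reputation tracker that ties Stuart's score formula back to the Received-SPF header format quoted earlier in the thread: only an SPF "pass" identity is scored, the last 1024 verdicts per ID are kept, and the score reproduces the -60.67 seen in his log for 4 ham / 23 spam. The header text, domain and the -50 reject threshold are constructed assumptions.

```python
import math
import re
from collections import deque

# Constructed sample header in the Received-SPF format quoted in this thread.
SAMPLE_HEADER = (
    'Received-SPF: pass (mx.example.net: domain of bulk@sender.example designates '
    '192.0.2.10 as permitted sender) client_ip=192.0.2.10; '
    'envelope_from="bulk@sender.example"; identity=mailfrom'
)

_RESULT_RE = re.compile(r'^Received-SPF:\s*(\w+)\s*\(')
_ENVFROM_RE = re.compile(r'envelope_from="?([^";\s]+)"?')

def spf_identity(header):
    """Return the GOSSiP-style ID 'domain:qualifier' from a Received-SPF header,
    or None if the header cannot be parsed."""
    m = _RESULT_RE.match(header)
    f = _ENVFROM_RE.search(header)
    if not m or not f:
        return None
    domain = f.group(1).rsplit('@', 1)[-1].lower()
    return "%s:%s" % (domain, m.group(1).lower())

def reputation_score(ham, spam, nulls=0, k=2):
    """Sigmoid score in [-100, 100]; nulls are observations with unknown status
    and count in the denominator, as in the pygossip formula."""
    n = ham + spam + nulls
    if n == 0:
        return 0.0
    ph, ps = ham / float(n), spam / float(n)
    x = math.exp(k * (ph - ps))
    return 200 * (x / (1 + x) - 0.5)

class ReputationTracker:
    """Keeps the last `window` verdicts (True=spam, False=ham, None=unknown) per ID."""
    def __init__(self, window=1024, reject_below=-50.0):   # threshold is an assumption
        self.window = window
        self.reject_below = reject_below
        self.obs = {}

    def record(self, identity, verdict):
        self.obs.setdefault(identity, deque(maxlen=self.window)).append(verdict)

    def score(self, identity):
        d = self.obs.get(identity, ())
        spam = sum(1 for v in d if v is True)
        ham = sum(1 for v in d if v is False)
        return reputation_score(ham, spam, len(d) - ham - spam)

    def decision(self, header):
        """'reject' only for an SPF-pass identity with a bad score; anything not
        validated by SPF is left to later filters rather than scored (forgeable)."""
        ident = spf_identity(header)
        if ident is None or not ident.endswith(':pass'):
            return 'continue'
        return 'reject' if self.score(ident) < self.reject_below else 'continue'
```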
Re: out of the starting gate, SPF is broke
SPF is a tool, not a silver bullet. Tools that are helpful are
often worthwhile even if they do not do the entire job.

-dgl-

