Mailing List Archive

"Spammers love Sender ID"
http://www.theinquirer.net/?article=18367 - thoughts?

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: "Spammers love Sender ID"
I think the article is wrong, because their source is wrong.

The spammer can't forge the machine address your server is connected to.
They can forge the reported IP but not the actual connect ID.

More BS in other words.

Cary Fitch

----- Original Message -----
From: "Danny" <nocmonkey@gmail.com>
To: <spf-help@v2.listbox.com>
Sent: Friday, September 10, 2004 10:11 AM
Subject: [spf-help] "Spammers love Sender ID"


> http://www.theinquirer.net/?article=18367 - thoughts?


Re: "Spammers love Sender ID"
On Fri, Sep 10, 2004 at 11:11:32AM -0400,
Danny <nocmonkey@gmail.com> wrote
a message of 7 lines which said:

> http://www.theinquirer.net/?article=18367 - thoughts?

Usual BS. Unbacked figures and sensation title. "More than 16 percent
of spam already carries SPF records says MX Logic." is especially
stupid, anyone can check it is much lower. "Microsoft's anti-spam
sender-ID" is also a lie (it is IETF's Sender-ID).


Re: "Spammers love Sender ID"
On Fri, 10 Sep 2004 17:18:20 +0200, Stephane Bortzmeyer
<bortzmeyer@nic.fr> wrote:
> On Fri, Sep 10, 2004 at 11:11:32AM -0400,
> Danny <nocmonkey@gmail.com> wrote
>
>
> a message of 7 lines which said:
>
> > http://www.theinquirer.net/?article=18367 - thoughts?
>
> Usual BS. Unbacked figures and sensation title. "More than 16 percent
> of spam already carries SPF records says MX Logic." is especially
> stupid, anyone can check it is much lower. "Microsoft's anti-spam
> sender-ID" is also a lie (it is IETF's Sender-ID).

Good point - thanks for the clarification, guys. Is IETF's Sender-ID
considered SPF?

...D

Re: "Spammers love Sender ID"
On Fri, Sep 10, 2004 at 11:24:13AM -0400,
Danny <nocmonkey@gmail.com> wrote
a message of 25 lines which said:

> Good point - thanks for the clarification, guys. Is IETF's Sender-ID
> considered SPF?

No, they are different protocols (one more stupidity in the Inquirer
paper, which mixes them), although Sender-ID clearly borrowed a lot
from SPF.

Re: "Spammers love Sender ID"
On Fri, 10 Sep 2004, Danny wrote:

> http://www.theinquirer.net/?article=18367 - thoughts?

I think it's entirely wrong. For one thing, they're confusing SID and
SPF.

-Dennis

Re: "Spammers love Sender ID"
On 9/10/2004 11:11, Danny wrote:

> http://www.theinquirer.net/?article=18367 - thoughts?

A retraction request has been sent to the author, referencing this thread.

~Jason

Re: "Spammers love Sender ID"
Dennis Carr wrote:

> On Fri, 10 Sep 2004, Danny wrote:
>
>
>>http://www.theinquirer.net/?article=18367 - thoughts?
>
>
> I think it's entirely wrong. For one thing, they're confusing SID and
> SPF.

Unfortunately Yahoo is spreading the same BS :-(

(in French)
http://fr.news.yahoo.com/040910/7/41r35.html

Re: "Spammers love Sender ID"
On Fri, 10 Sep 2004, Filip Supera wrote:

> Unfortunately Yahoo is spreading the same BS :-(

Perhaps somebody could send a retraction request to Yahoo? Not sure how
to go about this....

-Dennis Carr

RE: "Spammers love Sender ID"
Well Sender ID was not meant to be an anti-spam tool, it was meant to be
a forged domain tool, which references more along the lines of fraud and
phishing scams. However, the nice thing about sender ID will be if they
register their domain properly then it will be easy to blacklist them.

-----Original Message-----
From: owner-spf-help@v2.listbox.com
[mailto:owner-spf-help@v2.listbox.com] On Behalf Of Jason Gurtz
Sent: Friday, September 10, 2004 3:14 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] "Spammers love Sender ID"

On 9/10/2004 11:11, Danny wrote:

> http://www.theinquirer.net/?article=18367 - thoughts?

A retraction request has been sent to the author, referencing this
thread.

~Jason

Re: "Spammers love Sender ID"
Cary Fitch wrote:
> I think the article is wrong, because their source is wrong.
> The spammer can't forge the machine address your server is connected to.
> They can forge the reported IP but not the actual connect ID.
>
> More BS in other words.
>
> Cary Fitch
>
> ----- Original Message -----
> From: "Danny" <nocmonkey@gmail.com>
> Sent: Friday, September 10, 2004 10:11 AM
> Subject: [spf-help] "Spammers love Sender ID"
>
>> http://www.theinquirer.net/?article=18367 - thoughts?

There's a better-researched and better-written article at:

http://www.informationweek.com/story/showArticle.jhtml?articleID=47102042

which gives more information and some different viewpoints. What MX Logic
have been reporting is that a large number of spams in their sample -
around 16% out of 400,000 - passed SPF checks, because the spammers
published SPF records for the domains they owned and signalled their mail
as coming from those domains.

To my mind, this in no way reduces the usefulness of SPF. First of all,
SPF checks will still catch (a) viruses, (b) phishing, (c) joe jobs, and
(d) spam that forges addresses from domains that publish SPF records. It
should also help to reduce the aggravation caused by forgery-bounces.
Second, spammers who register domains and publish SPF records may pass SPF
checks, but they'll still be forced to host their domains somewhere.
Networks hosting spammer domains are good candidates for blocklisting,
especially if white hat ISPs are proactive about forcing spammers to move
on, resulting in a concentration of spammers on a few black hat networks.

There are still problems, though. If a spammer sets up a domain and
publishes an SPF record that says that every zombie PC on 'comcast.net' is
a valid sender for that domain, they'll pass SPF checks, but there's no
clear basis for an ISP to kick them off. Unlike a domain that sends mail
or hosts a spamvertized website, there's no obvious and undeniable link to
the spam operation. The spammer might plausibly pretend that their domain
was a legitimate undertaking that just happened to be being abused by
those evil spammers (although they better have a good answer as to why
they need to list the whole of Comcast and half the Korean school system
as legitimate senders). And experience already shows that spammers don't
mind registering new domains at $5 a throw in order to avoid
domain-name-based filters.

It's clear that SPF on its own won't solve the spam problem and using SPF
checks as your only test is clearly foolish. However, it can already head
off a fair bit of nastiness, and in combination with other existing
techniques - filters and blocklists - it may make a real contribution.

Apologies if this is off-topic for SPF-help.

Angus

RE: "Spammers love Sender ID"
How could a spammer publish SPF for comcast.net? A reverse DNS lookup on
the IP address is where the server is going to look for the SPF record. It's
not going to find an SPF record on comcast dns servers, so how do you
propose that a spammer can forge SPF?

-----Original Message-----
From: owner-spf-help@v2.listbox.com [mailto:owner-spf-help@v2.listbox.com]
On Behalf Of Angus McIntyre
Sent: Friday, September 10, 2004 5:12 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] "Spammers love Sender ID"

Re: "Spammers love Sender ID"
He could publish their IPs for his domain name...

so they would pass SPF, but you could of course S-can his domain!

SPF is about accountability, not spam.

Of course accountability makes anti spam actions easier. :-)

Cary
----- Original Message -----
From: "Chris Sweeney" <csweeney@osubucks.org>
To: <spf-help@v2.listbox.com>
Sent: Friday, September 10, 2004 5:13 PM
Subject: RE: [spf-help] "Spammers love Sender ID"


> How could a spammer publish SPF for comcast.net? A reverse DNS lookup on
> the IP address is where the server is going to look for the SPF record.
> It's not going to find an SPF record on comcast dns servers, so how do you
> propose that a spammer can forge SPF?


RE: "Spammers love Sender ID"
At 18:13 -0400 10.09.2004, Chris Sweeney wrote:
>How could a spammer publish SPF for comcast.net? A reverse DNS lookup on
>the IP address is where the server is going to look for the SPF record. It's
>not going to find an SPF record on comcast dns servers, so how do you
>propose that a spammer can forge SPF?

I don't propose that spammers publish SPF for comcast.net. I said
that they can publish an SPF record that indicates comcast.net hosts
as valid senders for _their_ domain.

SPF - unless I have badly misunderstood how it works - allows a
domain owner to say "Here is the list of hosts that are allowed to
send messages with my domain name in the envelope header." SPF checks
will flag messages that claim to come from domain X, but were sent
from a machine that's not listed among the allowed senders.

So the DNS servers being consulted in an SPF check are not Comcast's,
but the servers of the domain that purports to send the message.
These are under the spammer's control. The spammer can thus say "Mail
claiming to be from my domain might come from any machine at
Comcast." (using appropriate wild-carding).

This is much like the situation where a legitimate user has their own
domain but uses their ISP's mail gateway to send messages, thus they
declare the mail gateway as a permitted sender for their domain.

As I understand it, SPF lets you say "Mail from mydomain.com may come
from theirdomain.com"; what it doesn't let you do is say "Mail from
theirdomain.com may come from mydomain.com".

Angus

Re: "Spammers love Sender ID"
Angus McIntyre wrote:

> SPF - unless I have badly misunderstood how it works - allows a domain
> owner to say "Here is the list of hosts that are allowed to send
> messages with my domain name in the envelope header." SPF checks will
> flag messages that claim to come from domain X, but were sent from a
> machine that's not listed among the allowed senders.
>
> So the DNS servers being consulted in an SPF check are not Comcast's,
> but the servers of the domain that purports to send the message. These
> are under the spammer's control. The spammer can thus say "Mail
> claiming to be from my domain might come from any machine at Comcast."
> (using appropriate wild-carding).

What you say is correct... but the obvious next step is for the
recipients to quickly blacklist the spammer's domain with no worry of
blacklisting an innocent domain that was being forged, since that's
obviously not true. Spammers will need to constantly purchase new
domains and set up SPF again each time to stay ahead of the blacklists
(costing them time and money), cutting into the incentive to send spam
in the first place.



RE: "Spammers love Sender ID"
OK yes, I guess I read your message wrong earlier.

-----Original Message-----
From: owner-spf-help@v2.listbox.com [mailto:owner-spf-help@v2.listbox.com]
On Behalf Of Angus McIntyre
Sent: Friday, September 10, 2004 7:34 PM
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] "Spammers love Sender ID"

Re: "Spammers love Sender ID"
On Fri, Sep 10, 2004 at 06:13:45PM -0400, Chris Sweeney wrote:
> How could a spammer publish SPF for comcast.net? A reverse DNS lookup on
> the IP address is where the server is going to look for the SPF record. It's
> not going to find an SPF record on comcast dns servers, so how do you
> propose that a spammer can forge SPF?

This is _not_ true. An mta that checks spf will look at the domain found
in MAIL FROM (or the HELO domain if MAIL FROM is <>). Where did you get
the idea that the mta would do a reverse lookup on the ip and look at
the spf record for that domain? Clearly, if that'd be the case, spf
would be useless as most domains that have spf include the A record of
the domain itself and thus it would almost always give a pass.

Koen

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, embedded systems, unix expertise, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/
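
The lookup Angus and Koen describe in the messages above, as an added example (not code from any poster or from the SPF project): a small Python evaluator that consults the record of the MAIL FROM domain (HELO when MAIL FROM is <>), never the reverse DNS of the connecting IP, and then treats a pass as an identity to apply reputation to rather than as a verdict. The TXT table, the .example domains, the blocklist and the 65536-address threshold are constructed assumptions, and only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS; every name and range is made up.
TXT = {
    "legit.example": "v=spf1 ip4:192.0.2.10 include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # Throwaway domains whose owner "authorizes" a huge range they do not run.
    "throwaway.example": "v=spf1 ip4:10.0.0.0/8 -all",
    "newthrowaway.example": "v=spf1 ip4:10.0.0.0/8 -all",
}
DOMAIN_BLOCKLIST = {"throwaway.example"}  # hypothetical local reputation list
MAX_AUTHORIZED = 65536                    # assumed policy threshold (one /16)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_domain(helo, mail_from):
    """Domain whose record is consulted: MAIL FROM, or HELO if MAIL FROM is <>."""
    addr = mail_from.strip("<> ")
    return addr.rsplit("@", 1)[-1].lower() if addr else helo.lower()


def parse_record(domain):
    """Return [(qualifier, mechanism, argument)], or None if no SPF record."""
    parts = TXT.get(domain, "").split()
    if not parts or parts[0] != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((qual, name.lower(), arg))
    return terms


def check_host(client_ip, domain, depth=0):
    """Evaluate the record published by `domain` against the connecting IP."""
    terms = parse_record(domain)
    if terms is None:
        return "none"
    if depth > 10:                        # crude guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for qual, name, arg in terms:
        if name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Simplification: a missing included record just does not match.
            matched = check_host(client_ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                      # a, mx, ptr, exists: outside this sketch
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


def authorized_ipv4_count(domain, depth=0):
    """Upper bound on the IPv4 addresses a record passes (overlaps not merged)."""
    total = 0
    for qual, name, arg in parse_record(domain) or []:
        if qual != "+" or depth > 10:
            continue
        if name == "ip4":
            total += ipaddress.ip_network(arg, strict=False).num_addresses
        elif name == "include":
            total += authorized_ipv4_count(arg, depth + 1)
        elif name == "all":
            return 2 ** 32
    return total


def receiver_decision(client_ip, helo, mail_from):
    """Return (spf_result, domain_checked, action) for one SMTP transaction."""
    domain = spf_domain(helo, mail_from)
    result = check_host(client_ip, domain)
    if result == "fail":
        action = "reject"                 # forged use of a domain that publishes SPF
    elif result == "pass" and domain in DOMAIN_BLOCKLIST:
        action = "reject"                 # pass ties the mail to the listed domain
    elif result == "pass" and authorized_ipv4_count(domain) > MAX_AUTHORIZED:
        action = "quarantine"             # pass from an implausibly broad record
    else:
        action = "continue-filtering"     # SPF alone never whitelists
    return result, domain, action


if __name__ == "__main__":
    for args in [
        ("192.0.2.10", "mail.legit.example", "alice@legit.example"),
        ("10.20.30.40", "host.isp.example", "alice@legit.example"),
        ("10.20.30.40", "x.example", "promo@throwaway.example"),
        ("10.20.30.40", "x.example", "promo@newthrowaway.example"),
        ("198.51.100.7", "isp.example", "<>"),
    ]:
        print(args, "->", receiver_decision(*args))
```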

Re: "Spammers love Sender ID"
At 18:37 -0600 10.09.2004, <spf-help@rusticweb.com> wrote:

[. ... when spammers implement SPF to 'authorize' their zombies ... ]

> ... the obvious next step is for the recipients to quickly blacklist
> the spammer's domain with no worry of blacklisting an innocent domain
> that was being forged, since that's obviously not true. Spammers will
> need to constantly purchase new domains and set up SPF again each time
> to stay ahead of the blacklists (costing them time and money), cutting
> into the incentive to send spam in the first place.

You're right about the potential for blacklisting, but with new
domains costing $5 a time I don't see professional spammers being
much deterred. Some of my 'favorite' spammers are already changing
the throwaway domain names that they use for their websites with
impressive speed. Sometimes the new names follow a predictable enough
pattern that wildcarding works, but in some cases the names are
chosen in such a way that any pattern you could think of will
generate too many false positives.

Spammers can also automate the setup of SPF records easily enough, so
the time cost will be minimal.

I think SPF is still useful in that it promises to tie spammers to a
domain. Even if the spammers then constantly morph their domain
names, it's possible that the IP will tend to be the same, making
black-listing of particular IP ranges a valid strategy. So we've
definitely gained something, but the war is by no means won.

Angus

Re: "Spammers love Sender ID"
From: "Angus McIntyre" <angus@pobox.com>


>
> I think SPF is still useful in that it promises to tie spammers to a
> domain. Even if the spammers then constantly morph their domain
> names, it's possible that the IP will tend to be the same, making
> black-listing of particular IP ranges a valid strategy. So we've
> definitely gained something, but the war is by no means won.

Agreed - totally. The cost implications are nothing to the professional
spammer who will change domains daily if needed.

What we need to do now is go after the domain registrars and force them to
do the thorough checking that they are meant to when a domain is
registered -- at the moment I can enter totally false details when I
register a domain and there are no checks, no reprisals and no suspension of
service. If they are accepting credit card details for a domain the card
details should be the same as the person registering the domain - this is
not the case. If the domain proves to be a spammer could the credit card not
be traced? And if it is false, the genuine owner will be glad to know too
;-)

It's all small steps to the ultimate goal of stopping spam, but we need
*all* these little pieces, not just one cure-all which spammers will work
around within a week.


Slainte,

JohnP.
johnp@idimo.com
ICQ 313355492



RE: "Spammers love Sender ID"
Granted, spammers will do anything within their power to continue to send
spam, and anything we can do to combat that is great!

But I think the real reason for SPF is to allow us to protect use of our own
domain names, which it does as long as the recipient's SMTP server takes
advantage of the SPF records we publish. So, for SPF to really, really help
us with what it was intended to do, we need to promote as many
administrators as possible to implement the checking of SPF records. Then
we can also reap the side benefit of spammers not being able to use our
domain names in vain.

Sincerely,
Mike McTee
Eastex Net (www.eastex.net)


-----Original Message-----
From: owner-spf-help@v2.listbox.com [mailto:owner-spf-help@v2.listbox.com]
On Behalf Of jpinkerton
Sent: Saturday, September 11, 2004 4:37 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] "Spammers love Sender ID"

Re: "Spammers love Sender ID"
----- Original Message -----
From: "Cary Fitch" <sage@usawide.net>
To: <spf-help@v2.listbox.com>
Sent: Friday, September 10, 2004 11:17 AM
Subject: Re: [spf-help] "Spammers love Sender ID"


> I think the article is wrong, because their source is wrong.
>
> The spammer can't forge the machine address your server is connected to.
> They can forge the reported IP but not the actual connect ID.

They can forge a valid IP address of an SPF permitted address that can be
routed to locally in preference to more specific routing to a real domain's
routers. There are plenty of techniques to do this: they're extra work, and
some of them require finding a router to reconfigure, but very few routers
out there are really secure.

But it's a lot of extra work.
