How could a spammer publish SPF for comcast.net? A reverse DNS lookup on
the IP address is where the server is going to look for the SPF record. It's
not going to find an SPF record on Comcast DNS servers, so how do you
propose that a spammer can forge SPF?
-----Original Message-----
From: owner-spf-help@v2.listbox.com [mailto:owner-spf-help@v2.listbox.com]
On Behalf Of Angus McIntyre
Sent: Friday, September 10, 2004 5:12 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] "Spammers love Sender ID"
Cary Fitch wrote:
> I think the article is wrong, because their source is wrong.
> The spammer can't forge the machine address your server is connected to.
> They can forge the reported IP but not the actual connect ID.
>
> More BS in other words.
>
> Cary Fitch
>
> ----- Original Message -----
> From: "Danny" <nocmonkey@gmail.com>
> Sent: Friday, September 10, 2004 10:11 AM
> Subject: [spf-help] "Spammers love Sender ID"
>
>> http://www.theinquirer.net/?article=18367 - thoughts?
There's a better-researched and better-written article at:
http://www.informationweek.com/story/showArticle.jhtml?articleID=47102042
which gives more information and some different viewpoints. What MX Logic
have been reporting is that a large number of spams in their sample - around
16% out of 400,000 - passed SPF checks, because the spammers published SPF
records for the domains they owned and signalled their mail as coming from
those domains.
To my mind, this in no way reduces the usefulness of SPF. First of all, SPF
checks will still catch (a) viruses, (b) phishing, (c) joe jobs, and
(d) spam that forges addresses from domains that publish SPF records. It
should also help to reduce the aggravation caused by forgery-bounces.
Second, spammers who register domains and publish SPF records may pass SPF
checks, but they'll still be forced to host their domains somewhere.
Networks hosting spammer domains are good candidates for blocklisting,
especially if white hat ISPs are proactive about forcing spammers to move
on, resulting in a concentration of spammers on a few black hat networks.
There are still problems, though. If a spammer sets up a domain and
publishes an SPF record that says that every zombie PC on 'comcast.net' is a
valid sender for that domain, they'll pass SPF checks, but there's no clear
basis for an ISP to kick them off. Unlike a domain that sends mail or hosts
a spamvertized website, there's no obvious and undeniable link to the spam
operation. The spammer might plausibly pretend that their domain was a
legitimate undertaking that just happened to be being abused by those evil
spammers (although they better have a good answer as to why they need to
list the whole of Comcast and half the Korean school system as legitimate
senders). And experience already shows that spammers don't mind registering
new domains at $5 a throw in order to avoid domain-name-based filters.
It's clear that SPF on its own won't solve the spam problem and using SPF
checks as your only test is clearly foolish. However, it can already head
off a fair bit of nastiness, and in combination with other existing
techniques - filters and blocklists - it may make a real contribution.
Apologies if this is off-topic for SPF-help.
Angus
-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
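Added example, not part of the original thread: a minimal Python sketch of the SPF check discussed above, limited to the `ip4` and `all` mechanisms. The domains, addresses, records and the 65,536-address breadth threshold are constructed assumptions; it shows a forged ISP sender failing, a throwaway domain with a sweeping record passing, and a breadth check a receiver could use to flag such records.

```python
import ipaddress

# Constructed SPF records keyed by envelope-sender (MAIL FROM) domain.
# A real check fetches the TXT record of that domain from DNS.
RECORDS = {
    "isp.example": "v=spf1 ip4:192.0.2.0/28 -all",
    "throwaway.example": "v=spf1 ip4:198.0.0.0/8 ip4:203.0.0.0/8 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split an SPF record into (result, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), value))
    return parsed

def check_host(client_ip, mail_from_domain, records=RECORDS):
    """Evaluate the connecting IP against the sender domain's record."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for result, mech, value in parse(record):
        if mech == "all":
            return result
        if mech == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return result
    return "neutral"                         # no mechanism matched

def authorized_ipv4_count(record):
    """Count IPv4 addresses the record authorizes with a pass result."""
    nets = []
    for result, mech, value in parse(record):
        if result == "pass" and mech == "all":
            return 2 ** 32                   # "+all" authorizes everything
        if result == "pass" and mech == "ip4":
            nets.append(ipaddress.ip_network(value, strict=False))
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def too_broad(record, limit=65536):
    """Flag records authorizing more addresses than `limit` (assumed cutoff)."""
    return authorized_ipv4_count(record) > limit
```

A pass from a record that `too_broad` flags authenticates only that the throwaway domain listed the sending address, which is why the result still has to be combined with filters and blocklists.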