Mailing List Archive

philosophy behind SPF
On Mon, Feb 23, 2004 at 02:51:18PM +0000, Brian Candler wrote:
|
| The spammer will configure his DNS and SPF to look like a legitimate mail
| user. He will send mail from IP address X; his domain's SPF records will say
| "mail can come from IP address X". If people use callouts, he will have an
| MX record for his domain, which points at his own mailserver which accepts
| (and discards) any mail sent there. Or more likely, he will still forge
| addresses of <randomuser@theisp.net> where 'theisp.net' is a domain owned by
| the ISP the spammer is connected through, and therefore follows their SPF
| policy. Poor old randomuser will receive his joe-job bounces.
|

The intra-domain forgery scenario can be solved by ISPs requiring SMTP
AUTH.

http://archives.listbox.com/spf-discuss@v2.listbox.com/200401/1505.html

I don't care if poor old randomuser gets the bounces, as long as I
don't. If randomuser gets harmed by those bounces, he is free to sue
his ISP for negligence in not requiring AUTH. Market forces apply.

| Neither SPF, nor callouts, will reduce the amount of spam you get. They
| might for a very short time, until the spammers catch up. I don't buy into
| this arms race, as it cannot be won.

I encourage all spammers to publish SPF records, and to mail through
their ISP smarthosts, because that gives the good guys more points of
control.

SPF alone will not reduce the amount of spam you get. SPF is not an
FUSSP; it is a way for me to not get joe-jobbed, and to help keep other
people from getting joe-jobbed.

If you want to reduce spam, you have to involve a reputation system.

http://archives.listbox.com/spf-discuss@v2.listbox.com/200311/0118.html

Since Aspen we have been working under a framework that is, roughly,

On the sender side
    authentication
    accreditation

On the receiver side
    reputation
    enforcement

SPF helps with the first half. Receivers use that to do the second half.

Once there is accountability, and traceability, then enforcement methods
become stronger.

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
Re: philosophy behind SPF
On Mon, Feb 23, 2004 at 10:28:44AM -0500, Meng Weng Wong wrote:
> The intra-domain forgery scenario can be solved by ISPs requiring SMTP
> AUTH.
>
> http://archives.listbox.com/spf-discuss@v2.listbox.com/200401/1505.html

Which they could do now. But they don't, as they would break all users who
are legitimately sending mail from <me@my-vanity-domain.com>, or users with
5 mailboxes in the same household, and so on (apart from the fact that all
their existing customers would require reconfiguration, which is actually
the biggest issue).

It's not really part of SPF though. Effectively the ISP would have to
implement their own stronger-than-SPF policy, binding envelope sender to
individual AUTHenticated user. SPF could be used to tell the rest of the
world "you can't send mail from anyone@mydomain".

SMTP AUTH could be a useful enforcement mechanism. Each time a spammer
registers for an account (a dial-up, a leased line, etc), she would get a
single SMTP AUTH username/password. Her mail relaying privileges could
easily be revoked, in the same way that her access could be terminated, but
additionally she could also have per-user rate-limiting policies applied,
and it's easier to detect patterns in mail usage (or abuse) if you have an
authenticated user.

BUT: the benefit mainly accrues to the rest of the Internet, not to the ISP
who goes to all this trouble. They may save themselves a little abuse desk
work by keeping spammers off. But they will still be lost in a tide of spam
from the rest of the world.

If you are saying the whole Internet should be built around the above
scenario: that's great. IP-Blacklist everyone who doesn't comply. It's not
going to happen in the near future.

> SPF alone will not reduce the amount of spam you get. SPF is not an
> FUSSP; it is a way for me to not get joe-jobbed, and to help keep other
> people from getting joe-jobbed.

I think there are simpler ways of preventing the fallout from joe-jobs
though, which are effective immediately rather than having to wait for the
rest of the world to implement SPF.

> If you want to reduce spam, you have to involve a reputation system.

You mean reputation on domain name? I see the logic, but I'm not yet
convinced. In order to be effective there would be a huge bias against
genuine companies who are new to the Internet, and if it's 99.9% effective
against spammers, they will just have to register 1000 times as many domains
as now.

It will only be more effective than IP blacklists for dynamic-IP scenarios:
i.e. spam sent from dial-ups and DSL lines. I do agree that if people have
to "invest" in their domain becoming "trusted" in some fashion, then they
have something valuable to take with them, even if they change ISP and
therefore their IP netblock moves. I don't think new users will accept that
their dial-up account (or vanity domain) is being rejected by the rest of
the Internet just because it hasn't established a 'credit history'.

But the biggest problem I see is that it just depends on too many things
piled up together to become effective:
- widespread adoption of SPF (and SRS to fix broken forwarding)
- ISPs widely requiring SMTP AUTH and enforcing envelope sender validity,
  so that only the reputation of spamaccount@myisp.net is affected, not
  my entire myisp.net domain, by that user [*]
- a distributed reputation system with input from the unwashed masses

[*] If you are happy to tarnish all of myisp.net with the same brush, then
IP blacklists are just as effective anyway

If this is all really necessary, then a public-key cryptographic mechanism
might actually be a lot simpler and easier to implement.

Regards,

Brian.
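
An added example, not part of either post: a sketch of the submission-server policy the reply above describes, binding the envelope sender to the AUTHenticated login, with per-login rate limiting and revocation. The login names, address map, limits and reply codes are constructed assumptions; the map covers the vanity-domain and multi-mailbox household cases raised in the thread.

```python
import time
from dataclasses import dataclass, field

# Constructed sample data: envelope senders each AUTH login may use.
# "alice" also owns a vanity domain; "household7" has several mailboxes.
ALLOWED_SENDERS = {
    "alice": {"alice@myisp.net", "me@my-vanity-domain.com"},
    "household7": {"mum@myisp.net", "dad@myisp.net", "kid@myisp.net"},
}

@dataclass
class Bucket:
    tokens: float   # messages this login may still send right now
    stamp: float    # time of the last refill

@dataclass
class SubmissionPolicy:
    burst: int = 3             # messages allowed back-to-back (assumed)
    per_second: float = 0.5    # token refill rate per login (assumed)
    revoked: set = field(default_factory=set)
    buckets: dict = field(default_factory=dict)

    def check(self, login, mail_from, now=None):
        """Return an SMTP-style (code, reason) for one MAIL FROM command."""
        now = time.monotonic() if now is None else now
        if login is None:
            return 530, "authentication required"
        if login in self.revoked:
            return 550, "relay privileges revoked"
        # Bind envelope sender to the authenticated account, not the domain.
        if mail_from.lower() not in ALLOWED_SENDERS.get(login, set()):
            return 553, "sender not owned by authenticated user"
        # Token bucket per login: refill by elapsed time, capped at burst.
        b = self.buckets.setdefault(login, Bucket(self.burst, now))
        b.tokens = min(self.burst, b.tokens + (now - b.stamp) * self.per_second)
        b.stamp = now
        if b.tokens < 1:
            return 451, "rate limit exceeded for this login"
        b.tokens -= 1
        return 250, "ok"
```

Because rejection and rate limiting are keyed on the login, an abusive account can be throttled or revoked without affecting other senders in the same domain.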
