ietf-asrg

Re: [Asrg] SPF is only useful to dupe the ignorant...]

2004-09-11 03:20:19
At 3:43 PM -0400 9/10/04, Barry Shein wrote:
> Spammers no longer use static domains, and they haven't for years.

Some still do, but they are untouched by SPF anyway.

> Spammers use ZOMBIE PCs.

Yes, and those are quite hard to get into SPF records.

There are two things to consider here.

1) Most compromised machines (and the last time I checked they seemed
to account for 30% of the spam) are personally owned "home" machines,
running Windows, typically with an ADSL or broadband connection.  In
many cases they have dynamic IP addresses, and they simply should not
be sending out mail directly.  Many ISPs block port 25 traffic from those
machines.  However, in theory a spammer could send the mail through
the ISP, just as if it was the user actually hitting the buttons -
on a compromised machine anything is possible.  In those cases it
is possible to get the mail to pass an SPF check.

2) If the ISP allows use of port 25, all the spammer has to do is to
determine which domain the compromised machine "belongs to", and then
send out the mail with a forged sender *in that domain*, as if the
owner of the machine was actually sending the mail.

To the outside (and to anyone checking SPF records), there would not
be a difference between spam sent from the machine and real email
sent by a real human sitting at the keyboard.

SPF is not a "cure-all" - it will help against joe-jobbing in
particular, and (if universally adopted), it will kill off the
current generation of computer worms.  Combined with ISPs blocking
port 25 by default, blacklisting of ISPs that allow spammers to set
up one throwaway domain after another, harsher legal actions against
those using compromised machines for spam and Spamhaus-type
blacklisting of spammers with their own dedicated spam-servers you
would actually see a VERY significant drop in spam.

SPF alone is not going to reduce spam - only change its nature by
getting rid of most joe-jobs (except the "same domain" ones).

--
Fridrik Skulason   Frisk Software International   phone: +354-540-7400
Author of F-PROT   E-mail: frisk(_at_)f-prot(_dot_)com       fax:   +354-540-7401
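
An added example (not part of the original message): a simplified SPF evaluator that handles only `ip4:` and `all` terms, run over constructed records for hypothetical domains, reproducing the three cases discussed above. It assumes the ISP that allows direct port 25 lists its customer address pool in its own SPF record.

```python
import ipaddress

# Constructed SPF records: hypothetical domains, documentation address ranges.
SPF_RECORDS = {
    "isp.example": "v=spf1 ip4:192.0.2.0/28 -all",       # outbound relays only
    "victim.example": "v=spf1 ip4:198.51.100.10 -all",   # domain a joe-jobber forges
    "openisp.example": "v=spf1 ip4:203.0.113.0/24 -all", # assumed: covers customer pool
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, mail_from):
    """Evaluate the envelope sender's domain against the connecting IP.

    Simplified: only ip4 and all mechanisms, no include/redirect/macros.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        result = "pass"  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        if term == "all":
            return result
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return result
    return "neutral"  # no mechanism matched and no "all" term


def scenarios():
    """The receiving server sees only the connecting IP and the envelope sender."""
    zombie = "192.0.2.200"        # compromised home PC at isp.example
    isp_relay = "192.0.2.5"       # isp.example's own outbound relay
    open_zombie = "203.0.113.77"  # compromised PC at an ISP allowing port 25
    return {
        # Joe-job: zombie sends directly, forging an unrelated domain.
        "joe_job": spf_check(zombie, "ceo@victim.example"),
        # Case 1: zombie submits through the ISP relay, like the real user.
        "via_isp_relay": spf_check(isp_relay, "user@isp.example"),
        # Case 2: zombie sends directly with a forged sender in its own domain.
        "same_domain": spf_check(open_zombie, "someone@openisp.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} {result}")
```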
