ietf-asrg

Re: [Asrg] SPF is only useful to dupe the ignorant...]

2004-09-11 12:42:19
At 10:08 AM +0000 9/11/04, Fridrik Skulason wrote:
> At 3:43 PM -0400 9/10/04, Barry Shein wrote:
> > Spammers no longer use static domains, and they haven't for years.

> Some still do, but they are untouched by SPF anyway.

> > Spammers use ZOMBIE PCs.

> Yes, and those are quite hard to get into SPF records.

> There are two things to consider here.
>
> 1) Most compromised machines (and the last time I checked they seemed
> to account for 30% of the spam) are personally owned "home" machines,
> running Windows, typically with an ADSL or broadband connection.  In

It looks different to me: more like 80%. That's what I'm seeing rejected by the Spamhaus XBL plus a local blacklist made up almost entirely of consumer broadband ranges. I have never seen any 1st-hand evidence of false positives from either list. However, that 80% does not distinguish between spam intended to sell stuff and spam intended to spread infection. If you're only looking at spam not matching a malware signature, that could explain the discrepancy.

> many cases they have dynamic IP addresses, and they simply should not
> be sending out mail directly.  Many ISPs block port 25 traffic from those
> machines.  However, in theory a spammer could send the mail through
> the ISP, just as if it was the user actually hitting the buttons -
> on a compromised machine anything is possible.  In those cases it
> is possible to get the mail to pass an SPF check.

Yes, but this is a losing tactic. Spammers learned almost a decade ago that spamming through the mail servers of consumer ISPs was a swift path to disconnection because of how easy it is for an ISP to detect and respond to that sort of spamming. There may have been regression on the part of ISPs in the last few years in the area of keeping their legitimate outbound mail systems from being used to spam, but I suspect that Swen has managed to instruct the backsliders.

> 2) If the ISP allows use of port 25, all the spammer has to do is to
> determine which domain the compromised machine "belongs to", and then
> send out the mail with a forged sender *in that domain*, as if the
> owner of the machine was actually sending the mail.
>
> To the outside (and to anyone checking SPF records), there would not
> be a difference between spam sent from the machine and real email
> sent by a real human sitting at the keyboard.

Right, and this is a serious concern relative to preventing spam from being transported.

However, any accurate detection of a domain that will allow a machine to pass SPF checks also affixes a truly responsible party to the mail. If one publishes an SPF record including a particular IP address, one is affirming responsibility for the use of that domain name from that IP address.

> SPF is not a "cure-all" - it will help against joe-jobbing in
> particular, and (if universally adopted), it will kill off the
> current generation of computer worms.

It won't kill Swen. Only the spawning of competent and ethical ISPs can do that. Don't hold your breath.

> Combined with ISPs blocking
> port 25 by default, blacklisting of ISPs that allow spammers to set
> up one throwaway domain after another, harsher legal actions against
> those using compromised machines for spam and Spamhaus-type
> blacklisting of spammers with their own dedicated spam-servers you
> would actually see a VERY significant drop in spam.

Some of those actually drive increases, when measured in the wrong ways.

I believe that the excellent Spamhaus SBL and XBL are a part of the reason for the explosion in spam over the past year, if you measure spam from a point not protected by those lists. Spammers have a long history of responding to effective measures by driving more volume, and for the XBL especially this only improves the effectiveness and creates a cycle of escalating volume. The available mechanisms for reliably rejecting spam mean that a competently operated mail system can provide users with less spam in their mailboxes today than 3 years ago, even as the volume of spam being offered up has grown. The more the spammers send, the faster they become detectable. As their stuff gets detected faster and rejected more, they boost the volume more.

> SPF alone is not going to reduce spam - only change its nature by
> getting rid of most joe-jobs (except the "same domain" ones).

Right. The history of spam evasion is of ongoing identification of the various technical gaps in email where the spammers slip through and putting traps over them. At some point maybe we'll be able to tell who is sending each message easily and reliably enough to actually address the social issue of spamming.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
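
An added example, not part of the thread above, that evaluates a simplified SPF record offline (only the ip4, ip6 and all mechanisms; a, mx, include and DNS lookups are left out). The domains, records and addresses are constructed. It shows the two cases discussed: a compromised host inside a domain's published range forging a same-domain sender passes, while a joe-job from an address the domain never listed fails.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (example.net, example.org).
# Only ip4/ip6/all mechanisms are modelled; real SPF also has a, mx, include,
# redirect and DNS lookups, which are out of scope for this offline example.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a v=spf1 record against the connecting IP (ip4/ip6/all subset)."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[:1] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all: usually -all or ~all
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"  # malformed record
            if ip in net:  # False automatically when IP versions differ
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this toy evaluator does not model
    return "neutral"  # nothing matched and no trailing 'all'

def spf_result(mail_from, client_ip):
    """Look up the sender domain's record and return the SPF result string."""
    domain = mail_from.rpartition("@")[2].lower()
    record = SPF_RECORDS.get(domain)
    return "none" if record is None else check_spf(record, client_ip)

if __name__ == "__main__":
    # Zombie inside example.net's published range forging a same-domain sender.
    print(spf_result("victim@example.net", "203.0.113.45"))  # pass
    # Classic joe-job from an address example.net never authorised.
    print(spf_result("victim@example.net", "192.0.2.7"))     # fail
```

The "pass" in the first case is the point made above: the domain owner who published that ip4 range has accepted responsibility for mail from it, zombie or not.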


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg