ietf-asrg

Re: [Asrg] Re: "worm spam" and SPF

2004-12-03 03:35:36
Or, alternatively, the problem SPF "solves" is NOT the spam
problem, nor is it the worm problem.

Yes, that's true, SPF attacks the problem of forged MAIL FROM
addresses and forged HELO domains.

Right, but if that's the ONLY thing it does then it shouldn't be talked
about as a cure for spam, since spam DOES NOT HAVE TO USE forged From
addresses or forged HELO domains.

It was never meant to be a cure for spam. It is just an anti-forgery thing.
But still, in a way it is related to the spam problem because there are
spams blocked by checking SPF records.

...It's indirectly related to spam and worms at the moment, like open
relays were related to the spam problem some years ago.

"Indirectly related" is fine, as long as we recognize it ONLY as such.
(And as such, I think it gets WAY more discussion and attention than it
deserves.)


I don't see SPF as the solution for almost ANY questions.

"Many" is good enough, spammers and worm authors won't waste
their time with something not working at say AOL or behind SA.

The idea of creating a confusing patchwork lattice mesh that the spam
would have to work its way through is fine.  But SPF is not at all
difficult to defeat... you just send the mail using the infected victim's
authorizations.

Tell me one spammer who has the time and patience to first email a worm +
sniffer to a victim and then wait for the sniffer to sniff the victim's
username pwd and other user name pwd, and then start using those ID/pwd
for sending out mails, worse if the network is switched, then wasting
time in ARP spoofing and waiting to sniff.
There are still open relays, return path forgeries etc. used by spammers
because most ppl rely only on anti-spam wonder products and they don't
want to take any initiative on their own or just don't know about things
they can do to prevent spam.


undoing the DAMAGE that SPF has done

There's no "damage", if you don't like it just don't publish a
sender policy.

Again, you're ignoring things like discussion group/mailing lists, message
digests, and so forth.  Anybody who makes the mistake of supporting SPF
later finds that they can't send mail using their business E-mail address
when they are (say) on a cruise ship vacation or at an Internet cafe in
some other country.

SMTP AUTH is a simple and effective way.




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg