ietf-asrg

Re: [Asrg] Re: "worm spam" and SPF

2004-12-03 11:39:24
On Fri, 3 Dec 2004, aseem_jakhar(_at_)persistent(_dot_)co(_dot_)in wrote:
Or, alternatively, the problem SPF "solves" is NOT the spam
problem, nor is it the worm problem.

Yes, that's true, SPF attacks the problem of forged MAIL FROM
addresses and forged HELO domains.

Right, but if that's the ONLY thing it does then it shouldn't be talked about as
a cure for spam, since spam DOES NOT HAVE TO USE forged From addresses or
forged HELO domains.

It was never meant to be a cure for spam. 

If not, it's certainly been PRESENTED that way.

It is just an anti-forgery thing.  But still in a way it is related to the
spam problem because there are spams blocked by checking SPF records.

There are also a GREAT many LEGITIMATE mails "blocked by checking SPF records", 
and that's a good part of the problem with the (ill-conceived) approach.

...It's indirectly related to spam and worms at the moment, like open relays
were related to the spam problem some years ago.

"Indirectly related" is fine, as long as we recognize it ONLY as such.  (And as
such, I think it gets WAY more discussion and attention than it deserves.)

I don't see SPF as the solution for almost ANY questions.

"Many" is good enough, spammers and worm authors won't waste
their time with something not working at say AOL or behind SA.

The idea of creating a confusing patchwork lattice mesh that the spam would have
to work its way through is fine.  But SPF is not at all difficult to defeat...
you just send the mail using the infected victim's authorizations.

Tell me one spammer who has the time and patience to first email a worm +
sniffer to a victim and then wait for the sniffer to sniff the victim's
username/password and other usernames/passwords, and then start using those ID/pwd
for sending out mails; worse, if the network is switched, then wasting
time in ARP spoofing and waiting to sniff.

Don't be ridiculous and set up these stupid straw men arguments.

First of all, you make it sound like some "extra step" is required by the 
spammer, and that's just not true.

Once a machine is infected, it's generally trivial to find the infected user's 
E-mail address.  And it's nearly as trivial to find their outgoing E-mail 
password, whether from the registry or by monitoring the legitimate outgoing 
E-mails they send.

There are still open relays, return path forgeries etc. used by spammers
because most people rely only on anti-spam wonder products and they don't
want to take any initiative on their own or just don't know about things
they can do to prevent spam.

Agreed that most folks are relatively clueless, but what's your point there?

In any case, a fine-mesh permissions list approach such as I propose, combined 
with a good content filter (and the latter can be FAR more effective in 
conjunction with the former) is clearly a SUPERIOR way to both combat spam, and 
virtually eliminate E-mail as a transmission vector for viruses and worms.  
While at the same time not imposing ANY significant restrictions on open relays,
vanity domains, mailing lists, digests, forwarding, and other legitimate and
well-established traditional features supported by E-mail.

undoing the DAMAGE that SPF has done

There's no "damage", if you don't like it just don't publish a
sender policy.

Again, you're ignoring things like discussion group/mailing lists, message
digests, and so forth.  Anybody who makes the mistake of supporting SPF later
finds that they can't send mail using their business E-mail address when they
are (say) on a cruise ship vacation or at an Internet cafe in some other
country.

SMTP AUTH is a simple and effective way.

ABSOLUTELY NOT!!!!  You are TOTALLY IGNORING the issue of sending mail from 
public access Internet kiosks.  A good example is from cruise ship Internet 
"cafes" where you have **no** choice regarding the SMTP server you MUST use;  
you are NOT (generally) using your own portable computer;  you can NOT change 
(for obvious reasons) the mail server to be used in transmission;  and you 
PROBABLY want to sign your mail using your *own* normal E-mail return address 
(which could well be a personally-owned domain name, but also might be your 
"normal" ISP-provided E-mail address).

But this is a good example of how the SPF-type (and other DNS-based) folks try 
(in vain) to eliminate serious objections and problems with their proposals by 
waving a magic wand with obfuscatory nonsense which in fact changes NOTHING.

We can spend YEARS debating (and then implementing) SPF or some other similar 
DNS-based certification scheme, and when we get done we will have accomplished 
VIRTUALLY NOTHING in the war against spam, and if anything it will be MORE 
disruptive because by then, instead of bounces and such mostly getting T-canned 
as undeliverable, they'll effectively become a DDOS attack on the infected 
victim.  :-((

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
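The three situations argued over above (a forged MAIL FROM sent from a bot, a worm that submits mail through the relay the infected user is already authorized to use, and a legitimate user sending from a kiosk abroad) can be made concrete by evaluating SPF against fixed records. The following is an added example, not code from the thread or from any SPF implementation: it evaluates the ip4/include/all subset of SPF (as later specified in RFC 4408/7208) against a constructed in-memory table standing in for DNS TXT lookups, so it runs offline. The domains, addresses and records are all made up for illustration.

```python
"""Evaluate SPF against constructed records, with no DNS traffic.

Added illustration for the ASRG thread; not part of the original post.
Only the ip4:, include: and all mechanisms are modelled, with the
+ - ~ ? qualifiers. FAKE_TXT is a stand-in for TXT record lookups.
"""
import ipaddress

# Constructed records (documentation ranges, not real deployments):
#   example.com  : its own MX/outbound range plus its ISP's smarthosts, hard fail otherwise
#   isp.example  : the ISP's outbound relay range, soft fail otherwise
FAKE_TXT = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:isp.example -all",
    "isp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into its mechanism terms; require the v=spf1 tag."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def check_spf(domain, client_ip, depth=0):
    """Return the SPF result for a MAIL FROM domain seen from client_ip.

    Results: pass, fail, softfail, neutral, none (no record) or permerror.
    """
    if depth > 10:                       # RFC limit on recursive lookups
        return "permerror"
    record = FAKE_TXT.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in parse_spf(record):
        qualifier = "+"                  # default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]

        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the included domain's policy yields pass
            sub = check_spf(term[len("include:"):], client_ip, depth + 1)
            if sub == "none":
                return "permerror"
            matched = sub == "pass"
        elif term == "all":
            matched = True
        else:
            continue                     # a/mx/ptr/exists not modelled here

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # no mechanism matched


def scenarios():
    """The three cases from the thread, all with MAIL FROM <user@example.com>."""
    return {
        # spammer forging MAIL FROM from an unrelated bot: SPF rejects it
        "forged_from_bot": check_spf("example.com", "192.0.2.77"),
        # worm on an example.com user's PC sending through the ISP relay the
        # user already submits through: SPF accepts it, as the thread argues
        "worm_via_victims_relay": check_spf("example.com", "203.0.113.25"),
        # the same user at an Internet cafe abroad, same forged-looking path:
        # indistinguishable from the bot, so rejected
        "roaming_user_kiosk": check_spf("example.com", "192.0.2.200"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} -> {result}")
```

Note that the second and third results are the two halves of the objection in the message: the worm case passes because authorization is tied to the sending path rather than to who wrote the message, while the roaming user fails for exactly the same reason. A real resolver adds DNS round trips, the a/mx/ptr mechanisms and the macro syntax, but the decision logic is what is shown.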



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg