ietf-mxcomp

Re: How is SPF different from RMX?

2004-07-30 16:18:12

On Tue, 27 Jul 2004, Alan DeKok wrote:


With the preceding in mind, how does SPF prevent a virus-infected,
hijacked computer from sending abuse email?

  It doesn't.  It DOES, however, make them accountable to either the
domain used by the owner of the infected machine, or by a throw-away
spammer domain.

Which does what?  AOL and MSN and other large domain operators already
have tens of thousands of virus infected machines sending junk. Mostly,
those machines are connecting directly. It wouldn't make any difference if 
they send mail through AOL's mail servers instead, using a forged (or 
accurate) <user>@aol.com From: address.  

Major residential providers have already blocked outgoing SMTP, which 
forces the clients to the providers' relays. This hasn't stopped abuse.  
Essentially, all SPF is a way to force everyone to block outbound SMTP 
except from their relays.  But that won't stop abuse either.

  IMHO, MARID (RMX, etc) is about closing a hole in SMTP, which says
"messages MUST be accepted for delivery or bounced", but it makes no
provisions for ensuring that the message CAN be bounced.  

Ahh. Still trying to contact the abuser.  Well, forget it. There is no way
to do that.  You aren't dealing with a commercial operator practically any
of the time. You are dealing with a one-way, virus-operated mail client
whose purpose is not two-way communication but sending one-way abuse. 
"Bounce" has no meaning to such a client, and there is no point in trying 
to "bounce" anything to them.

One intention behind all of these related ideas is to provably have an
accountable entity which will accept responsibility for messages,
including bounces.

This is impossible. You already have an accountable entity: the IP address
delegate.  Evidently, they either aren't responsible enough or aren't
responsive enough to halt abuse. They are often the same entity as the
domain delegate:  AOL owns the IP address, AOL owns the aol.com domain.  
You haven't "proven" anyone's accountability.

Information theory demonstrates conclusively that you can't stop
abuse by protocol.  There is an abuse problem: More specifically, there is
a Virus problem. The virus operator doesn't care about the domain owner
any more than they care about the machine owner, or the IP address owner.
The domain owner has no more control over the infected machine than the IP
address owner.  That being so, sender verification is pointless.

It costs us millions, perhaps billions of dollars to go through these 
gyrations. There are millions of domains, for which tens or hundreds of 
records will have to be added to DNS. That expands the distributed DNS 
database by tens or hundreds of millions of records.  Operations like 
register.com and DNS operators have to alter their applications to store 
and update the records.  Millions of dollars are spent doing this.

The virus operator has to add a couple lines of code to his program to use
the infected machine's legitimate email address, and use psyBNC to
distribute this to his virus stable.  Time to implement: few days. Cost: 0.

I am sorry to be critical, but this was why the DNSEXT group rejected RMX.  
One has to wonder why it was brought up again without more critical
analysis.

If you want to stop abuse, then forget about SPF, and work on viruses.  
That's the problem and unless you address that problem, you are just
playing with playdoh: Squeezing it just changes the shape, but not the
mass. It doesn't go away, it just morphs.  But making it change shape
costs the good guys money and the bad guys nothing.

                --Dean