RE: SPF abused by spammers

I claim absolutely no originality here. Butler Lampson was talking about
Authentication/Authorization in the design of the MULTICS security system
thirty years ago before email was invented. The only originality here might
be here is changing the term authorization to accreditation due to the
possible use of third party data.

What I suspect has happened here is that the spammers have asked their arms
providers for a SenderID work arround and this is what they have come up
with. It does not have to work for the arms providers to get paid. I suspect
that spammers are also adding SPF records in the hope that they can slow the
adoption of SenderID by falsely claiming it is not going to work. If
SenderID was not going to work they would not be as concerned as they
clearly are.

We have a reactive system here, we said all along that this would happen.
disposable domains are a clear weakness in any authentication only solution.
That is why we have to go further to accreditation - which I hope we will
get to as soon as last call finishes.

SenderID is the chasis, engine and wheels. We know that we also need
bodywork before we have a complete car.

                Phill

> -----Original Message-----
> From: Sauer, Damon [mailto:Damon(_dot_)Sauer(_at_)bellsouth(_dot_)com]
> Sent: Thursday, September 09, 2004 12:39 PM
> To: Hallam-Baker, Phillip; Dean Anderson; Markus Stumpf
> Cc: ietf-mxcomp(_at_)vpnc(_dot_)org
> Subject: RE: SPF abused by spammers
>
>
> Also by me. Please see my post dated: Wed, 5 Mar 2003. With particular
> attention to example.
>
> http://www1.ietf.org/mail-archive/web/asrg/current/msg00334.html
>
> Regards,
> Damon Sauer
>
>
> -----Original Message-----
> From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
> [mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of 
> Hallam-Baker,
> Phillip
> Sent: Thursday, September 09, 2004 11:46 AM
> To: 'Dean Anderson'; Markus Stumpf
> Cc: ietf-mxcomp(_at_)vpnc(_dot_)org
> Subject: RE: SPF abused by spammers
>
>
>
> What percentage of the SPF authenticated spam is being trapped by the
> spam filters?
>
> The big advantage of authentication is that you are no longer 
> forced to
> analyse at the message level. Even if you have zero third party 
> data available you can arrive at general conclusions such as 
> 'all mail from example.com is spam' or the opposite.
>
> Authentication alone is not a security solution. You also need
> authorization. This is what I was saying 18 months ago in my 
> 'Plan for No Spam'. 
>
>               Phill
>
> > -----Original Message-----
> > From: Dean Anderson [mailto:dean(_at_)av8(_dot_)com]
> > Sent: Thursday, September 09, 2004 10:59 AM
> > To: Markus Stumpf
> > Cc: ietf-mxcomp(_at_)vpnc(_dot_)org
> > Subject: Re: SPF abused by spammers
> >
> >
> >
> > Isn't that what I said would happen?
> >
> >             --Dean
> >
> > On Thu, 9 Sep 2004, Markus Stumpf wrote:
> >
> > > Justin Murdock posted this link on the qmail list:
> > >     http://news.bbc.co.uk/1/hi/technology/3631350.stm
> > >     "CipherTrust [...] found that 34% more spam is passing
> > SPF checks than
> > >     legitimate e-mail."
> > >
> > >   \Maex
> > Date: Tue, 10 Aug 2004 19:55:57 -0400 (EDT)
> > From: Dean Anderson <dean(_at_)av8(_dot_)com>
> > To: 'IETF MARID WG' <ietf-mxcomp(_at_)imc(_dot_)org>
> > Subject: Analysis of SPF benefits for reduced filtering
> >
> >
> > It has been reported that AOL is already using SPF to give reduced
> > filtering to SPF-using domains. Is this a good idea?
> >
> > IF you use SPF to provide less stringent anti-spam
> > processing, then you
> > are MORE vulnerable than you were before. You have shot 
> > yourself in the
> > foot.  Suppose for example that AOL subjects MSN users to 
> > less stringent
> > anti-spam filtering because MSN uses SPF.  MSN is still 
> vulnerable to
> > viruses as it was before it used SPF, and it is just as 
> vulnerable to
> > disposable account creation as it was before.  Using SPF will 
> > __attract__
> > abusers to MSN, because they can get more spam through to 
> > AOL, because it
> > is subject to less processing.  Since AOL is doing less 
> > processing on the
> > same spam, AOL users get more spam. SPF is bad for both companies.
> >
> > And of course, anyone who sets up a disposable domain can
> > also get spam
> > through to AOL by creating an SPF record for the domain. Disposable
> > domains along with disposable or stolen accounts is a major 
> > problem now,
> > and it remains a major problem under SPF.
> >
> > Anything that reduces spam filtering without reducing the number of 
> > abusers will be harmful.
> >
> > Basically, SPF gives abusers the opportunity to whitelist
> > themselves, or
> > the opportunity to identify ISPs that may be whitelisted. 
> Any kind of
> > whitelist that is under the control of the sender, rather than the
> > recipient is also going to be ineffective and harmful.
> >
> >
> > Dean Anderson
> > Av8 Internet, Inc
>
> *****
> The information transmitted is intended only for the person 
> or entity to which it is addressed and may contain 
> confidential, proprietary, and/or privileged material.  Any 
> review, retransmission, dissemination or other use of, or 
> taking of any action in reliance upon, this information by 
> persons or entities other than the intended recipient is 
> prohibited.  If you received this in error, please contact 
> the sender and delete the material from all computers. 113