ietf-mxcomp

RE: SPF abused by spammers

2004-09-13 09:29:50

[snip]

Going back to my spam examination where you are examining a spam message:
Suppose the IP address in the received from header no longer matches the
SPF records. In this case you don't know if your SPF check passed because
DNS records were spoofed, or if the real DNS records were changed. All
you know is that you got a spam from a certain IP address. You don't know
whether it was forged or not.

 This is why the delay time is there. (28 days?) If it is no longer 
there, then it *MUST* fail.

Delay time? 
*MUST* fail???

What are you talking about?

 I apologize. I was actually thinking about something else when I wrote
that. Don't know how I missed it in my re-read.
So here is the answer I meant to give.

So the IP address changes- So does the SPF record. The two should not be
out of sync. This is an administrative issue.



Suppose the IP address in the received header does match the SPF
records. You don't know if the abuser signed up for an account with
that domain, or if they got an infected machine under that domain.
You don't know whether the nameserver was cracked, and incorrect
records added. Most people can't tell the difference between a
poisoned DNS cache and whether the records really come from an
authoritative nameserver, or even figure out where they got the DNS
record from. So, similarly, all you really know is that you got a
spam from a certain IP address.
 
 Again, in this case it *MUST* fail.

Why would it fail if the SPF "check" succeeds?

Or is this just another case of blind faith? Yes, it *must* fail if SPF is
to work. Except that it doesn't fail, and as a result SPF doesn't work.


That is not at ALL what it means. What it means is: It failed.
It must and will fail.
Just because the SPF record belongs to a spammer and the SPF check
doesn't fail DOES NOT mean that SPF failed. It means it SUCCEEDED.


[snip]

They already do this. Every day.  You seem to be saying that 
AOL sends no spam, and has no spammers, no viruses, no stolen 
accounts???


This is a very low percentage of spam and killable using other methods.

I note that you wrote this notion as an admin for Bell South.
Has Bell South been able to clean spammers out of Bell South? Or clean
virus infections out of Bell South? Or make it impossible for Bell South
users to get viruses, worms, etc.? Or do they just whack them as they
find them? Or is this just another "blind faith" that you //think// will
happen?

If you've found some special immunity from spammers/viruses/worms, then I
think you should share that. //That// would be far more valuable than SPF.
If we could prevent spammers/viruses/worms then we wouldn't need anti-spam
tools at all.

 My opinions in this discussion group have always been, and always will
be, my own.
I delete my 'official' signature before I send any email to this group.
If I wished to make an 'official' comment, it would be marked as such.
Most people here know who I am and what I do. This lends itself to my
credibility in a technical discussion, as I have direct, volumetric, and
personal experience in direct relation to the issues.
I hope you will understand why I believe the above is completely
inappropriate and request that my employer not be brought into the
discussion. 

Regards,
Damon Sauer 
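The disagreement above is about what an SPF result asserts. The following is an added example, not code from either poster or from any SPF implementation: a small evaluator for a subset of SPF (ip4, include, and the -/~/? qualifiers on all) run against constructed records for made-up domains (bigisp.example, relay.example, spammer.example). It shows a forged use of a domain failing, while a spammer's own correctly published record yields "pass", which is exactly the distinction drawn in the thread: "pass" means the domain authorized that IP, nothing more.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups. These are not real
# domains' records; they exist only to illustrate SPF results.
SPF_RECORDS = {
    "bigisp.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.7 -all",
}

def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a tiny SPF subset (ip4, include, all with +/-/~/? qualifiers).
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                       # guard against include: loops
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            # include: matches only if the referenced domain would return pass
            if check_spf(term[8:], client_ip, records, depth + 1) == "pass":
                return result
        elif term == "all":
            return result
    return "neutral"                     # no mechanism matched, no 'all'

def scenarios():
    """The cases argued about in the thread, as SPF results."""
    return {
        # Mail from the ISP's own outbound range: the domain authorized it.
        "legit": check_spf("bigisp.example", "192.0.2.25"),
        # Sender claims bigisp.example from a host the record never listed:
        # the IP and the record are out of sync, so the check fails.
        "forged": check_spf("bigisp.example", "203.0.113.7"),
        # Spammer's own domain, own host, correct record: SPF passes. It
        # confirmed authorization; it said nothing about the mail being spam.
        "spammer_own_domain": check_spf("spammer.example", "203.0.113.7"),
        # Authorized indirectly through include: of the relay's record.
        "via_relay": check_spf("bigisp.example", "198.51.100.10"),
    }
```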



