spf-discuss
[Top] [All Lists]

Re: Attacking the throwaway-domain problem

2003-10-15 07:19:27
In <20031015073801(_dot_)GA9431(_at_)arbat(_dot_)com> Erik Corry 
<erik(_at_)arbat(_dot_)com> writes:

No, SPF does not verify an identity (authentication),

That's not what I said.  What I (meant to) say is that SPF is
using the registries, routers and TCP sequences to verify
identity.

it verifies
whether a given IP address is approved for use by a given domain
(authorization).

The domain is the identity.  The control over the IP address provides
the authentication.

Again, SPF doesn't verify an identity.  It uses an identity that has
already been verified by some other means.  In the case of the IP
address, that identity is authenticated via the sufficiently-random
sequence numbers, but it could be authenticated some other way, or SPF
could be used to check the authorization of unverified IP addresses.

How and whether the IP address is authenticated is beyond the scope of
the SPF proposal.


These are two different things.

I agree that SPF is much weaker than a conventional authentication
system.

No, SPF is not "much weaker" at authentication.  SPF *isn't*
authentication, it is authorization.



*IF* SPF (or a similar system) becomes widespread, that opens up a new
option for judging the reputation for a domain, much like the IP
address is currently judged..

Yes, though many of the same problems still apply.  It's not always
clear who is to blame for spam in an SPF world:

* Spammer misuses his ISP's SPF-protected SMTP server:
  Is the ISP at fault.  Can spamtraps put the ISP on automated
  block lists?

SPF doesn't protect SMTP servers, it protects a domain name.

If an ISP has authorized a given SMTP server to use it's domain name
and that SMTP server allows people to send spam using the ISP's domain
name, then that is the ISP's problem and the ISP is at fault.


* Mailing list includes spam:
  Did the mailing list do the SPF checks wrong, or use the wrong
  block lists (or white lists).  Or is the spammer using a new
  domain that looked legit.

Mailing lists must send emailing using their one domain as the
envelope-from.  Whether they decide to do any SPF checking or spam
checking of the email to the mailing list is up to them.  SPF protects
a domain name, it doesn't stop all forms of spam.


* Forwarding service sends out spam:
  Again, who is to blame?

Unless the forwarding service also provide spam filtering, I don't see
why they would even be thought about.


How about a spammer misuses his ISP to send mail to a forwarder
who forwards it to a mailing list?  Blacklist all of them?

The choice of blacklisting is up the the end user.  If an end user
wants to blacklist all of them, they can.  

           Domains can be created out of thin air for pocket change,
esp. if you allow 3rd level domains to publish their own SPF data.

Use graylisting.


-wayne

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡