> Pretend I'm a spammer. I have a list of 120 million people's email
> addresses. I have a high speed connection in some city somewhere. Let's
> just say my ISP is isp.net.
> If I go down the list of email addresses, there are 20 million unique
> domains. So all I have to do is find a domain whose spf records allows the
> person to send mail from *my* isp. Suppose the victim's email address is
> honestjoe@isp.net
So the use of SPF has massively trimmed the amount of forgeable
source addresses now, incurring more work on the spammer's part
to find an appropriate address, and providing us with a much
smaller list of machines from which the spammer must have been
spamming. He can't choose a million random IP addresses, he
can only choose from the ISP's smattering of outgoing mail
servers.
Where previously, the spammer would send five emails each out
of a million machines, now he needs to send a million emails
out of the five ISP mail servers. The one ISP will notice
this huge usage, whereas previously the million ISPs would
not notice five emails.
SPF made the spammer's job a lot harder, and made his actions
much more obvious to someone able to do something about it.
> Presto. I can forge Joe's email address as much as I want.
If you're talking about authenticating joe's identity, you
still do not understand. Currently anyone anywhere on the
internet can forge email as if it's from joe. With SPF
only people at joe's ISP can forge it. That's an improvement.
Improvements are good.
If we decide that a solution must solve 100% of the problems we
will never get one, and will be stuck where we are for the rest
of eternity. If we pick a solution that solves most of the problems,
and the unsolved parts are well understood then we've made good
progress.
Clearly there are those who do understand and those who do not.
> and spf will
> tell the victims that it's really Joe sending the spam.
No, it'll tell them that joe's email address sent the spam,
and that it must have come through a machine allowed to
send email from joe's domain.
Currently, seeing joe's email address doesn't mean anything
at all. SPF is again an improvement.
> No matter what you do with SPF, the spammer will always succeed in this
> method.
At an increasing cost of doing his business, and with a higher
chance of being identified and either cut off or caught.
> Poor Joe can't do anything about it. Consider his options:
> ...
Yep, poor joe can't do much that's extremely simple. However
poor joe can't do much today either. No change in the status
quo, and thus SPF doesn't incur a penalty.
And, if joe has SPF rules, he's less likely to be the forged
sender, because the spammer needs to get on a machine that's
trusted by joe. Thus SPF makes him a less likely target.
Sounds like a good deal for joe and the Internet community
all around!
--
Brian Hatch                "You could be a winner
 Systems and                No purchase necessary.
 Security Engineer          Details inside."
http://www.ifokr.org/bri/

Every message PGP signed
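As an added illustration of the point argued above (this is not code from the original thread or from the SPF project), a minimal SPF v1 evaluator run against a constructed record for the hypothetical isp.net domain; the record, the IP addresses and the example.org domain are assumptions made for the example. It shows that a forged honestjoe@isp.net is rejected when sent from an arbitrary host, but accepted when relayed through one of the ISP's own outgoing servers, which is exactly the residual forgery the thread discusses.

```python
# Added example, not from the original thread: a minimal SPF v1 evaluator
# that understands only ip4:/CIDR and the +all/-all/~all/?all mechanisms,
# enough to show which sending hosts a receiver accepts for a domain.
import ipaddress

# Constructed record for the hypothetical isp.net domain (assumption):
# only the ISP's outgoing mail servers may send mail with an isp.net
# envelope-from; any other connecting host hard-fails.
SPF_RECORDS = {
    "isp.net": "v=spf1 ip4:203.0.113.0/28 ip4:198.51.100.25 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for the
    MAIL FROM domain and the IP of the connecting SMTP client."""
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no policy; receiver learns nothing
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term  # qualifier defaults to '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            matched = True
        elif mech.lower().startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = ip.version == 4 and ip in net
        else:
            continue  # mechanisms not modelled here (a, mx, include, ...)
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched


if __name__ == "__main__":
    # Spammer on an unrelated host forging honestjoe@isp.net: rejected.
    print(check_spf("isp.net", "192.0.2.77"))
    # Spammer who is an isp.net customer, relaying through the ISP's own
    # outgoing server: accepted, but all that traffic now lands on the ISP.
    print(check_spf("isp.net", "203.0.113.5"))
```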
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt