spf-discuss

Re: Forwarders

2004-01-12 08:32:51
On Mon, Jan 12, 2004 at 11:01:13AM +0100, Dr. Ernst Molitor wrote:

| On Mon, 2004-01-12 at 00:26, spf(_at_)unobtainium(_dot_)net wrote:
| [...]
| > This is straightforward.  SPF aims to make it harder to forge mail.  My 
| > understanding is that even if Johnny Spammer set up his own domain with 
| > his own spf records, he still couldn't impersonate AOL (this assumes 
| > that AOL had published a sane policy in their own SPF records).   When 
| > your MTA sees MAIL FROM: user(_at_)aol(_dot_)com your MTA would query the aol.com 
| > name servers, get the AOL SPF policy, and find (presumably) that Johnny 
| > Spammer's servers are not authorized to send mail from aol.com.  Your 
| > mail system could then reject the mail, accept it and add points to its 
| > spam score, or whatever.
| > 
| > Also, note that everything that forces spammers to use address space 
| > they own makes it easier to block their traffic.
| 
| current spammers fake e-mail addresses since this is the cheapest way
| for them to achieve their goals. Assuming SPF will take this inroad into
| our e-mail boxes away from them, they will use other methods. Sure,
| once you have detected that, say, abcdefg.com, is a spammer's domain, it
| can be blocked. They will have used abcdefg.com for about ten billion
| messages before, and still work profitably. Maybe they will have to set
| up a couple of domains to make traffic analysis harder, maybe they will
| have to use messages combined from an array of text blocks, but on my
| assumptions as to the gains spam mails offer to those who produce them,
| this will simply not stop them. It will, however, make life harder for
| all of us ;-)

As evidenced on SPAM-L, spammers are taking to registering huge numbers of
domain names, well more than 365 a year.  But there still remain some patterns
such as using the same name servers for them all, either by name or by IP
address, or by netblock.  Still, if they are using trojaned home Windows
machines, the SMTP client rDNS is not usable to detect that it is a spammer
(but many, including myself, majorly block end user DSL/Cable addresses that
have generic rDNS).  Scanners might run DNS lookups on hostnames in every
URL in the content to see if the A record, or the NS record, or the A record
for that NS record, smells of spam.

Spammers will either not publish SPF, using default behaviour which is likely
to allow passing mail for quite a while, or publish "+all", on their domains,
and use those on sender addresses pushed through the trojaned machines.  That
will let them spam for still quite some time (eventually blocking of domains
that publish "+all" might happen) but at least not spam with a sender address
in someone ELSE's domain (which has been a substantial third party damage of
spam that SPF is clearly aimed at).

-- 
-----------------------------------------------------------------------------
| Phil Howard KA9WGN       | http://linuxhomepage.com/      http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/   http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
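The two checks Phil describes above, as an added example that is not part of the original post or of the SPF project's code: an SPF evaluator run offline against a constructed DNS table (so it shows the "no record" result, the "+all" open policy passing, and a forged aol.com sender failing), plus the URL-hostname check that looks at a host's A record, its NS names and the NS hosts' A records against an operator-chosen netblock list. Every domain, address, policy and netblock below is made up for the illustration; the evaluator covers only the ip4, a, mx, include and all mechanisms and skips modifiers, so it is a teaching subset, not a full implementation of the draft.

```python
"""Offline SPF evaluation and URL-host nameserver checks against a constructed DNS table.
Added example, not code from the post or the SPF project; all data below is made up."""
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers standing in for live lookups (assumption: nothing here is real).
DNS = {
    "aol.com": {"TXT": "v=spf1 mx ip4:198.51.100.0/24 -all", "MX": ["mx.aol.com"]},
    "mx.aol.com": {"A": ["192.0.2.25"]},
    "partner.example": {"TXT": "v=spf1 include:aol.com -all"},
    "abcdefg.com": {"TXT": "v=spf1 +all", "NS": ["ns1.spamhost.example"],
                    "A": ["203.0.113.80"]},                 # open policy on a spammer domain
    "no-record.example": {"NS": ["ns1.spamhost.example"]},  # publishes no SPF at all
    "ns1.spamhost.example": {"A": ["203.0.113.53"]},
}

# Netblocks this (hypothetical) operator has decided "smell of spam".
SPAMMY_NETS = [ipaddress.ip_network("203.0.113.0/24")]

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the record set for name/rtype from the table, or None when absent."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype)


def check_host(ip, domain, depth=0):
    """Evaluate the MAIL FROM domain against the connecting IP (ip4, a, mx, include, all only)."""
    if depth > 10:
        return "permerror"            # include loop or too many lookups
    record = lookup(domain, "TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"                 # nothing published: the "default behaviour" case
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue                  # modifiers such as redirect= / exp= are not handled here
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":             # no /cidr suffix support in this example
            matched = ip in (lookup(arg or domain, "A") or [])
        elif mech == "mx":
            matched = any(ip in (lookup(h, "A") or [])
                          for h in lookup(arg or domain, "MX") or [])
        elif mech == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"        # unknown mechanism
        if matched:
            return RESULT[qualifier]
    return "neutral"                  # no mechanism matched


def is_open_policy(domain):
    """True when the domain's record lets every host pass, i.e. its first 'all' term is '+all'."""
    record = lookup(domain, "TXT") or ""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] not in "-~?"
    return False


def verdict(ip, mail_from):
    """SPF result for one transaction, flagging a pass that only an open policy produced."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_host(ip, domain)
    if result == "pass" and is_open_policy(domain):
        return "pass-open"
    return result


def url_host_reasons(url):
    """Why a URL's hostname smells of spam: its A, or the A of one of its NS hosts, sits in SPAMMY_NETS."""
    host = (urlsplit(url).hostname or "").lower()

    def in_spammy(addr):
        return any(ipaddress.ip_address(addr) in net for net in SPAMMY_NETS)

    reasons = []
    if any(in_spammy(a) for a in lookup(host, "A") or []):
        reasons.append("A record in spammy netblock")
    for ns in lookup(host, "NS") or []:
        if any(in_spammy(a) for a in lookup(ns, "A") or []):
            reasons.append(f"NS {ns} resolves into spammy netblock")
    return reasons


if __name__ == "__main__":
    for ip, sender in [("192.0.2.25", "user@aol.com"), ("203.0.113.7", "user@aol.com"),
                       ("203.0.113.7", "spam@abcdefg.com"), ("203.0.113.7", "spam@no-record.example")]:
        print(f"{sender:28} from {ip:14} -> {verdict(ip, sender)}")
    print(url_host_reasons("http://abcdefg.com/buy"))
```

The "pass-open" verdict is the point of the second paragraph: a domain publishing "+all" gets a pass for any trojaned host, so a receiver that wants to act on it has to treat an open policy as its own signal rather than as authorisation, while the forged aol.com sender from the same host fails outright. The URL check only looks at names that appear in the constructed table; against live DNS each lookup is a network round trip and should be cached and rate-limited.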

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt

