spf-discuss

Re: on moving from heuristics toward certainty

2004-02-25 11:53:07
We want a world where either the sender is forged or it's not; either
it's accredited or it's not; either it's reputable or it's not.  We're
trying to shift the uncertainty from the authentication space into the
reputation space where it belongs.

One thing that is worth considering at this point:  I am very much in
favour of widespread adoption of authentication mechanisms, as that would
make my job in the anti-virus world easier.  SPF is quite simply a "neat"
and practical approach, but it is not going to put the spammers out of
business.

Assuming authentication is generally adopted (SPF, Caller-ID or whatever),
the question is how will spam "evolve" in response?  That is perhaps a bit
off-topic for the SPF list, but we should keep those scenarios in mind.

First, and most obviously, spammers will use more "disposable domains",
hoping to get the spam out before the domains are blacklisted.  Getting
a new domain is trivial and cheap.  *However*, getting a new IP block
is not.  If spam evolves along this route, I imagine there will be more
emphasis on IP-based RBLs, blocking the sites hosting those disposable
domains until they clean up their act.

The second possibility is not as obvious, but it involves modifying
the way the "zombie" machines work.  Currently, spam software and
viruses/worms on compromised machines will pick the "sender's" name
and domain more-or-less at random.  What they *could* do instead (and
what they will do, if authentication becomes more widely used) is to
try to determine which domain the machine "belongs to" and send mail
appearing to be from that domain.  Example: The software (spam or worm)
could analyse mail found on the machine, and look at the "To:" address,
which typically would belong to the owner of the machine (OK, not always,
but they don't care if it only works 80% of the time).  Say that it
finds mail addressed to John_Smith@somedomain.com.  Fine, the spam/worm
software could then start sending out mail appearing to be from someone
at somedomain.com - and what would happen is that the mail would be
indistinguishable from "normal" mail sent by the legitimate user of that
machine, as far as for example SPF is concerned.

This is not a flaw in SPF, of course - it is not meant to deal with 
this problem - I am just pointing this out as I see it as a likely
future development and we need to have some ideas how to deal with it.

Discussion on how to solve this problem belongs on some other list, 
though.

For now I am just finishing the SPF records for our own domains - which
has taken a bit longer than expected, and we are looking at
implementing SPF checking in our AVES virus/spam filtering technology
(aves.f-prot.com).  I expect to have some numbers in the near future
on how much spam (and worms) SPF actually stops.

-- 
Fridrik Skulason   Frisk Software International   phone: +354-540-7400
Author of F-PROT   E-mail: frisk@f-prot.com       fax:   +354-540-7401
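The two scenarios described in the message above, worked through as an added example that is not part of the original post: a minimal SPF (v=spf1) evaluator that understands only ip4, ip6 and all with the four qualifiers and reads records from an in-memory "zone" instead of DNS. The domains, addresses, SPF records and the RBL listing are all constructed for the illustration; somedomain.com is the placeholder from the post, and the IP ranges are documentation ranges, not real senders. The point it makes concrete is the one the post makes: a throwaway domain with a valid SPF record passes, and a zombie that sends from the netblock its owner's domain lists passes too, so the SPF result alone cannot separate either case from the legitimate user's mail and an IP-based reputation check has to do that work.

```python
"""Minimal SPF (v=spf1) evaluator: ip4/ip6/all only, no DNS lookups.

Constructed example for the spf-discuss post above; none of the
domains, addresses or records are real.
"""
import ipaddress

# Constructed "DNS zone": domain -> SPF TXT record (None = no record).
ZONE = {
    # somedomain.com authorises its smarthost and its office netblock.
    "somedomain.com": "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 -all",
    # A spammer's disposable domain publishing a perfectly valid record
    # for the hosting block he is sending from.
    "disposable-spam.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "nospf.example": None,
}

# Constructed IP-based blacklist: the block hosting the disposable domains.
IP_RBL = [ipaddress.ip_network("203.0.113.0/24")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, zone=ZONE):
    """Return the SPF result for MAIL FROM domain `sender_domain` sent
    from `client_ip`: pass, fail, softfail, neutral, none or permerror."""
    record = zone.get(sender_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]      # "all" always matches
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists need DNS and are not modelled here.
        return "permerror"
    return "neutral"                          # record ended without "all"


def ip_listed(client_ip, rbl=IP_RBL):
    """True if client_ip falls inside any constructed RBL netblock."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in rbl)


def verdict(sender_domain, client_ip):
    """Receiver policy: SPF first, then IP reputation for what SPF cannot see."""
    spf = check_spf(sender_domain, client_ip)
    if spf == "fail":
        return ("reject", "spf fail")
    if ip_listed(client_ip):
        return ("reject", "ip on rbl (spf=%s)" % spf)
    return ("accept", "spf=%s" % spf)


def scenarios():
    """The cases from the post, all with constructed addresses."""
    return {
        # Today's zombie: forged somedomain.com sender from an unrelated host.
        "random_forgery": check_spf("somedomain.com", "203.0.113.77"),
        # Disposable domain with its own valid SPF record: SPF passes.
        "disposable_domain": check_spf("disposable-spam.example", "203.0.113.77"),
        # Zombie that learned it lives in somedomain.com and sends from the
        # office netblock that the domain's SPF record authorises.
        "zombie_in_owner_netblock": check_spf("somedomain.com", "198.51.100.42"),
        # The legitimate user on the same netblock: identical result.
        "legitimate_user": check_spf("somedomain.com", "198.51.100.10"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print("%-26s spf=%s" % (name, result))
    print(verdict("disposable-spam.example", "203.0.113.77"))
    print(verdict("somedomain.com", "198.51.100.42"))
```

Only the first case is caught by SPF; the disposable domain is stopped by the constructed RBL entry, and the in-netblock zombie is accepted with spf=pass exactly like the legitimate user, which is the gap the post says belongs to some other mechanism.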