Re: on moving from heuristics toward certainty
2004-02-25 11:53:07
> We want a world where either the sender is forged or it's not; either
> it's accredited or it's not; either it's reputable or it's not. We're
> trying to shift the uncertainty from the authentication space into the
> reputation space where it belongs.
One thing that is worth considering at this point: I am very much in
favour of widespread adoption of authentication mechanisms, as that would
make my job in the anti-virus world easier. SPF is quite simply a "neat"
and practical approach, but it is not going to put the spammers out of
business.
Assuming authentication is generally adopted (SPF, Caller-ID or whatever),
the question is how will spam "evolve" in response? That is perhaps a bit
off-topic for the SPF list, but we should keep those scenarios in mind.
First, and most obviously, spammers will use more "disposable domains",
hoping to get the spam out before the domains are blacklisted. Getting
a new domain is trivial and cheap. *However*, getting a new IP block
is not. If spam evolves along this route, I imagine there will be more
emphasis on IP-based RBLs, blocking the sites hosting those disposable
domains until they clean up their act.
The second possibility is not as obvious, but it involves modifying
the way the "zombie" machines work. Currently, spam software and
viruses/worms on compromised machines will pick the "sender's" name
and domain more-or-less at random. What they *could* do instead (and
what they will do, if authentication becomes more widely used) is to
try to determine which domain the machine "belongs to" and send mail
appearing to be from that domain. Example: The software (spam or worm)
could analyse mail found on the machine, and look at the "To:" address,
which typically would belong to the owner of the machine (OK, not always,
but they don't care if it only works 80% of the time). Say that it
finds mail addressed to John_Smith@somedomain.com. Fine, the spam/worm
software could then start sending out mail appearing to be from someone
at somedomain.com - and what would happen is that the mail would be
indistinguishable from "normal" mail sent by the legitimate user of that
machine, as far as for example SPF is concerned.
This is not a flaw in SPF, of course - it is not meant to deal with
this problem - I am just pointing this out as I see it as a likely
future development and we need to have some ideas how to deal with it.
Discussion on how to solve this problem belongs on some other list,
though.
For now I am just finishing the SPF records for our own domains - which
has taken a bit longer than expected, and we are looking at
implementing SPF checking in our AVES virus/spam filtering technology
(aves.f-prot.com). I expect to have some numbers in the near future
on how much spam (and worms) SPF actually stops.
--
Fridrik Skulason          Frisk Software International   phone: +354-540-7400
Author of F-PROT          E-mail: frisk@f-prot.com       fax:   +354-540-7401
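To make the point in the post concrete (that an SPF check only ties the connecting IP to the envelope sender's domain, and says nothing about which user on that domain is sending), here is a small SPF evaluator added as an illustration. It is not code from the post, from the SPF project, or from F-PROT/AVES. It supports only the `ip4`, `ip6`, `include` and `all` mechanisms, and it reads records from a constructed in-memory zone (the domains `somedomain.example` and `_spf.mailhost.example` and all IP addresses are made up) instead of doing DNS lookups, so it runs offline.

```python
import ipaddress

# Constructed sample "zone": stands in for the TXT lookups a real checker
# would perform. Domains and addresses are made up for this illustration.
ZONE = {
    "somedomain.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain, or None (stub for a DNS TXT query)."""
    return ZONE.get(domain.lower())


def check_spf(client_ip, sender, depth=0):
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Note that the local part of `sender` is never consulted: two different
    users behind the same authorised IP get the same result.
    """
    if depth > 10:
        return "permerror"  # include loop / too many lookups
    domain = sender.rsplit("@", 1)[-1]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # Recursively evaluate the included domain; only "pass" matches.
            sub = check_spf(client_ip, "postmaster@" + arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # a, mx, ptr, exists etc. are not implemented here

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record ended without a match


if __name__ == "__main__":
    # Same authorised IP, two different local parts: both pass.
    print(check_spf("192.0.2.77", "john_smith@somedomain.example"))
    print(check_spf("192.0.2.77", "someone_else@somedomain.example"))
    # Unauthorised IP claiming the same domain: fail (the -all).
    print(check_spf("203.0.113.9", "john_smith@somedomain.example"))
```

Run it and the first two lines print `pass`, the third `fail`. That is the situation described above: the check cannot tell the legitimate owner of a machine on the domain's network from malware on the same machine, because both reach the receiver from an IP the domain has authorised. Distinguishing the two is the job of reputation, rate limiting and outbound filtering at the sending site, not of SPF.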