spf-discuss

how the board might look a few moves ahead

2004-02-25 12:16:58
On Wed, Feb 25, 2004 at 06:53:07PM +0000, Fridrik Skulason wrote:
| 
| Assuming authentication is generally adopted (SPF, Caller-ID or whatever),
| the question is how will spam "evolve" in response?  That is perhaps a bit
| off-topic for the SPF list, but we should keep those scenarios in mind.

Yes, this is an important line of thinking.

| First, and most obviously, spammers will use more "disposable domains",
| hoping to get the spam out before the domains are blacklisted.  Getting
| a new domain is trivial and cheap.  *However*, getting a new IP block
| is not.  If spam evolves along this route, I imagine there will be more
| emphasis on IP-based RBLs, blocking the sites hosting those disposable
| domains until they clean up their act.

My previous thoughts on this issue include:

  http://spf.pobox.com/faq.html#churn
  http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200311/0118.html

| The second possibility is not as obvious, but it involves modifying
| the way the "zombie" machines work.  Currently, spam software and 
| viruses/worms on compromised machines will pick the "sender's" name
| and domain more-or-less at random.  What they *could* do instead (and
| what they will do, if authentication becomes more widely used) is to
| try to determine which domain the machine "belongs to" and send mail
| appearing to be from that domain.  Example: The software (spam or worm)
| could analyse mail found on the machine, and look at the "To:" address,
| which typically would belong to the owner of the machine (OK, not always,
| but they don't care if it only works 80% of the time).  Say that it
| finds mail addressed to John_Smith@somedomain.com.  Fine, the spam/worm
| software could then start sending out mail appearing to be from someone
| at somedomain.com - and what would happen is that the mail would be
| indistinguishable from "normal" mail sent by the legitimate user of that
| machine, as far as for example SPF is concerned.

http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200401/1505.html

| 
| For now I am just finishing the SPF records for our own domains - which
| has taken a bit longer than expected, and we are looking at  
| implementing SPF checking in our AVES virus/spam filtering technology
| (aves.f-prot.com).  I expect to have some numbers in the near future
| on how much spam (and worms) SPF actually stops.
| 

I'm glad to hear f-prot is adding support.

cheers
meng
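
Added example, not part of the original message: a small model of the receiver-side decision for the two scenarios quoted above, showing where an SPF pass alone does not separate legitimate mail from abuse and where an IP-based blocklist still applies. The evaluator handles only the `ip4` and `all` mechanisms; the records, the blocklist, the `throwaway.example` domain and all IP addresses are constructed sample data, and the compromised host is assumed to sit inside the address range that somedomain.com authorizes.

```python
import ipaddress

# Constructed sample data (documentation-range addresses, not real records).
SPF_RECORDS = {
    "somedomain.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "throwaway.example": "v=spf1 ip4:198.51.100.7 -all",
}
# Constructed IP-based blocklist covering the host behind the disposable domain.
IP_BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, records=SPF_RECORDS):
    """Evaluate the ip4 and all mechanisms of the sender domain's record."""
    record = records.get(sender_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, include, ...) are skipped in this sketch.
    return "neutral"


def decide(client_ip, sender_domain):
    """Combine the SPF result with the IP blocklist, as the quoted text suggests."""
    spf = check_spf(client_ip, sender_domain)
    if spf == "fail":
        return ("reject", "spf fail")
    if any(ipaddress.ip_address(client_ip) in net for net in IP_BLOCKLIST):
        return ("reject", "ip blocklisted")
    return ("accept", "spf " + spf)


if __name__ == "__main__":
    print(decide("203.0.113.50", "somedomain.com"))    # random forgery: SPF fails
    print(decide("198.51.100.7", "throwaway.example"))  # SPF passes, IP is listed
    print(decide("192.0.2.44", "somedomain.com"))       # host inside authorized range
```

The third case is accepted with an SPF pass: the check authorizes the sending address for the domain, so mail from a compromised host inside that range has to be caught by other signals.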