spf-discuss

SV: on moving from heuristics toward certainty

2004-02-25 13:46:21
> First, and most obviously, spammers will use more "disposable domains",
> hoping to get the spam out before the domains are blacklisted.

Please note that it will become more and more common to delete spam e-mail from 
people's mailboxes after they have received the e-mail. Also, techniques that 
involve delaying some e-mails can be improved with SPF - because greater 
reliability on sender addresses makes it possible to reduce the delay on 
already approved sender addresses.

> Getting a new domain is trivial and cheap.  *However*, getting a new IP block
> is not.  If spam evolves along this route, I imagine there will be more
> emphasis on IP-based RBLs, blocking the sites hosting those disposable
> domains until they clean up their act.

SPF reduces the number of possible IP addresses, making IP blocking easier ;-)

> try to determine which domain the machine "belongs to" and send mail
> appearing to be from that domain.

This is not a problem with SPF. SPF doesn't prevent people from sending spam 
or viruses and was never intended to do that. SPF just connects the sender address 
with the sender machine, and you need additional mechanisms to use this to 
prevent spam.

> Say that it finds mail addressed to John_Smith@somedomain.com. Fine, the spam/worm
> software could then start sending out mail appearing to be from someone
> at somedomain.com

Again, SPF is not intended to stop that, but SPF can help the infected 
organization to avoid those e-mails being classified as genuine. Several ISPs 
are now blocking outgoing TCP connections to port 25 except for connections to 
their own mailservers (for instance tdc.dk), and this means that a virus or 
worm either has to use the mail application (but Outlook 2003 blocks MAPI 
access by default) or read the mail application's settings (mailserver, 
username, password). But if the mail servers also scan outgoing e-mails, 
viruses and worms don't have much chance of sending anything.

The combination of SPF, port 25 blocking, mailserver authentication and 
scanning of outgoing e-mails on the mailserver can be an extremely powerful 
combination to prevent anyone from ever seeing a virus coming from your e-mail 
address.

Lars Dybdahl.
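The sender-address-to-machine link discussed in the post above, as an added example that is not part of the post or of any SPF implementation: a minimal evaluator for the ip4/ip6/all mechanisms of a v=spf1 record, combined with an IP-based block list to show why a disposable domain that passes SPF can still be stopped by judging the sending host. All domains, addresses and records are constructed, and a real receiver would fetch the TXT record from DNS instead of a dict.

```python
import ipaddress

# Constructed sample SPF records (invented domains, documentation IP ranges).
# A real check looks up the TXT record of the envelope-sender domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "disposable.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Constructed stand-in for an IP-based RBL: networks with bad reputation.
IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of a v=spf1 record (no include,
    a, mx or redirect). Returns pass, fail, softfail, neutral or none."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A mismatched address family never matches.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def policy(domain, client_ip):
    """Combine SPF with the block list: SPF only ties the domain to the
    machine, so a passing disposable domain is still judged by its host."""
    result = check_spf(domain, client_ip)
    ip = ipaddress.ip_address(client_ip)
    if result == "fail":
        return "reject: sender domain does not authorize this host"
    if any(ip in net for net in IP_BLOCKLIST):
        return "reject: host is on the IP block list (SPF %s)" % result
    return "accept (SPF %s)" % result
```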

