spf-discuss

SV: Security Paper on forgery bounce DDoS

2004-04-20 16:16:55
SPF _cannot_ validate that the sender of that message was
indeed the claimed sender.

SPF does not publish whether the domain owner prevents forgery of e-mail 
addresses within the same domain, but that's not what SPF is there to do. 
Please regard SPF in the context of what it's trying to do. SPF is not trying to 
save the world - actually, it allows a certain degree of freedom in how to 
handle your e-mail systems, both technically and administratively.

The more you want to check, the more complicated it gets. SPF was designed for 
a simple task, and can therefore be kept simple. There are many parameters in 
handling e-mails:

If you want to be 100% sure of the identity of a sender, you will need digital 
signatures, and you will need certificates to ensure that the digital signature 
actually belongs to the identity that you expect. If you don't trust 
authorities, don't get your signature from one. If you want to communicate 
with digital signatures with authorities, you will need to get your signature 
from one.

If you want to kill spam 100%, you will need to define "spam" extremely 
precisely. Please note that e-mails on this list are spam to some people, if 
they aren't clever enough to find out how to unsubscribe from the list. Good 
spam filters should be able to filter away e-mails from this list for those 
people, while letting them through to other people.

If you want flexibility in your systems, you should not set any restrictions on 
which servers may send which e-mails etc.

If you want to guarantee e-mail delivery, you should not bounce or filter away 
any incoming e-mails.

If you want an e-mail server with no significant load, don't put any 
spam-filtering techniques on the server that make network lookups (like RBLs, 
SPF etc.) or use CPU (Bayesian filtering).

If you want a real-life e-mail system for many people, you will have to 
compromise. What you are doing is describing some characteristics of some 
technologies - but this doesn't change the fact that SPF will benefit a lot of 
e-mail systems at a low cost, and is even able to give the early adopters 
immediate and remarkable benefits.

Lars.
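An added illustration of the point Lars makes about SPF's scope (this is example code written for this page, not something from the list or from any SPF implementation). It evaluates only the ip4, ip6 and all mechanisms against a constructed record for the hypothetical domain example.org, with no DNS lookups; the names check_host and parse_spf and the record contents are assumptions of the example. The result shows that SPF authorizes the sending host for the MAIL FROM domain, so a message with a forged local part in the same domain still gets "pass" when it comes from an authorized host, while a host outside the published range gets "fail":

```python
import ipaddress

# Constructed SPF records for a hypothetical domain (not real DNS data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# Mapping from mechanism qualifier to SPF result name.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, mail_from, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for the MAIL FROM domain.

    Only the domain part of mail_from is consulted; the local part plays no
    role, which is exactly why same-domain forgery is invisible to SPF.
    """
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULT[qualifier]
        # a, mx, include, exists, ptr would need DNS and are not handled here.
    return "neutral"  # record ended without a matching mechanism


if __name__ == "__main__":
    # Authorized host, genuine user: pass.
    print(check_host("192.0.2.25", "alice@example.org"))
    # Authorized host, forged local part in the same domain: still pass.
    print(check_host("192.0.2.25", "ceo@example.org"))
    # Host outside the published range: fail.
    print(check_host("203.0.113.7", "alice@example.org"))
```

The second call is the case the post describes: whether "ceo@example.org" was really sent by that person is a question for the domain's own submission controls or for digital signatures, not for SPF, which has already done its job once the host is authorized for the domain.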