spf-discuss

Article in Security UPDATE newsletter

2004-05-26 12:24:49
I am a subscriber to the on-line Security UPDATE newsletter
<Security-UPDATE(_at_)list(_dot_)winnetmag(_dot_)com> and have just sent the
message below to the editors for comment.

I would like to ask the same question to this discussion group - is there
some way for spammers to circumvent the SPF solution short of hijacking the
DNS or mailservers for a domain?

================================================================================
As someone who deals with Spam arriving at our customers' sites on a
regular basis, I closely follow proposals for reducing the flow of unwanted
e-mail.

Based on what I have read, I am a strong supporter of the SPF solution. I
see it as easy to implement (we also handle DNS support for most of our
customers) and I believe it would handle most of the Spam I am observing on
the Internet at this time. The only problem would appear to be getting most
domain owners to incorporate mailserver identification in the DNS zone
files so that MTAs can refuse mail originating from invalid IP addresses.
The proposed technology would appear to be easy to implement for both
senders and recipients, require no changes to e-mail client software, and
does not need any form of infrastructure to manage cryptographic keys etc.

Based on my current knowledge level, I was surprised to read the following
statement in your newsletter.
 
"Although all three technologies provide reasonable ways to verify an
email message's origin, they all contain problems that determined
spammers could exploit."

Am I missing something regarding the SPF solution? Obviously spammers could
hijack the DNS servers for a domain or one of the approved mailservers -
but that shouldn't be too hard to prevent. Is there some other problem?

Roy Snell

================================================================================


Roy C. Snell  (rsnell(_at_)trilan(_dot_)com)  
President                           
Tri-Lan Internetwork Ltd            
Victoria, British Columbia, Canada  
Tel : (250) 477-0104                

