spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-06 07:50:56
Shevek wrote:
> On Sat, 5 Jun 2004, Daniel Taylor wrote:
>
> > SPF is necessary but not sufficient to prevent joe-jobs as it currently
> > exists. If you do _not_ do something like SPF, protection is unavailable.
>
> SPF and SRS _ARE_ sufficient to prevent joe jobs as they currently exist. I will stand up and categorically state that if SPF and SRS are implemented, then there are only three ways in which a spammer can send you ANY form of mail indirectly:
>
> a) As a reply to a forwarded mail you sent directly to the spammer.
> b) Via a forwarding address you set up to yourself.
> c) Via a forwarding address the spammer set up pointing to you.
>
> This is explained more fully at http://www.libsrs2.org/srs/srs.pdf, which I updated yesterday.

Thanks for the link and keeping this up.

> > The problem with these examples is that there is no requirement of a
> > relationship between the envelope-From and From:. To force such a
> > relationship breaks an awful lot, but even the wonderful cryptographic
> > authentication solutions don't fix the trust problem, so where
> > does that leave us?
>
> Doesn't matter. From: has nothing to do with joe jobs. Vacation messages, perhaps, but that's a second layer. The envelope layer works. Use it.

Yes, it works for what it does.
It needs to be used with other methods to protect From:, which
is the root of phishing attacks and a lot of the reputation
damage from joe jobs.

--
Daniel Taylor
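
The gap the thread turns on, that a check on the envelope-From constrains nothing in the From: header, shown as an added example; it is not code from the thread or from libsrs2. `domain_of`, `check_from`, the verdict strings and the `*.example` messages are constructed for illustration, the comparison is exact-domain only, and the envelope sender is assumed to have already passed an SPF-style check.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

def domain_of(address):
    """Lower-cased domain of an address; '' for the null sender '<>' or junk."""
    mailbox = parseaddr(address)[1]
    if "@" not in mailbox:
        return ""
    return mailbox.rpartition("@")[2].lower()

def check_from(envelope_from, raw_message):
    """Compare the envelope-From domain with the domain(s) in From:.

    Returns (verdict, envelope_domain, sorted From: domains).
    """
    env = domain_of(envelope_from)
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", [])
    doms = sorted({domain_of(a) for _, a in getaddresses(headers)} - {""})
    if len(headers) != 1 or len(doms) != 1:
        verdict = "malformed-from"   # missing, repeated or multi-author From:
    elif env == "":
        verdict = "null-sender"      # bounce: no envelope domain to compare
    elif doms[0] == env:
        verdict = "match"
    else:
        verdict = "mismatch"         # envelope is valid, From: names another domain
    return verdict, env, doms

# Constructed sample messages (reserved example domains, not from the thread).
DIFFERENT = (
    "From: Example Bank <security@bank.example>\n"
    "To: user@recipient.example\n"
    "Subject: Please confirm your account\n\n"
    "body\n"
)
SAME = "From: Alice <alice@sender.example>\nSubject: hi\n\nbody\n"
TWO_FROM = "From: a@sender.example\nFrom: b@bank.example\n\nbody\n"

if __name__ == "__main__":
    for env, raw in [("bounce@sender.example", DIFFERENT),
                     ("alice@sender.example", SAME),
                     ("<>", SAME),
                     ("alice@sender.example", TWO_FROM)]:
        print(env, check_from(env, raw))
```

A "mismatch" verdict is not proof of forgery: mailing lists and forwarders produce it legitimately, which is the "breaks an awful lot" concern raised in the quoted text.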