spf-discuss

RE: What does PASS really mean?

2004-06-29 21:52:40
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Guillaume Filion
Sent: Tuesday, June 29, 2004 2:30 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] What does PASS really mean?


"Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com> wrote:
Discussion with Scott Kitterman and others has brought to my attention some
misunderstandings. In particular, what does an SPF PASS result really mean?

As far as I know, the "official" definition of pass is: This server is
authorized to send email for example.com.

SPF is all about authenticating servers, not messages. For example,
trudy(_at_)example(_dot_)com could send a forged email pretending to be
alice(_at_)example(_dot_)com using example.com's MTA and it would get an SPF
pass. Without cryptographic signatures, you can't really be sure that a
message is authentic. On the other hand, if it's an SPF fail, you can be sure
that it's not respecting the domain owner's policy.

Hope it answers, at least partially, your question,
GFK's

Yes, that's what I was originally thinking too.  That's surely what it must
mean because that's what it does.  Try this on for size...

http://spf.pobox.com/faq.html#churn

This is what is coming:

"Here's an example of automated blacklisting in action:

   1. A spammer spams.
      * The spam comes from an SPF-conformant domain.
        o That domain is on a widely published sender-domain blacklist.
          + The MTA rejects the message.
        o That domain is a throwaway, just-registered domain, and does not
          yet appear on blacklists.
          1. The spam gets accepted by unsophisticated MTAs which do not use
             other traffic-analysis methods to impose a crude reputation
             system on unrecognized senders.
          2. The spam also gets accepted by automated spamtraps.
          3. The spamtraps add the domain to the blacklist.
          4. (advanced) Some time later, the user checks email. Immediately
             before the display phase, the MUA re-tests the message against
             the blacklists, and discards it.
          5. Thanks to the greater level of sender accountability, lawsuits
             may begin against the spammers, and registrars may be subpoenaed
             for domain owner information. SPF strengthens administrative and
             legal methods."

OK.  How is this different from the perspective of the automated systems
from the following response to SPF:

0. The Prudent Spammer knows that SPF makes it harder to hide. He sells his
   get-rich-quick, here's-a-bunch-of-e-mail-addresses package to Novice
   Spammer. He sees that Novice Spammer is sending through one of Verizon's
   authorized MTAs {I'm just picking Verizon here because they publish SPF
   and I'm a customer of theirs; this could be most any big ISP}, so Prudent
   Spammer queries the domains listed in his directory of millions and
   millions of e-mail addresses and pulls out a list of domains that
   "include:verizon.net" in their SPF record. He packages those as the from
   addresses in the package he sends to Novice Spammer.

1. Novice Spammer spams {through the Verizon MTA using his 500/hour}.
      * The spam comes from an SPF-conformant domain (might be mine).
        o That domain is a throwaway, just-registered domain (or one that
          Prudent Spammer decided to hijack), and does not yet appear on
          blacklists.
          1. The spam gets accepted by the Verizon MTAs because one of the
             Verizon users is SASL authenticated.
          2. The spam also gets accepted by automated spamtraps.
          3. The spamtraps add the domain to the blacklist.
          4. (advanced) Some time later, the user checks email. Immediately
             before the display phase, the MUA re-tests the message against
             the blacklists, and discards it.
          5. Thanks to the greater level of sender accountability, lawsuits
             may begin against the spammers, and registrars may be subpoenaed
             for domain owner information. SPF strengthens administrative and
             legal methods. Novice Spammer gets slammed (as he should) and no
             one will accept e-mail from me because the SPAM was an SPF PASS
             (and I get burned because I published SPF, unless I did
             ?include:verizon.net - which sort of limits the usefulness of
             the SPF record).

I've spent a lot of time trying to develop an accurate SPF record for myself
and the handful of other people who use my domain.  Now it's almost all ?
in front of everything because I don't want to get burned.

I understand trying to sell SPF and being an SPF evangelist.  It appears to
me that it's being oversold right now and once people get burned they are
going to either delete their SPF records or tune the usefulness right out of
them.  "v=spf1 ?a ?mx ?include:verizon.net ~all" isn't really going to be a
lot of help to anybody, is it?

This just highlights my original point.  People are confused about this.  If
people are wrong (either way) innocents will get burned.

Scott Kitterman
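As an added illustration of the point argued in this thread (example code, not part of Scott's message or of any real SPF implementation): a toy SPF evaluator over a constructed DNS table. It shows that PASS is a statement about the connecting host, so any ISP customer relaying through an MTA covered by "include:verizon.net" gets PASS for that domain whatever local part the MAIL FROM carries, and that a record with "?" on every mechanism can only ever answer NEUTRAL or SOFTFAIL. The domain names, addresses and the verizon.net range are all constructed.

```python
# Minimal SPF evaluator over a constructed DNS table (added example, not a real
# SPF library): ip4, a, mx, include and all, with the +/-/~/? qualifiers.
import ipaddress

DNS = {  # constructed records; verizon.net's range is just illustrative
    "example.com": {"txt": "v=spf1 a mx include:verizon.net -all",
                    "a": ["192.0.2.10"], "mx": ["example.com"]},
    "cautious.example": {"txt": "v=spf1 ?a ?mx ?include:verizon.net ~all",
                         "a": ["192.0.2.20"], "mx": ["cautious.example"]},
    "verizon.net": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting host `ip`."""
    rec = DNS.get(domain, {}).get("txt")
    if rec is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:               # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUAL:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUAL[qual]
        if name == "ip4" and addr in ipaddress.ip_network(arg, strict=False):
            return QUAL[qual]
        if name in ("a", "mx"):
            tgt = DNS.get(arg or domain, {})
            addrs = tgt.get("a", []) if name == "a" else [
                a for mx in tgt.get("mx", []) for a in DNS.get(mx, {}).get("a", [])]
            if ip in addrs:
                return QUAL[qual]
        # include matches only when the included record itself yields PASS
        if name == "include" and check_host(ip, arg, depth + 1) == "pass":
            return QUAL[qual]
    return "neutral"                           # no "all" term: default result

def scenarios():
    isp_mta = "198.51.100.5"   # constructed: a host inside the ISP's ip4 range
    return {
        # Any ISP customer relaying through that MTA gets PASS for example.com,
        # whatever local part the MAIL FROM carries: PASS vouches for the host.
        "any_isp_customer_as_example_com": check_host(isp_mta, "example.com"),
        # The "?"-everything record only ever says NEUTRAL or SOFTFAIL.
        "cautious_via_isp": check_host(isp_mta, "cautious.example"),
        "cautious_elsewhere": check_host("203.0.113.9", "cautious.example"),
        "example_com_elsewhere": check_host("203.0.113.9", "example.com"),
    }
```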