spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

SPF is not usable as legal measure against spammers. DomainKeys are probably yes. Routers hacked by spammers scenario.

2004-07-13 14:19:07
from [Andrew G. Tereschenko] [Permanent Link] 
SPF is not usable as legal measure against spammers. DomainKeys are probably
yes. Routers hacked by spammers scenario.





 Currently SPF is technical-only measure against forgery.



Quoting Chris Drake:




  SPF IS   NOT   AN ANTISPAM TECHNOLOGY




  NOT NOT NOT NOT NOT NOT NOT.




I agree with him. It's not possible to use SPF against biggest problem of
Internet - spam.

Everybody who need spam protection - adopt DomainKeys.

Even if SPF will be installed on 100% of MTAs - this will not give us a
legal protection against root of spam problem - spammers people and
companies.

No one spammer can be sued to recover damages.



It's not possible to prove in court that Spam was ordinates/requested
from/by domain owner.

Sender IP are indirect proof that cannot be used in court.

Even more - currently MTAs do not log any information about content of
emails send,

only From/To/Date/delivery status. Server logs can not be used too.

It's not possible to determine if entire content of email provided is
original or only headers parts.

This makes it impossible to use 1.000.000's of emails as an evidences in
court.



But there are a lot of electronic signature legislations worldwide.

You will be able to prove that entire content of email was signed by valid
company _private_ key.

Content of email cannot be altered while preserve headers.



Example:

www.mygreatingcards.com send a lot of valid greeting cards. But current
finance conditions of my company are weak.

I would like to earn a few bucks by sending spam to select prescreened
members.

It's will be impossible for those members to prove that I've spammed them.

No evidences other that emails headers, source IP and mail-from.

My lawyers will be able to protect me because they will show that email
message was possibly altered in transit and my company is not responsible
for spam message.



Your opinion ?



BTW, This kind of hacked ISP mail servers scenario allows injecting spam
text inside valid emails. And you will be unable to block this using any
SPAM filter/SPF without losses.

No way to use SPF as authentication mechanism.

Spammers can hack a few ISP servers, routers or even network links and
inject message text like this inside legit emails:

Like a

--

To: Me(_at_)MyDomain(_dot_)com

From: MyBestFriend(_at_)HackedISP(_dot_)net

Subject: Re: <Valid subject of email message>



<Valid and relevant text message>



P.S> I've checked this site
http://cheap.domain.that.spammers.buy.using.stolen.creditcard.com and found
their products valuable.

I've already ordered and received their products. They are outstanding. I
recommend you to buy as much as possible ASAP while price is affordable.

---



FYI. No needs to hack MTAs. Routers are ok too for this ;-)



This will be impossible to use SPF as valid authentication mechanism.

Only against "real"-forgery - but this will reduce in side and simply
migrate to better non-forged or hacked scenarios.





--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Are SPF fault tolerant ? How to make SPF records changed correctly ?, Meng Weng Wong
Next by Date:  Re: Are SPF fault tolerant ? How to make SPF records changed correctly ?, Andrew G. Tereschenko
Previous by Thread:  spf-discuss record changing to -all, Meng Weng Wong
Next by Thread:  Re: SPF is not usable as legal measure against spammers., Jonathan Gardner
Indexes:  [Date] [Thread] [Top] [All Lists]