spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SPF and Responsibility

2004-07-21 12:35:30
from [Andriy G. Tereshchenko] [Permanent Link] 
Thanks Terry,


Consider BIGISP.com, they have 1 mail server mail.bigisp.com



Little company abc.com buys a DSL account from bigisp.com [.....]
Little company spammer.com buys a DSL account from bigisp.com.  [.... ]
Now he sends a spam, faking the from address as whatever(_at_)abc(_dot_)com 
targeting
victim(_at_)spamtarget(_dot_)com



This will be real problem during next several years until BigISPs will start to 
use SMTP AUTH.
I see this is as big problem. There is no reasons for ISPs to support STMP AUTH.
They usualy do not care about spam. Spam is source of thier money.
If end-user will spend more time to recieve his email using dialup - this mean 
more money for ISP.
If end-user have to buy 10Mb or 20Mb mailbox instead of current 5Mb  - this 
mean more money for ISP.
If end-user do not wish to recieve viruses or spam - he can buy additional 
services - spam filtering - this mean more money
for ISP.

No real reasons for ISPs to stop spam.

SPF is Server-to-Server auth protocol. It has a lot of disavantaged like one 
you have mentioned.
I see only one benefit from current SPF - it does not requere big changes to 
send email.
Publish SPF record and you can send.
But in return it does not save you from new kinds of forgery. Additional steps 
requered to prevent this.
This is one of biggest problems - make changes in your DNS, MUA, MTA to make it 
possible to send any email currently,
or postpone everything until better times (but still requered to make changes).

If SPF will be accepted as standart and DK(or any other cryptography based or 
other non-server-to-server tech) I see this:
2004-2005 SPF records published by domain owners
2005-2006 Recievers finaly start to check SPF records. Even more SPF record 
published to prevent "unknown" status
Bulk mailing prices increase. Black-hat hackers and script kiddies become 
interested in spam money.
2006-2007 New kind of forgery like one you have described deliver spam to you 
mailbox
2007-2008 SMTP AUTH and better fine-tuned SPF tech used. But "unknown kind 
attack by unknown hackers" claims (Like one I've
described several days ago) started to prevent blacklisting 
WeSendSpamSometimes.com domain.
2007-2008 DK or any other technology (which does not requere mail routing 
restrictions) started prosecute claims above and
becouse of IPv6 dynamic mail/IP routing nature and unhappy travelers who forces 
to use corporate mail servers.

This is my first accuption. Timing can be changed. Other factors like IPv6 
acceptance or start of WW3 can delay this.

--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SPF and Responsibility, Michel Bouissou
Next by Date:  RE: Broken SPF implementations among this list's subscribers ?, Ryan Malayter
Previous by Thread:  Re: SPF and Responsibility, Daniel Taylor
Next by Thread:  Re: SPF and Responsibility, David Brodbeck
Indexes:  [Date] [Thread] [Top] [All Lists]