spf-discuss

Some thoughts about spam and SPF

2004-08-17 10:12:20
The term "spam" below should be interpreted in its broadest sense.  Not
just UCE, or even UBE - just UE.

When someone sends me a mail accusing me of spamming him (just because
someone, somewhere else sent out spam with a forged sender), that mail
is "spam" as far as I am concerned.  It is not "commercial", and it is
not "bulk" - it is just unwanted crap in my mailbox.  I don't care 
whether the sender of a particular unwanted, unsolicited mail sent out
10.000.000 identical copies or just one - they are equally unwanted
as far as I am concerned.

Now, having said this, I want to look at a few examples of spam (in
the above sense) in my mailbox, and think about how they could have
been prevented or blocked before they reached me.

Consider first the example I mentioned above.  If it was universally
adopted, SPF would have prevented the original mail from reaching 
the recipient - he would have received less spam, and he would never
have mailed me accusing me of spamming him.

Consider a typical "joe-job" bounce next - The same applies there.
If SPF was in general use, the original mail would never have
bounced to me.

Now consider the worms currently in circulation.  Things are quiet
right now, with only 10% of e-mail traffic containing worms.  Most of
the current generation of worms forge the sender's address - picking
it at random.  Those worms would disappear if SPF was in general use.
For this reason, we should expect "next-generation" worms to be
"immune" to SPF - that is, they will determine a "valid" domain for
the machine they are running on, and send themselves out as being
sent by someone in that domain, and everything will be fine as far 
as SPF is concerned.

Then consider "classic" spam, sent by a "professional" spammer with his
own domain, who forges the sender at random.  SPF will stop this.

Next consider "classic" spam sent by a "professional" spammer with his
own domain, who does not engage in any kind of forging.  SPF is not
going to be of any help here - the spammer is who he claims to be.
In civilized countries he can be stopped via legal means.  If he is 
operating from a country where the law cannot reach him, there is 
always Spamhaus.org.

Then we have a spammer using a "throwaway" account at some ISP - used
to send out spam until the account is closed down.  If the spammer
sets things up right, using only domains which are allowed to send mail
from that server, SPF will not be of any help.  A reputation system
will notice spam coming from that system, but it is interspersed
with mail from a large number of non-spamming users.  If the usage of
that reputation system results in those "innocent bystanders" having
problems, a flood of lawsuits is one likely outcome - the ISP will be 
sued for not blocking the spammer in the first place and the people
behind the reputation system will be sued too.  Sounds like fun ....
if you are a lawyer, that is.  ISPs can do things to avoid this
scenario - one being to install something that limits the number
of outgoing mails - if you can only send, say, 100 mails per hour
most "normal" users would not notice anything, and non-spamming
customers that need to send out more mail can probably get some
special license from the ISP.

Finally we have spammers using compromised machines.  Currently the spam
software running on those machines just selects a sender's name at 
random, but that is certain to change as SPF becomes more popular, and
we should assume that in the future the spam sent from compromised 
machines will look just like it was sent by a regular human user of
that machine.  SPF will not be able to tell the difference.  

The bottom line?

Adoption of SPF will change the nature of spam.  It will eliminate 
certain classes of unwanted mail, some of which are not spam in the
UCE/UBE sense.  It will force spammers to use other methods, some of
which are more illegal than what they are doing now.

Combined with legal means, ISPs restricting outgoing traffic, and
a real-time blacklist, you could eliminate much of the spam, but 
not all - compromised machines are a problem in most scenarios.

-- 
Fridrik Skulason   Frisk Software International   phone: +354-540-7400
Author of F-PROT   E-mail: frisk(_at_)f-prot(_dot_)com       fax:   +354-540-7401
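The classes of unwanted mail the post walks through can be exercised against a toy SPF evaluator, which makes the post's point concrete: SPF fails a forged sender, but passes a spammer who really owns his domain and a compromised host that mails as a user of its own domain. This is an added example, not code from the post or from any SPF implementation; the domains, addresses and records are constructed, and the evaluator supports only the ip4, include and all mechanisms.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "legit.example":   "v=spf1 ip4:192.0.2.0/24 -all",
    "isp.example":     "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all",
    "spammer.example": "v=spf1 include:isp.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Minimal SPF evaluator: ip4, include and all only.
    Returns pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:            # guard against include loops
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"         # purported sender domain publishes no SPF
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            if check_host(ip, term[8:], records, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"  # a, mx, exists, ... not implemented here
    return "neutral"            # record ended without a match

def scenarios():
    """The post's cases, evaluated against the constructed records."""
    return {
        # worm or spammer on 203.0.113.7 forging a random sender at legit.example
        "forged_sender": check_host("203.0.113.7", "legit.example"),
        # spammer who really owns spammer.example and relays through his ISP
        "honest_spammer": check_host("203.0.113.7", "spammer.example"),
        # compromised machine inside legit.example's own address range
        "compromised_host": check_host("192.0.2.42", "legit.example"),
        # sender domain with no record: SPF has nothing to say
        "no_record": check_host("203.0.113.7", "nospf.example"),
    }
```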