spf-discuss

Re: Some thoughts about spam and SPF

2004-08-17 12:06:34
On Tue, 2004-08-17 at 18:12, Fridrik Skulason wrote:
Next consider "classic" spam sent by a "professional" spammer with his
own domain, who does not engage in any kind of forging.  SPF is not
going to be of any help here - the spammer is who he claims to be.
In civilized countries he can be stopped via legal means.

Not always. Some countries that have enacted anti-spam laws such as the
US and UK would not necessarily make this form of spam illegal. The
YOU-CAN-SPAM act in the US only really targets spammers that forge
headers or don't honour opt-outs (and who opts out of spam anyway?), and
the UK act doesn't forbid business-to-business spam, only
business-to-consumer. Of course, we may take the view that these
countries are not what you call "civilized" ;-)

If he is 
operating from a country where the law cannot reach him, there is 
always Spamhaus.org.

Indeed, I'm very grateful to Steve and his team that have kept loads of
spam out of my inbox these last few years.

Then we have a spammer using a "throwaway" account at some ISP - used
to send out spam until the account is closed down.  If the spammer
sets things up right, using only domains which are allowed to send mail
from that server, SPF will not be of any help.  A reputation system
will notice spam coming from that system, but it is interspersed
with mail from a large number of non-spamming users.

I think the ideas behind the new reputation systems intended to
complement SPF are domain-based rather than IP-based, but the effect is
the same.

Finally we have spammers using compromised machines.  Currently the spam
software running on those machines just selects a sender's name at 
random, but that is certain to change as SPF becomes more popular, and
we should assume that in the future the spam sent from compromised 
machines will look just like it was sent by a regular human user of
that machine.  SPF will not be able to tell the difference.

Correct. I've already heard of one trojan that would pop up a dialog box
for the user to enter their mail settings (username, password, server
name etc.) if it couldn't figure them out itself. People actually fill
these things in!

The bottom line?

Adoption of SPF will change the nature of spam.  It will eliminate 
certain classes of unwanted mail, some of which are not spam in the
UCE/UBE sense.  It will force spammers to use other methods, some of
which are more illegal than what they are doing now.

Combined with legal means, ISPs restricting outgoing traffic, and
a real-time blacklist, you could eliminate much of the spam, but 
not all - compromised machines are a problem in most scenarios.

Agreed.

Paul.
-- 
Paul Howarth <paul(_at_)city-fan(_dot_)org>