At 06:37 PM 8/25/2004 +0200, Ralf Doeblitz wrote:
AccuSpam wrote:
[...]
Second, the problem is once you enumerate the legitimate address
publicly, then you tell the spammers what they are.
The same is true for any kind of reputation system.
Yes and that is why I am saying do not enumerate them.
Thus I still do not see how SPF can solve this kind of scenario I laid out when
I started this thread:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0824.html
Which was better explained by me here:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/0860.html
And in a post which never appeared in list (apparently censored during the
"war" :-):
AccuSpam <support(_at_)accuspam(_dot_)com> writes:
Also I think many people who buy domains for personal use do get a
*@domain mailbox. It is sort of a super feature that ISPs can offer
at no extra cost. Maybe I am wrong. But certainly many of the
millions of domains have a *@domain mailbox, and this is a big hole for
*EXISTENT* sender address email forgery.
Why is this a big hole? Surely this only affects incoming mail and has
no effect on sender address email forgery.
Disagree, see below...
If you are thinking of
call-back checks (by the recipient) then do not forget that (at least
with SPF) the mail has to come from the correct MTA as well. But I
agree that where several domains all use a common (ISP) server it does
allow for other users of the same server to forge the sender address.
Perhaps you missed my core point.
(1) In the scenario I described, the owner of the domain chooses *NOT* to
set "-all" for his legitimate addresses, because the owner is not ready to
follow the requirements for sending email when "-all" is set.
(2) Yet spammers keep forging addresses (of *@domain) which are *NOT* the
legitimate addresses (of *@domain), and the owner wants to set "-all" on *ALL*
addresses (of *@domain) which are *NOT* the legitimate addresses (of
*@domain).
In other words, the owner of the domain wants to maintain the status quo with his
legitimate address, but blacklist sending from addresses which the owner of the
domain does not ever use.
I feel this is VERY IMPORTANT, because you could get much faster adoption of
SPF in this scenario than if you require the owner to force "-all" on his
legitimate addresses (of *@domain), because then the owner can quickly set an SPF
DNS record and not have to do anything else to meet the "-all" requirement.
Then at least you close the very obvious forging hole for spammers, i.e.
randomly forging *@domain, searching for domains which have a
*@domain mailbox.
</grreplace>
<gr_replace lines="57-58" cat="reformat" orig="Not only can">
Not only can the spammers then forge you (not all recipients will
implement SPF), but they can now spam you to high heaven!
Please consider there are millions of domains owned by novice individuals,
who may have more important priorities than making sure they have done all
policies necessary to comply with "-all". Setting a DNS record is very
simple in comparison.
Note, I do not think this issue is as crucial to SPF's success, as the other
issue I raised today:
http://archives.listbox.com/spf-discuss(_at_)v2(_dot_)listbox(_dot_)com/200408/1063.html
AccuSpam wrote:
Not only can then the spammers forge you (not all recipients will
implement SPF) , but they can now spam you to high heaven!
So the "exists" mechanism is not going to work for this scenario?
At 06:37 PM 8/25/2004 +0200, Ralf Doeblitz wrote:
It works, but it has its drawbacks. You could try "security by obscurity"
and disallow zone transfers for the subzone that contains the user entries,
but the spammer could still use a dictionary attack to find valid usernames.
Yes, perhaps, but I was trying to get SPF to work for it, so that SPF would have
another KILLER anti-forgery feature that would increase adoption.
But I do not think that this is a big problem, as many addresses are already
known to spammers and used by them both as targets and fake senders. IMHO
you gain more than you risk by using this kind of whitelisting.
Oh I disagree and I see a lot of spam data.
I can prove this wrong simply by the fact that one address I have gets 3000
spams a day and the other one only 9 spams a day.
And remember, you only need this for users that can not use a submission
service (something that is easily set up and already offered by many
freemailers).
It has been made very clear to me that some (most or all?) people in this list
think that getting millions of "gramma" users to switch to SMTP authentication
is like flipping a switch.
I happen to know it will take years at best. And SPF can not wait that long.
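The per-address whitelisting the thread argues about (the "exists" mechanism keyed on the sender's local part, with "-all" for every other address) as an added example; this is not code from the thread or from any SPF implementation. The domain, local parts and DNS contents are constructed, and the evaluator handles only the two mechanisms this record uses.

```python
# Constructed stand-in for DNS: an A record exists only for the per-user
# labels of the two mailboxes the (hypothetical) owner really uses.
FAKE_DNS_A = {
    "alice._spf.example.com": "127.0.0.2",
    "support._spf.example.com": "127.0.0.2",
}

# The owner's hypothetical record: a sender address passes only if its
# local part has a label under _spf.example.com; everything else is "-all".
SPF_RECORD = "v=spf1 exists:%{l}._spf.example.com -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macro(domain_spec, sender):
    """Expand only the %{l} (local part) and %{d} (domain) macros."""
    local, _, domain = sender.partition("@")
    return domain_spec.replace("%{l}", local).replace("%{d}", domain)


def check_spf(sender, record=SPF_RECORD, dns_a=FAKE_DNS_A):
    """Minimal evaluator for the 'exists' and 'all' mechanisms.

    The connecting IP is never consulted because this record never tests it:
    'exists' matches purely on whether the expanded name has an A record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech.startswith("exists:"):
            name = expand_macro(mech[len("exists:"):], sender)
            if name in dns_a:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"


def whitelist_reveals(local_part, dns_a=FAKE_DNS_A, domain="example.com"):
    """The drawback raised above: the same lookup any receiver performs also
    answers 'does this local part exist?' for anyone who asks."""
    return f"{local_part}._spf.{domain}" in dns_a
```

The receiver gets "pass" for the two real mailboxes and "fail" for any other local part without the owner changing how those mailboxes send, which is the fast-adoption case argued for above; the price is that each per-user label is publicly resolvable, which is the enumeration drawback Ralf points out.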