spf-discuss

RE: Non-adoption of SPF by most-phished domains

2004-09-02 08:59:35
[Paul Bissex]
Performing SPF checks, for me, is part of a larger strategy to reject
forgery of all sorts (for example, a surprising 10-20% of SMTP
connections to my server are HELOing with *my* IP or hostname). I've
been considering working up a Postfix content filter that does forgery
detection outside of SPF, mostly to protect my friends-and-family
users from the onslaught of phishing scams.

Then I thought, gosh, my job would be a lot easier if paypal.com,
ebay.com, and citibank.com (for starters) simply published SPF
records. Of the domains that I see phorged (sorry) most often, only US
Bank has published SPF -- and only for usbank-email.com, not for
usbank.com.

I know that implementation can be difficult for large, busy sites, but
if these guys don't see a strong business (financial) case for
publishing SPF, isn't that a bad sign?

Are efforts underway, but simply at such an early stage that they
can't even publish preliminary (softfail) SPF records?

Has there been any technical outreach aimed at these people?

Perhaps I'm being too impatient?


My organization hosts the largest retail banking conference in the US,
as well as a host of banking security, compliance, payment fraud, and
audit conferences.

For what it's worth, there have been - and will continue to be - a lot
of sessions about combating phishing and other electronic payment fraud
at these conferences. I do not know if SPF or SenderID have been
discussed specifically in past sessions, but the phishing problem is
very much on the management radar at banks.

However, I will encourage the conference managers in our organization to
see that SPF/SenderID (and other anti-forgery technologies) are
specifically evangelized in upcoming sessions presented to bank managers
at our conferences. We simply must have anti-forgery technology in place
to curb email phishing. Despite a lot of lingering issues, SPF/SenderID
are in the IETF standards process and have the most significant field
deployment of any anti-forgery technology. They are the best hope.

One of the reasons banks may not have published SPF records is that SPF
only checks for mail envelope forgery, while phishing is mainly a
problem of From-header forgery. SenderID addresses this gap in SPF;
hopefully the license issues surrounding SenderID can be resolved so
that RFC-2822 header protection is part of some workable MARID standard.

In any case, I cannot speak for or direct my organization as a whole,
but I will make sure that our conference managers know about
SPF/SenderID. Hopefully, they will make sure that details of
SPF/SenderID and the MARID work are presented by speakers on the topic of
electronic fraud at our conferences in the near future.

Regards,

Ryan Malayter
Manager, Applications Architecture and Security
Bank Administration Institute (www.bai.org)
Chicago, Illinois, USA
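The gap Ryan describes (classic SPF checks the envelope sender, while phishing forges the From: header) and the HELO forgery Paul mentions can both be shown on one constructed SMTP transaction. The following is an added example, not code from either poster or from any SPF implementation: the SPF record table stands in for DNS, every domain and address in it is hypothetical, and the From-header check is a simplified illustration of the header-level check SenderID adds, not its actual PRA algorithm.

```python
import ipaddress
from email.utils import parseaddr

# Constructed SPF records keyed by domain (stand-in for DNS TXT lookups).
# The domains and addresses here are hypothetical, not real published records.
SPF_RECORDS = {
    "usbank-email.com": "v=spf1 ip4:192.0.2.0/24 -all",    # full policy, hard fail
    "example-bank.test": "v=spf1 ip4:198.51.100.10 ~all",  # preliminary softfail record
    "bulk-sender.test": "v=spf1 ip4:203.0.113.0/24 -all",  # the phisher's own domain
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate an SPF record for (domain, connecting IP).
    Deliberately minimal: only the ip4 and all mechanisms are supported."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"                            # nothing matched and no "all" term

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def classify(client_ip, helo, mail_from, headers, my_host):
    """Findings for one inbound message: HELO forgery, envelope SPF, From-header SPF."""
    findings = []
    if helo.lower() == my_host.lower():
        findings.append("helo forges our own hostname")
    findings.append("envelope spf=" + check_spf(domain_of(mail_from), client_ip))
    header_domain = domain_of(headers.get("From", ""))
    if header_domain and header_domain != domain_of(mail_from):
        # Envelope and header identities differ; evaluate the header domain too.
        # This is the check an envelope-only SPF receiver never performs.
        findings.append("header-from %s spf=%s" % (header_domain, check_spf(header_domain, client_ip)))
    return findings

# Constructed phishing transaction: the envelope passes SPF for the sender's own
# domain, while the From: header claims a bank whose record rejects this IP.
PHISH = dict(client_ip="203.0.113.5", helo="mail.bulk-sender.test",
             mail_from="bounce@bulk-sender.test",
             headers={"From": '"US Bank" <security@usbank-email.com>'},
             my_host="mx.example.net")
```

Running `classify(**PHISH)` reports `envelope spf=pass` alongside `header-from usbank-email.com spf=fail`, which is exactly the message an envelope-only check would let through.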