spf-discuss

Re: SPF-compliant phishing?

2004-09-15 12:30:47
On Wed, 2004-09-15 at 11:56 -0700, Jonathan Gardner wrote:
When you publish SPF records, you are declaring which servers are allowed to 
represent your domain, and you are claiming responsibility for what those 
servers send. I think you'll find that phishers that publish SPF are 
extremely stupid. The police already have ways to track them down via IP 
address. Giving the police a trail through DNS and registrars is like 
purposely cutting yourself and leaving a blood sample at the scene of the 
crime, or writing down your home address on the wall.

Your analogy seems a little flawed here. Yes, the police already have
ways to track them down via IP address anyway. Some countries even
passed new laws to ensure that ISPs _must_ keep track of the logs which
will give that information. Let's consider that the blood at the scene
-- it's _already_ there. So phishers that publish SPF are writing their
address on the wall _too_ -- it doesn't actually help the police much
since the address they write there is trivial to fake and the blood was
enough in the first place.

On Wednesday 15 September 2004 01:26 am, David Woodhouse wrote:
Some examples to ponder. A mail arrives at your site from one of my mail
hosts, looking like this:

        MAIL FROM:<SRS0+xx+yy+example(_dot_)com+joeuser(_at_)pentafluge(_dot_)srs(_dot_)infradead(_dot_)org>
 and
        Received: from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=me) by
                pentafluge.infradead.org with esmtpsa id 1C7Ej2-0008II-SZ;
                Tue, 14 Sep 2004 15:56:09 +0100
        From: <joeuser(_at_)example(_dot_)com>

It looks like it's been sent by Joe, with SMTP AUTH (that's what the 'a'
means in esmtpsa). But did Joe really send it?

So when someone tells joeuser(_at_)example(_dot_)com that
pentafluge.srs.infradead.org has been sending email that looks like it
is from joeuser(_at_)example(_dot_)com, police will show up at the
following address:

OK. It's all about the sending mail server -- and even without the
breakage that SPF imposes, the police would have turned up here anyway
because my ISP would have told them who had that IP address at that
time.

When "David Woodhouse" or whoever he really is gets caught, he will be 
charged with whatever laws he has broken by sending an email for 
joeuser(_at_)example(_dot_)com and whatever fraud he committed by doing that.

Right. Of course he'll claim that it wasn't him personally and it was
just that his computer was infected with a virus. He has no duty or
responsibility to ensure that this doesn't happen. But now we digress.

If it didn't, then the people who own example.com will find the police on 
their doorstep.
 <...>
If it doesn't, then the people who own hosteddomain.com will find the police 
on their doorstep.
 <...>
If it didn't, then whoever controls the DNS records for 
mail.virtualhosting.com will find the police on their doorstep.

And in these three cases the owner of the domain will just explain that
he had to include that mail server in his SPF record for his email to
keep working, and criminal liability will not be inferred.

You're not answering the questions I asked. We know the police can track
you, and they can do that with only an IP address. That isn't really
relevant to what I was asking, and it certainly isn't a benefit of SPF.

-- 
dwmw2
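The point of the thread is that SPF is evaluated against the envelope MAIL FROM (here the SRS-rewritten return path at the forwarder), so an SPF "pass" says nothing about the domain shown in the From: header. The following is an added example, not code from the thread or from any of the participants: it takes the de-obfuscated headers quoted above, recovers the original sender from the SRS0 address, evaluates SPF against a constructed, hypothetical table of authorised hosts, and flags the mismatch between the SPF-checked domain and the visible From: domain.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample headers from the quoted message, de-obfuscated (constructed test input).
SAMPLE_MAIL_FROM = "SRS0+xx+yy+example.com+joeuser@pentafluge.srs.infradead.org"
SAMPLE_RECEIVED = ("from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=me) by "
                   "pentafluge.infradead.org with esmtpsa id 1C7Ej2-0008II-SZ")
SAMPLE_FROM = "joeuser@example.com"

# Hypothetical SPF data: return-path domain -> hosts allowed to send for it.
# Constructed for the example; these are not the real records of either domain.
SPF_AUTHORISED = {
    "pentafluge.srs.infradead.org": {"pentafluge.infradead.org"},
    "example.com": {"mail.example.com"},
}

# SRS0 layout: SRS0<sep>hash<sep>timestamp<sep>orig-domain<sep>orig-local@forwarder
SRS0_RE = re.compile(r"^SRS0[+=-](?P<hash>[^+=]+)[+=](?P<ts>[^+=]+)[+=]"
                     r"(?P<domain>[^+=]+)[+=](?P<local>.+)@(?P<fwd>.+)$")

@dataclass
class Verdict:
    spf_domain: str                  # domain SPF was actually evaluated for
    spf_result: str                  # "pass" or "fail"
    original_sender: Optional[str]   # sender recovered from the SRS rewrite, if any
    header_from: str                 # what the recipient sees
    aligned: bool                    # SPF-checked domain == From: header domain?
    authenticated_submission: bool   # Exim "esmtpa"/"esmtpsa" => SMTP AUTH was used

def parse_srs0(addr: str) -> Optional[str]:
    """Return the pre-forwarding sender encoded in an SRS0 address, else None."""
    m = SRS0_RE.match(addr)
    return f"{m['local']}@{m['domain']}" if m else None

def sending_host(received: str):
    """Extract the receiving host and protocol token from a Received: header."""
    m = re.search(r"\bby\s+(\S+)\s+with\s+(\S+)", received)
    return (m.group(1), m.group(2)) if m else (None, None)

def evaluate(mail_from: str, received: str, header_from: str,
             spf_data=SPF_AUTHORISED) -> Verdict:
    spf_domain = mail_from.rsplit("@", 1)[1].lower()
    host, proto = sending_host(received)
    spf_result = "pass" if host in spf_data.get(spf_domain, set()) else "fail"
    from_domain = header_from.rsplit("@", 1)[1].lower()
    return Verdict(spf_domain, spf_result, parse_srs0(mail_from), header_from,
                   aligned=(spf_domain == from_domain),
                   authenticated_submission=(proto or "").endswith("a"))
```

On the sample, SPF passes for pentafluge.srs.infradead.org while the From: header claims example.com, so `aligned` is False; the "pass" only tells the recipient that the forwarder accepts responsibility for the envelope, which is the distinction the thread is arguing about.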
