Good evening, everyone;
My apologies for "yelling" in my previous post.
However, I stand beside the fact that, once accepted and implemented, SPF
will indeed help to reduce both phishing and spam because it will provide a
more reliable audit-trail within the header of the message to validate who
actually sent the message. That having been provided, there are tools
available, even now, that will allow the likes of the FBI and Interpol to
use that date provided in the header of the message to track down who
actually registered the domain name, where the hosting took place, who paid
for the hosting of the server that did the phishing, etc.
Therefore, whether intended or not, SPF will indeed help to reduce both spam
and phishing by criminal elements.
Because the nature of many of our clients is to provide web based shopping
carts, we already validate e-mail addresses using reverse DNS entries,
validation of the sender's e-mail address via the use of domain literals
(RFC1123 5.2.17) and the refusal of the ability of anyone using a free
e-mail account to correspond or place an online order using those free
e-mail accounts.
The addition of the SPF record for a specific domain name will go a long way
towards assisting law enforcement agencies with the tracking of illegally
forged message headers by virtue of the fact that there will be a lot more
data to look back into and use to assist in the finding of a criminal
element when e-mail is used to perpetrate a crime.
How the forwarding and mailing list problems will be resolved is another
problem that should not be included in either the SPF protocol or
implementation, but resolved by the software vendors of the forwarding and
mailing list programs.
Bruce Barnes
ChicagoNetTech Inc
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Hannah
Schroeter
Sent: Monday, November 22, 2004 11:07
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Forwarding is spoofing Was:
Electronic Frontier Foundation (EFF) Article On Anti-Spam Technologies
Mentions SPF
Hello!
On Mon, Nov 22, 2004 at 10:12:41AM -0600, Bruce Barnes wrote:
> We're missing the point here, people.
> The issue is to eliminate as much SPAM and PHISHING as possible and this
> WILL require some radical steps to implement. If that means forcing people
> to upgrade software - which it WILL - then so be it!
SPF isn't intended to eliminate spam, as many here explicitly stated.
It's only there to reduce *envelope* sender forgeries. So phishing
(no need to shout btw) isn't prevented either, as usual MUAs only
display header from (2822, not 2821), a few other headers (usually *not*
Return-Path) and the body of the mail. So SPF will not prevent me from
mailing this:
    MAIL FROM: <phisher(_at_)somewhere(_dot_)example>
    RCPT TO: <victim...>
    DATA
    From: technical_staff(_at_)your_favourite_bank(_dot_)example
    To: victim...
    Subject: Technical Problems with Online Banking

    Hello!
    We have problems with our online banking. Until services return to
    normal, please use
    https://www.yourfavourite_bank.example/temporary_banking/
    [NOTE: Mind the missed '_'!]
    for urgent banking needs.
    We'll notify you when the normal services are back up.
    Kind regards,
    Technician
My MAIL FROM validates (because it's on my domain and I control SPF for
this). The From and web site forgery (which is the main problem point)
isn't checked by spf at all.
So preventing phishing is something even more difficult than preventing
spam.
And my example would work even a bit better with HTML mail, of course.
[...]
Kind regards,
Hannah.
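
The gap described in the message above (SPF validates the RFC 2821 envelope sender, while the MUA shows the RFC 2822 From header) can be checked on the receiving side. The following is an added example, not part of either message: the Return-Path and Received-SPF lines, the recipient address and the function names are constructed for illustration, and the "same or subdomain" comparison is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message in the post (addresses de-obfuscated;
# the recipient and the Received-SPF line are invented for the example).
SAMPLE = (
    "Return-Path: <phisher@somewhere.example>\n"
    "Received-SPF: pass (constructed sample) envelope-from=phisher@somewhere.example\n"
    "From: technical_staff@your_favourite_bank.example\n"
    "To: victim@recipient.example\n"
    "Subject: Technical Problems with Online Banking\n"
    "\n"
    "We have problems with our online banking.\n"
)

def domain_of(value):
    """Lower-cased domain of an address header value, or '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def same_or_subdomain(a, b):
    """Simplified alignment (assumption): equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def assess(raw):
    msg = message_from_string(raw)
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    envelope = domain_of(msg.get("Return-Path"))   # RFC 2821 MAIL FROM: what SPF checked
    from_headers = msg.get_all("From") or []       # RFC 2822 From: what the MUA displays
    displayed = domain_of(from_headers[0]) if len(from_headers) == 1 else ""
    if not displayed:
        verdict = "reject: missing or multiple From headers"
    elif spf != "pass":
        verdict = "unauthenticated: SPF result is " + spf
    elif not same_or_subdomain(envelope, displayed):
        verdict = "mismatch: SPF passed for %s, user sees %s" % (envelope, displayed)
    else:
        verdict = "aligned"
    return {"spf": spf, "envelope": envelope, "displayed": displayed, "verdict": verdict}

if __name__ == "__main__":
    print(assess(SAMPLE))
    legit = SAMPLE.replace("phisher@somewhere.example",
                           "bounces@mail.your_favourite_bank.example")
    print(assess(legit))
```

An SPF "pass" on the sample message authenticates only somewhere.example, so the verdict is a mismatch even though nothing in SPF itself failed.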