spf-discuss

RE: Should I include major ISPs in SPF for our hosted domains?

2005-01-07 00:28:01
--Julian Mehnle <bulk(_at_)mehnle(_dot_)net> wrote:

I meant:

 1. Notice the SMTP-AUTH identity.  See if MAIL FROM matches the SMTP-AUTH
    identity.  If not, reject the MAIL FROM.

 2. Notice the SMTP-AUTH identity.  See if MAIL FROM matches the SMTP-AUTH
    identity.  If not, simply override MAIL FROM with an e-mail address
    that is appropriate for the SMTP-AUTH identity.

Stuart D. Gathman [stuart(_at_)bmsi(_dot_)com] wrote:
The ISP should simply compare the MAIL FROM domain with
a list of domains allowed for that SMTP-AUTH identity, and reject/alter
if not included.


I am guessing that most users will use the mail address associated with the ISP account they are using, but a significant number will want to use "their own" domain in the outgoing address (whether it's a domain hosted by $ISP or not).

So. This gets to the part Stuart mentioned... how to create this list. My thought on this was...

 1. Automatically add any email addresses that the ISP knows about (their account, other aliases or screen names)

 2. Automatically add any domains that $ISP serves the DNS for and can track back to the owner

 3. Allow the user to add other addresses, but send a challenge to the email address being added, similar to confirmation when signing up for a list. (Send the challenge to postmaster(_at_)domain if the user wants to use any address in the domain)

I know that some ISPs are starting to use SMTP AUTH (probably so that their users can send mail with myisp.com from other places on the network, and the legacy system was blocking them as an off-network third-party relay). I haven't seen any service providers take the next step to prevent forgeries, or even do anything with the AUTH information other than checking if the password is valid. On providing a valid password you can spoof whatever you want.

Is this kind of checking even possible with most modern MSAs? I seem to remember Postfix has a map that can correlate usernames to allowed email addresses, am I right? Is this possible with sendmail or qmail or others?

This is all assuming that $ISP can build a list as described above. Of course, web sites where you enter an email address, and the system keeps a list of "your other email addresses" and whether they are confirmed, is not a new thing, just something most ISPs have not had to do before.


How I view this in the larger scheme of things. Tying SMTP AUTH info to MAIL FROM is not the most crucial thing for SPF or other anti-forgery efforts right now. It will be important soon, but it's not hugely important right now. Here is why I say this:

The list of domains that are totally unprotected is vast, and spammers don't seem to be affected by SPF really, yet. Some folks have reported slightly less forgery of their domain name once they published SPF info, but I don't think it's enough to celebrate over, yet.

Hopefully if things go our way, spammers will start to avoid any domain that publishes SPF records at all. That will be the first sign that we're having an effect and starting to gain back some inches from the miles already lost to the arms race. The spammers will still be winning, but by forcing them to change behavior even a little bit, we will have started on our thousand-mile journey.

If the first cause was "a small-but-dedicated group publishing SPF records", and it has the desired effect of "changing spammers' behavior, even slightly," then we can hope that the next link in the chain is "more admins take notice of SPF". If SPF starts to become noticed *because* spammers have changed their behavior, then there is a better chance that it will start to move under its own momentum.

In this vision of the future, "more admins take notice of SPF" leads to "spammers must change tactics again". It is during this "second wave" that just merely picking a domain that doesn't have SPF on it won't work as well, and they will be forced to use same-site forgeries to get their messages through.

Anyway, my point is, this could be 6 months away, or it could be 2 years away or more. Sooner or later, ISPs are going to start thinking, "Boy I wish there were a clever way to use SMTP AUTH to catch forgeries." That is when we need to be ready with sample code and how-to's that show ISPs what they really need to do to keep up with "New Best Practices".


For now the best we can do is advise users to list their favorite ISP outgoing mailers as either + or ? or ~ depending on their level of trust in the ISP itself. For example, an ISP that does no SMTP AUTH checking, but doesn't really have much of a spam problem on the network, might be given a +, but if they start to have forged messages going out the domain owner should be ready to change this to a ? or ~. (Or, the domain owner could go per-user and limit the possible forgery space even further, and this also makes it harder for spammers to tell which addresses are free for the spoofing in one DNS lookup). It really is up to the domain owner what to do, but we should be able to give them pros and cons of each side.


--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
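The SMTP-AUTH-to-MAIL-FROM check discussed in this thread, as an added example that is not code from the list or from any ISP: it builds the per-identity allow list from the three sources in Greg's post (known account addresses, domains the ISP serves DNS for, user-confirmed extras) and applies either Julian's option 1 (reject) or option 2 (override). The account, hosted-domain and confirmed-address tables are constructed sample data for a hypothetical ISP "myisp.example"; Postfix implements the same idea natively with smtpd_sender_login_maps and reject_sender_login_mismatch.

```python
# Constructed sample data for a hypothetical ISP "myisp.example" (not a real provider).
ACCOUNTS = {  # auth identity -> primary address and aliases the ISP already knows (step 1)
    "alice": {"primary": "alice@myisp.example", "aliases": {"asmith@myisp.example"}},
    "bob": {"primary": "bob@myisp.example", "aliases": set()},
}
HOSTED_DNS = {"alice-example.org": "alice"}  # domain the ISP serves DNS for -> owner (step 2)
CONFIRMED = {  # identity -> addresses (or "@domain") the user added and confirmed (step 3)
    "bob": {"bob@otherhost.example", "@bobs-domain.example"},
}


def allowed_senders(auth_id):
    """Per-identity allow list: exact addresses plus '@domain' wildcards."""
    acct = ACCOUNTS.get(auth_id)
    if acct is None:
        return set()
    allow = {acct["primary"]} | set(acct["aliases"])
    allow |= {"@" + d for d, owner in HOSTED_DNS.items() if owner == auth_id}
    allow |= CONFIRMED.get(auth_id, set())
    return {a.lower() for a in allow}


def mail_from_allowed(auth_id, mail_from):
    """True if MAIL FROM is an allowed address or lies in an allowed domain."""
    addr = mail_from.strip().strip("<>").lower()
    if "@" not in addr:  # null sender "<>" or malformed: never a user's own address
        return False
    allow = allowed_senders(auth_id)
    return addr in allow or "@" + addr.rsplit("@", 1)[1] in allow


def check_mail_from(auth_id, mail_from, mode="reject"):
    """Apply option 1 (mode="reject") or option 2 (mode="override").

    Returns (action, address): ("accept", addr), ("reject", addr), or
    ("override", primary) where primary is the identity's own address.
    """
    if auth_id is None or auth_id not in ACCOUNTS:
        return ("reject", mail_from)  # no usable AUTH identity: trust nothing
    if mail_from_allowed(auth_id, mail_from):
        return ("accept", mail_from)
    if mode == "override":
        return ("override", ACCOUNTS[auth_id]["primary"])
    return ("reject", mail_from)
```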

