RE: Should I include major ISPs in SPF for our hosted domains?
2005-01-07 00:28:01
Julian Mehnle <bulk(_at_)mehnle(_dot_)net> wrote:
I meant:
1. Notice the SMTP-AUTH identity. See if MAIL FROM matches the SMTP-AUTH
identity. If not, reject the MAIL FROM.
2. Notice the SMTP-AUTH identity. See if MAIL FROM matches the SMTP-AUTH
identity. If not, simply override MAIL FROM with an e-mail address
that is appropriate for the SMTP-AUTH identity.
Stuart D. Gathman [stuart(_at_)bmsi(_dot_)com] wrote:
The ISP should simply compare the MAIL FROM domain with
a list of domains allowed for that SMTP-AUTH identity, and reject/alter
if not included.
I am guessing that most users will use the mail address associated with the
ISP account they are using, but a significant number will want to use
"their own" domain in the outgoing address (whether it's a domain hosted by
$ISP or not).
So. This gets to the part Stuart mentioned... how to create this list. My
thought on this was...
1. Automatically add any email addresses that the ISP knows about (their
account, other aliases or screen names)
2. Automatically add any domains that $ISP serves the DNS for and can
track back to the owner
3. Allow the user to add other addresses, but send a challenge to the
email address being added, similar to confirmation when signing up for a
list. (Send the challenge to postmaster(_at_)domain if the user wants to use
any address in the domain)
I know that some ISPs are starting to use SMTP AUTH (probably so that their
users can send mail with myisp.com from other places on the network, and
the legacy system was blocking them as an off-network third-party relay).
I haven't seen any service providers take the next step to prevent
forgeries, or even doing anything with the AUTH information other than
checking if the password is valid. On providing a valid password you can
spoof whatever you want.
Is this kind of checking even possible with most modern MSAs? I seem to
remember Postfix has a map that can correlate usernames to allowed email
addresses, am I right? Is this possible with sendmail or qmail or others?
This is all assuming that $ISP can build a list as described above. Of
course, web sites where you enter an email address, and the system keeps a
list of "your other email addresses" and whether they are confirmed, is not
a new thing, just something most ISPs have not had to do before.
How I view this in the larger scheme of things. Tying SMTP AUTH info to
MAIL FROM is not the most crucial thing for SPF or other anti-forgery
efforts right now. It will be important soon, but it's not hugely
important right now. Here is why I say this:
The list of domains that are totally unprotected is vast, and spammers
don't seem to be affected by SPF really, yet. Some folks have reported
slightly less forgery of their domain name once they published SPF info,
but I don't think it's enough to celebrate over, yet.
Hopefully if things go our way, spammers will start to avoid any domain
that publishes SPF records at all. That will be the first sign that we're
having an effect and starting to gain back some inches from the miles
already lost to the arms race. The spammers will still be winning, but by
forcing them to change behavior even a little bit, we will have started on
our thousand-mile journey.
If the first cause was "a small-but-dedicated group publishing SPF
records", and it has the desired effect of "changing spammers' behavior,
even slightly," then we can hope that the next link in the chain is "more
admins take notice of SPF". If SPF starts to become noticed *because*
spammers have changed their behavior, then there is a better chance that it
will start to move under its own momentum.
In this vision of the future, "more admins take notice of SPF" leads to
"spammers must change tactics again". It is during this "second wave" that
just merely picking a domain that doesn't have SPF on it won't work as
well, and they will be forced to use same-site forgeries to get their
messages through.
Anyway, my point is, this could be 6 months away, or it could be 2 years
away or more. Sooner or later, ISPs are going to start thinking, "Boy, I
wish there were a clever way to use SMTP AUTH to catch forgeries." That is
when we need to be ready with sample code and how-to's that show ISPs what
they really need to do to keep up with "New Best Practices".
For now the best we can do is advise users to list their favorite ISP
outgoing mailers as either + or ? or ~ depending on their level of trust in
the ISP itself. For example, an ISP that does no SMTP AUTH checking, but
doesn't really have much of a spam problem on the network, might be given a
+, but if they start to have forged messages going out the domain owner
should be ready to change this to a ? or ~. (Or, the domain owner could go
per-user and limit the possible forgery space even further, and this also
makes it harder for spammers to tell which addresses are free for the
spoofing in 1 DNS lookup). It really is up to the domain owner what to do,
but we should be able to give them pros and cons of each side.
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
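As an added illustration (not code from the thread or from any ISP's MSA), here is the SMTP-AUTH-to-MAIL-FROM check Julian and Stuart describe: a per-account list of confirmed addresses and domains, with either the "reject" or the "override MAIL FROM" action. The account names, domains and addresses are constructed.

```python
# Added example, not from the thread: per-account MAIL FROM policy for an MSA.
# Everything in ACCOUNTS is constructed sample data.
import email.utils

# What $ISP knows about each SMTP-AUTH identity:
#  addresses = confirmed individual addresses (account, aliases, challenge-confirmed)
#  domains   = domains the account may use with any local part (hosted DNS, or
#              confirmed by a challenge sent to postmaster@domain)
#  default   = address substituted when the policy mode is "rewrite"
ACCOUNTS = {
    "alice": {"addresses": {"alice@myisp.example", "alice.smith@myisp.example"},
              "domains": {"alice-consulting.example"},
              "default": "alice@myisp.example"},
    "bob":   {"addresses": {"bob@myisp.example"}, "domains": set(),
              "default": "bob@myisp.example"},
}

def _parse(mail_from):
    """Return (localpart, domain, full address) of a MAIL FROM argument.
    Lower-cases the whole address; strict RFC local-part case rules are
    deliberately relaxed for this policy check."""
    addr = email.utils.parseaddr(mail_from)[1].strip("<>").lower()
    local, _, domain = addr.rpartition("@")
    return local, domain, addr

def allowed(auth_id, mail_from):
    """True if MAIL FROM is an address or domain tied to the SMTP-AUTH identity."""
    acct = ACCOUNTS.get(auth_id)
    if acct is None:
        return False                      # unknown login: nothing is permitted
    local, domain, addr = _parse(mail_from)
    if not local or not domain:
        return False                      # null sender (<>) or malformed: mismatch
    if addr in acct["addresses"]:
        return True
    # A confirmed domain also covers its subdomains.
    return any(domain == d or domain.endswith("." + d) for d in acct["domains"])

def decide(auth_id, mail_from, mode="reject"):
    """Option 1 ("reject") or option 2 ("rewrite" to the account's default)."""
    if allowed(auth_id, mail_from):
        return ("accept", mail_from)
    if mode == "rewrite" and auth_id in ACCOUNTS:
        return ("rewrite", ACCOUNTS[auth_id]["default"])
    return ("reject", mail_from)
```

Postfix implements this mapping natively with `smtpd_sender_login_maps` plus `reject_sender_login_mismatch`; the table above is what such a map would contain.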