spf-discuss

Re: How to use SPF to reject spam

2005-04-06 07:59:10
Stuart D. Gathman wrote:
On Wed, 6 Apr 2005, Radu Hociung wrote:


Thanks, but I see no similarities between the draft above and the reputation system that I envision.


You will find more similarities with the GOSSiP system.

Differences:
o When there is no SPF PASS, GOSSiP tracks reputation
  by IP address instead of SPF result.

o GOSSiP lets MTAs query "neighbor" MTAs to share reputation info.

Ah, I see. I haven't looked at it, so my objection may be unfounded, but it looks like there would be scalability challenges with this method. With 2^32 IPv4 and 2^128 IPv6 domains, it would be interesting to see how they go about it. I'll look into it.

Using the PASS-ed domain names means that the database would only get as large as the currently active domain name space (i.e., only paid/registered domains will be included) + 4 for the global counters.

Of course this DB has the challenge of a spammer who uses a fake subdomain name, and a wildcard "v=spf1 +all" record, or an equivalent (v=spf1 +ip4:127.0.0.1/1 +ip4:128.0.0.1/1 -all)

Then they could use {rnd}.spamdomain.com
This will be a challenge. However, the registrar and DNS host of the spammer domain would charge a lot of money to host the zone, as there will be many uncacheable queries to the authoritative servers.

If the content-based filters allow 1 in 100,000 of these spam messages, and the success rate (actual sales) is 1 in 1,000, you have about 100 million DNS queries for one sale. This will cost a few dollars, but likely the offender's registrar will pull the plug, due to violated agreement. So the SPF record goes away together with the domain.

If they don't pull the plug, IANA will probably revoke the registrar's license, as their activities place a huge load on the root servers, and do not benefit the Internet. This would be after they establish a reputation of being spammer-friendly.

Radu
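
The over-broad records mentioned in the message above ("v=spf1 +all" and its ip4 equivalent) can be recognized before a PASS is credited to a domain's reputation. The following Python code is an added example, not part of the original post: it computes the fraction of the IPv4 address space for which a record returns PASS. The function names and the 0.5 threshold are assumptions, and only the `all` and `ip4` mechanisms are evaluated (mechanisms that need DNS lookups are skipped).

```python
import ipaddress

def ipv4_pass_fraction(record: str) -> float:
    """Fraction of IPv4 space that gets PASS under SPF first-match evaluation."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    undecided = [ipaddress.ip_network("0.0.0.0/0")]  # not yet matched by any term
    passed = 0
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            mech = ipaddress.ip_network("0.0.0.0/0")
        elif name.lower() == "ip4":
            # strict=False masks host bits: 127.0.0.1/1 becomes 0.0.0.0/1
            mech = ipaddress.ip_network(arg, strict=False)
        else:
            continue  # a, mx, include, ip6, modifiers: not evaluated here
        remaining = []
        for net in undecided:
            if net.subnet_of(mech):        # whole block matched by this term
                hit = net.num_addresses
            elif mech.subnet_of(net):      # term carves a piece out of the block
                hit = mech.num_addresses
                remaining.extend(net.address_exclude(mech))
            else:                          # CIDR blocks are nested or disjoint
                hit = 0
                remaining.append(net)
            if qualifier == "+":
                passed += hit
        undecided = remaining
    return passed / 2 ** 32

def pass_is_meaningful(record: str, threshold: float = 0.5) -> bool:
    """Assumed policy: a PASS counts only if the record authorizes less than
    `threshold` of the IPv4 space."""
    return ipv4_pass_fraction(record) < threshold

if __name__ == "__main__":
    # Records quoted in the message, plus one constructed narrow record.
    for rec in ("v=spf1 +all",
                "v=spf1 +ip4:127.0.0.1/1 +ip4:128.0.0.1/1 -all",
                "v=spf1 ip4:192.0.2.0/24 -all"):
        print(f"{ipv4_pass_fraction(rec):.10f}  {pass_is_meaningful(rec)}  {rec}")
```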