-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Stuart D. Gathman wrote:
> We (and our customers) have been bombarded by a boatload of German spam.
> One characteristic of this spam is that the (forged) MAIL FROM is always
> a domain with an SPF record that returns NEUTRAL for the zombies IP. It
> is as if the zombie program screens potential forged MAIL FROMs to
> ensure that they have an SPF record and won't get a FAIL.
Obviously this isn't true. I keep getting lots of misdirected bounces from
idiots who don't bother checking this German propaganda spam against my
SPF records, which only give "Pass" or "Fail" results.
> But it's an interesting theory, as this may very well become a reality with
> another virm/spam run soon.
> I already reject NEUTRAL for commonly forged domains (e.g. aol.com), but
> this new attack may lead to rejecting NEUTRAL results across the board.
Domains whose policy gives "Neutral" results (like those without any policy
at all) don't care enough about being abused. IOW, they are showing their
consent to be forged. In the grand scheme of things, that probably
shouldn't be reason enough to block them.
What annoys me most is that too many ignorants are still not checking SPF
records (see my first paragraph). We need quicker adoption of SPF.
> (Other than noting that the draft RFC says NEUTRAL MUST BE treated the
> same as NONE. My MTA, my rules.)
Well, I have always been against mandating receiver policy, which is
exactly what reactions to individual result codes are. This rule in the
spec is pointless because adherence isn't essential for the working of
SPF, so people are going to ignore it at will.
> Apparently, pobox.com redirects to a user-specific SPF record. So all a
> spammer has to do is sign up, create an SPF record for their account of
> 'v=spf1 ?all', and spam away with a mail from domain of pobox.com.
...which is exactly the same spammers can do with _any_ publicly available
e-mail service. E-mail services need to confirm the user's identity (by
sending them an unlock code to their postal address, or through similar
means) or live with an increased risk of being abused by spammers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCiQT4wL7PKlBZWjsRAoiBAJ9HEXAPleZhHECmPXM+5StfhTOgJQCfUIgS
Vq5mgaI0IMdnX+fFIfxqC54=
=bQR0
-----END PGP SIGNATURE-----
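As an added example (not code from either poster, nor from any SPF implementation), the following Python sketch shows the result handling this thread argues about: a minimal evaluator for the ip4/ip6/all mechanisms with the four qualifiers, and a receiver-side policy that rejects Fail, optionally rejects Neutral for a local list of commonly forged domains (or everywhere), and otherwise treats Neutral like None as the draft says. The domain names and their records are constructed stand-ins for DNS TXT lookups, not real policies of those domains; the "spammer" record is the literal `v=spf1 ?all` from the message.

```python
import ipaddress

# Constructed sample records standing in for DNS TXT lookups (hypothetical,
# not the real SPF policies of these names). None means "no record published".
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",    # strict: Pass or Fail only
    "example.org": "v=spf1 ip4:198.51.100.10 ?all",   # Neutral for everyone else
    "example.com": None,                              # no SPF record at all
    "spammer.example": "v=spf1 ?all",                 # the record a spammer would publish
}

# SPF qualifier prefix -> result name when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a subset of SPF (ip4, ip6 and all mechanisms) for client_ip.

    Returns one of: "none", "pass", "fail", "softfail", "neutral".
    Mechanisms such as a, mx, include and the redirect modifier are out of
    scope for this sketch and are skipped as non-matching.
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term and term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v4 address is never "in" a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched: default result


# Local receiver policy: domains this receiver considers commonly forged.
# For these, a Neutral result is rejected; this is a local choice, not
# something the specification requires.
COMMONLY_FORGED = {"example.org"}


def receiver_decision(mail_from_domain, client_ip, reject_neutral_everywhere=False):
    """Return (spf_result, action) where action is "reject" or "accept"."""
    result = evaluate_spf(SPF_RECORDS.get(mail_from_domain), client_ip)
    if result == "fail":
        return result, "reject"
    if result == "neutral" and (
        reject_neutral_everywhere or mail_from_domain in COMMONLY_FORGED
    ):
        return result, "reject"
    # Per the draft, Neutral is otherwise treated exactly like None:
    # no SPF verdict, the message goes on to other filters.
    return result, "accept"


if __name__ == "__main__":
    zombie = "203.0.113.5"                  # constructed "zombie" client IP
    for domain in SPF_RECORDS:
        print(domain, receiver_decision(domain, zombie))
    print("spammer.example, reject Neutral everywhere:",
          receiver_decision("spammer.example", zombie, reject_neutral_everywhere=True))
```

The point the sketch makes concrete is the one in the message: a `?all` record never yields Fail, so a forwarder or receiver that only acts on Fail lets the forged mail through, and the only way to change that is a local policy on Neutral, which the `reject_neutral_everywhere` flag and the `COMMONLY_FORGED` set represent.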