spf-discuss

SPF: Some Problems to Face but Seems Pretty Fair

2005-06-21 21:19:03
Below is an email from a list I am on.  I thought I should forward it to 
SPF discuss.

--
Boyd Gerber <gerberb(_at_)zenez(_dot_)com>
ZENEZ   1042 East Fort Union #135, Midvale Utah  84047

---------- Forwarded message ----------
Date: Tue, 21 Jun 2005 18:10:00 -0500
From: NW on Security <Security(_at_)nwfnews(_dot_)com>
Reply-To: Security Help <NWReplies(_at_)bellevue(_dot_)com>
To: GERBERB(_at_)zenez(_dot_)com
Subject: SPF: Some Problems to Face but Seems Pretty Fair

NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
06/21/05
Today's focus:  SPF: Some Problems to Face but Seems Pretty Fair

Dear Boyd Gerber,

By M. E. Kabay

Andrew Rose posted a note in Risks last January alerting readers 
to a new project called Sender Policy Framework that uses "SPF 
records" to be published in the domain name system. E-mail sent 
with fraudulent headers would be identified because the sender 
would not match an authorized SMTP server registered in the DNS 
by means of these records.

Rose wrote:

"The technical work on SPF is now complete and adoption has 
started. Several thousand domains have published SPF records 
including some very large domains such as aol.com. Plugins exist 
for most of the popular MTAs [Message Transfer Agents] - the 
only notable exception being MS Exchange."

In a sharply worded riposte in Risks 23.18, Markus Fleck-Graffe 
attacked the whole idea of SPF, pointing to these failings among 
others:

1) All forwarded e-mail must be rewritten (e.g., mailing lists 
   must destroy the original header to substitute their own 
   authorized domain).

2) Forwarded e-mail requires a database of reverse mappings to 
   allow bounce messages to reach the original sender.

3) Spammers will subvert the system by establishing their own 
   SPF-enabled infrastructure using temporary domain names.

4) Worms will use the authentic e-mail addresses of their 
   infected host PCs.

Also in Risks 23.18, Ian Jackson criticized the SPF group for 
not using the IETF RFC mechanisms to stimulate discussion and 
improvements of the proposal but rather, "going for a publicity 
campaign to 'bounce' people into adoption."

In Risks 23.19, Lawrence Kestenbaum detailed the misery caused 
by spammers and worms that use his e-mail address in FROM lines, 
causing thousands of bounce messages to arrive at his address 
daily. He wrote in exasperation, "The critics of SPF suggest 
that spammers would simply find or invent other addresses to 
use. Frankly, I don't care about that, so long as they stopped 
plastering my personal address on hundreds of thousands of 
fraudulent and disreputable spam messages and viruses, and 
clogging my server's net connection with vast piles of 
misdirected bounces."

In Risks 23.21, Ben Rosengart recommended doing away with the 
Sender Rewriting Scheme part of SPF, leaving forwarded e-mail 
with the original header unchanged. Peter da Silva pointed out 
that "Implementing SPF would do nothing for the people receiving 
thousands of bounces (myself included). It would simply add 
another filter that bounced messages back to us because `we' 
weren't using the right server."

Dmitri Maziuk added to the conversation with the observation 
that "We know that slapping a band-aid onto implementation to 
fix deficiencies in design doesn't work and creates more 
problems... We already have directory servers, we already have 
digital signatures. All we need is a way to query Domain Name 
Service for directory server of a domain, and a standard 
directory query-response for an e-mail address and associated 
public crypto key."

He also darkly suggested that there would be resistance to this 
scheme from political forces who actually support spam for their 
own purposes: "all 'anti-spam' legislations are really there to 
legalize it. Ergo, all you're going to achieve by implementing 
SPF, blocklists, blacklists, whatever, is to open yourself to 
lawsuits from 'legal' spammers."

In Risks 23.23, Jonathan de Boyne Pollard bitterly points out 
that SPF is a short-term move in an arms race and that it fails 
to solve the underlying problems of SMTP (which include failure 
to authenticate message origins). He ends:

"Perhaps the fact that widespread adoption of SPF will do 
serious damage to the SMTP mail architecture is a good thing. In 
the battle against unsolicited bulk mail, we've concentrated 
upon the wrong problem time after time, with mechanisms that 
address the wrong thing and that don't address the actual 
'unsolicited' and 'bulk' qualities of undesirable mail. SMTP has 
become less usable, more patchy, and more balkanised with each 
new bodge, yet continues to bend and not quite break completely. 
Perhaps the adoption of SPF will turn out to be the straw that 
finally breaks the camel's back, and that thus finally forcibly 
weans us off this bad habit of addressing the wrong problem."

The Wikipedia article on SPF has a good review of the project, 
including a detailed summary of controversial aspects of the 
system: <http://en.wikipedia.org/wiki/Sender_Policy_Framework> 

In addition, I found the November 2004 white paper by Meng Weng 
Wong of the Messaging Anti-Abuse Working Group an excellent 
summary of theory and implementation details: 
<http://spf.pobox.com/whitepaper.pdf> 

That paper's interesting layout includes what could have been 
footnotes as comments and diagrams placed in a separate column 
on the right-hand side of each page. It makes for fascinating 
reading and is worthwhile for mail-system administrators.

To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the 
Division of Business and Management at Norwich University in 
Northfield, Vt. Mich can be reached by e-mail 
<mailto:mkabay(_at_)norwich(_dot_)edu> and his Web site 
<http://www2.norwich.edu/mkabay/index.htm>.

Copyright Network World, Inc., 2005
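
The forwarding objection in the newsletter above (point 1 of the Fleck-Graffe list) can be seen in a simplified SPF check. This is an added example, not part of the forwarded message or of any SPF implementation; the domains, addresses and records are constructed, the records come from a dictionary instead of DNS, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample data: stand-ins for TXT records published in DNS.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.25 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Evaluate a simplified SPF policy for the connecting SMTP client."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and the other mechanisms are outside this sketch
    return "neutral"  # no mechanism matched and the record has no "all"


def forwarding_demo():
    """Return results for direct, forwarded and sender-rewritten delivery."""
    sender = "alice@example.org"
    # 1. Sent by one of example.org's own authorized servers.
    direct = check_spf("192.0.2.10", sender)
    # 2. Relayed by a mailing-list host that keeps the original sender.
    forwarded = check_spf("198.51.100.25", sender)
    # 3. Same relay, but the list substitutes its own domain as sender.
    rewritten = check_spf("198.51.100.25", "bounces@lists.example.net")
    return direct, forwarded, rewritten


if __name__ == "__main__":
    print(forwarding_demo())
```

Case 2 is the forwarding breakage the critics describe; case 3 passes only because the forwarder rewrote the sender, which is why bounces then need a mapping back to the original address.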

