Below is an email from a list I am on. I thought I should forward it to
SPF discuss.
--
Boyd Gerber <gerberb(_at_)zenez(_dot_)com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
---------- Forwarded message ----------
Date: Tue, 21 Jun 2005 18:10:00 -0500
From: NW on Security <Security(_at_)nwfnews(_dot_)com>
Reply-To: Security Help <NWReplies(_at_)bellevue(_dot_)com>
To: GERBERB(_at_)zenez(_dot_)com
Subject: SPF: Some Problems to Face but Seems Pretty Fair
NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
06/21/05
Today's focus: SPF: Some Problems to Face but Seems Pretty Fair
Dear Boyd Gerber,
By M. E. Kabay
Andrew Rose posted a note in Risks last January alerting readers
to a new project called Sender Policy Framework that uses "SPF
records" to be published in the domain name system. E-mail sent
with fraudulent headers would be identified because the sender
would not match an authorized SMTP server registered in the DNS
by means of these records.
Rose wrote:
"The technical work on SPF is now complete and adoption has
started. Several thousand domains have published SPF records
including some very large domains such as aol.com. Plugins exist
for most of the popular MTAs [Message Transfer Agents] - the
only notable exception being MS Exchange."
In a sharply worded riposte in Risks 23.18, Markus Fleck-Graffe
attacked the whole idea of SPF, pointing to these failings among
others:
1) All forwarded e-mail must be rewritten (e.g., mailing lists
must destroy the original header to substitute their own
authorized domain).
2) Forwarded e-mail requires a database of reverse mappings to
allow bounce messages to reach the original sender.
3) Spammers will subvert the system by establishing their own
SPF-enabled infrastructure using temporary domain names.
4) Worms will use the authentic e-mail addresses of their
infected host PCs.
Also in Risks 23.18, Ian Jackson criticized the SPF group for
not using the IETF RFC mechanisms to stimulate discussion and
improvements of the proposal but rather, "going for a publicity
campaign to 'bounce' people into adoption."
In Risks 23.19, Lawrence Kestenbaum detailed the misery caused
by spammers and worms that use his e-mail address in FROM lines,
causing thousands of bounce messages to arrive at his address
daily. He wrote in exasperation, "The critics of SPF suggest
that spammers would simply find or invent other addresses to
use. Frankly, I don't care about that, so long as they stopped
plastering my personal address on hundreds of thousands of
fraudulent and disreputable spam messages and viruses, and
clogging my server's net connection with vast piles of
misdirected bounces."
In Risks 23.21, Ben Rosengart recommended doing away with the
Sender Rewriting Scheme part of SPF, leaving forwarded e-mail
with the original header unchanged. Peter da Silva pointed out
that "Implementing SPF would do nothing for the people receiving
thousands of bounces (myself included). It would simply add
another filter that bounced messages back to us because `we'
weren't using the right server."
Dmitri Maziuk added to the conversation with the observation
that "We know that slapping a band-aid onto implementation to
fix deficiencies in design doesn't work and creates more
problems... We already have directory servers, we already have
digital signatures. All we need is a way to query Domain Name
Service for directory server of a domain, and a standard
directory query-response for an e-mail address and associated
public crypto key."
He also darkly suggested that there would be resistance to this
scheme from political forces who actually support spam for their
own purposes: "all 'anti-spam' legislations are really there to
legalize it. Ergo, all you're going to achieve by implementing
SPF, blocklists, blacklists, whatever, is to open yourself to
lawsuits from 'legal' spammers."
In Risks 23.23, Jonathan de Boyne Pollard bitterly points out
that SPF is a short-term move in an arms race and that it fails
to solve the underlying problems of SMTP (which include failure
to authenticate message origins). He ends:
"Perhaps the fact that widespread adoption of SPF will do
serious damage to the SMTP mail architecture is a good thing. In
the battle against unsolicited bulk mail, we've concentrated
upon the wrong problem time after time, with mechanisms that
address the wrong thing and that don't address the actual
'unsolicited' and 'bulk' qualities of undesirable mail. SMTP has
become less usable, more patchy, and more balkanised with each
new bodge, yet continues to bend and not quite break completely.
Perhaps the adoption of SPF will turn out to be the straw that
finally breaks the camel's back, and that thus finally forcibly
weans us off this bad habit of addressing the wrong problem."
The Wikipedia article on SPF has a good review of the project,
including a detailed summary of controversial aspects of the
system: <http://en.wikipedia.org/wiki/Sender_Policy_Framework>
In addition, I found the November 2004 white paper by Meng Weng
Wong of the Messaging Anti-Abuse Working Group an excellent
summary of theory and implementation details:
<http://spf.pobox.com/whitepaper.pdf>
That paper's interesting layout includes what could have been
footnotes as comments and diagrams placed in a separate column
on the right-hand side of each page. It makes for fascinating
reading and is worthwhile for mail-system administrators.
_______________________________________________________________
To contact: M. E. Kabay
M. E. Kabay, Ph.D., CISSP, is Associate Professor in the
Division of Business and Management at Norwich University in
Northfield, Vt. Mich can be reached by e-mail
<mailto:mkabay(_at_)norwich(_dot_)edu> and his Web site
<http://www2.norwich.edu/mkabay/index.htm>.
A Master's degree in the management of information assurance in
18 months of study online from a real university - see
<http://www.msia.norwich.edu/>
Copyright Network World, Inc., 2005
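
Failings 1 and 2 in the list attributed to Markus Fleck-Graffe above can be seen in a small simulation. The following is an added example, not part of the newsletter or of any SPF implementation: a simplified evaluator that understands only the `ip4:` and `all` mechanisms, applied to the envelope sender, with constructed records, domains and documentation-range IP addresses, and an SRS-style rewrite that omits the hash and timestamp a real scheme carries.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (assumed sample data).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "lists.example.net": "v=spf1 ip4:198.51.100.25 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, envelope_from):
    """Evaluate a simplified SPF policy for the connecting IP and envelope sender."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qualifier]       # catch-all, normally last
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return RESULTS[qualifier]
    return "neutral"                        # nothing matched, no "all" term

# Forwarder-side table of reverse mappings (failing 2): rewritten -> original.
REVERSE_MAP = {}

def rewrite_sender(original, forwarder_domain):
    """SRS-style rewrite so the forwarder's own SPF record applies (failing 1)."""
    local, domain = original.rsplit("@", 1)
    rewritten = f"SRS0={domain}={local}@{forwarder_domain}"
    REVERSE_MAP[rewritten] = original       # needed to route bounces back
    return rewritten

def demo():
    sender = "alice@example.org"
    direct = check_spf("192.0.2.10", sender)         # sent by example.org's server
    forwarded = check_spf("198.51.100.25", sender)   # relayed, sender unchanged
    rewritten = rewrite_sender(sender, "lists.example.net")
    relayed = check_spf("198.51.100.25", rewritten)  # relayed, sender rewritten
    return direct, forwarded, relayed, REVERSE_MAP[rewritten]

if __name__ == "__main__":
    print(demo())
```

The forwarded message fails only because the relay's address is not in the original domain's record; once the envelope sender is rewritten, the check passes against the forwarder's record, and the reverse map is what lets a bounce reach the original sender.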