spf-discuss

Re: [spf-discuss] Can this really be true?

2005-09-25 06:37:51


Seth Goodman wrote:
From: Dick St.Peters [mailto:stpeters(_at_)NetHeaven(_dot_)com]
Sent: Saturday, September 24, 2005 9:03 PM


<...>

Actually, I take that back.  What matters is that spam not be sent.
How an ISP accomplishes that does not matter except to the ISP and its
users.  Can we agree on that much?


At the end of the day, that's most of what everyone cares about.  But for
large ISPs, policing the users is a major task.  One of the things that
makes spamming a good business is that you can easily impersonate any
desired identity.  That can be stopped by enforcing submission rights.
Though you could do this with POP before SMTP, it is much more practical
with SMTP-AUTH since other ISPs don't block authenticated submission ports.
Not that Exim is the last word in MTAs, but the default setup in the
current version is that the return-path has to match the authenticated
identity and if the From: header does not, it actually adds a Sender: that
does match.  I'm not suggesting that most sites use it that way, but the
fact that those are the defaults does make a statement.


I am currently building a system to enforce SMTP-AUTH with cross-user forgery protection. The concept will hopefully allow a user to log in by SASL (eventually with TLS when all MUAs can do it) and allow the user to choose which of his own domains he wants to send mail from. This will allow a user to have domains or sub-domains with SPF records and the mail *will* be coming from that domain's IP. The method of choosing the domain is causing me some headaches at the moment because of the differing ways people will log in. I don't want to complicate a user's MUA by having a whole lot of SMTP accounts on it, so he has one to log in with and then is presented the choice of his own domains, according to his log-in details.

The security flaws are obvious - if his login details are abused by a spammer, the spammer can send correctly authenticated spam which will pass SPF checks, but given the other aspects of my throttling users of my MTA's SMTP by rate and volume, I hope the amount of spam sent by an abused user's account will be restricted. For genuine bulk-emailing, I am setting up a separate system - probably via a web form, but with the same advantage of the bulk mail being correctly authenticated and coming directly from the user's domain and IP - not some outsourced server who would have to spoof the domain name.

Question - As a fairly low-tech sysadmin, I am able to tackle this, so why do the major ISPs not do so?






The return-path part of that policy is exactly what SPF is designed to
accomplish.  In fact if everyone enforced submission rights this way, there
would be no need for SPF.  This doesn't stop anyone from spamming, just as
SPF doesn't.  What it does prevent is someone spamming and claiming to be
billing@ebay.com or president@whitehouse.gov.  Their phish would not be very
effective if the From: address was hsmith@comcast.net.  Thus, while
enforcing submission rights at an MSA and checking SPF at the receiving MTA
does not prevent spamming, those policies make it a lot harder to make a
living at spamming and a lot easier to identify who sent a given piece of
spam.  Enforcing submission rights and publishing definitive SPF records go
hand in hand.

Mail providers still have to police their users if they don't want to get a
reputation like MSN.  While that's arguably easier when the originator
headers are known to be accurate compared to figuring out who had a given IP
at a given time, the main benefit is making a given mail account useless as
a place from which to send phishes.


At the end of the day - all the policing in the world is not going to be effective if no action is taken. Why do MSN, Yahoo, Hotmail, etc. allow their systems to be abused when it is a relatively easy thing to minimise - if not actually eliminate? Answer - they don't want to lose customers. Yahoo is repeatedly the largest sender of mails, but most of it is spam - so they would lose their "top slot" if only non-spam was counted. You'd probably find that the largest sender of non-spam mail is some much less obvious candidate.

Slainte,
JohnP
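
A sketch of the submission-rights policy discussed in this message (return-path tied to the authenticated login, a Sender: header added when From: differs, per-account throttling), as an added example that is not part of the original thread and is not Exim's code. It generalizes the single-identity match to a set of domains per login; the `OWNED_DOMAINS` table, the function and class names, and all addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: domains each authenticated (SASL) login may send from.
OWNED_DOMAINS = {"jsmith": {"example.org", "shop.example.org"}}

def domain_of(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def check_submission(auth_user, mail_from, raw_message):
    """Apply submission rights to one authenticated message.

    Returns (accepted, message_text). The envelope sender (return-path) must
    be in a domain the login owns, otherwise the message is refused. If the
    From: header lies outside those domains, a Sender: header naming the
    envelope sender is added so the submitting account stays identifiable.
    """
    allowed = OWNED_DOMAINS.get(auth_user, set())
    if domain_of(mail_from) not in allowed:
        return False, raw_message
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    if domain_of(from_addr) not in allowed:
        del msg["Sender"]          # discard any client-supplied Sender:
        msg["Sender"] = mail_from
    return True, msg.as_string()

class Throttle:
    """Per-login sliding-window cap on accepted messages (rate limiting)."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window, self.sent = limit, window_seconds, {}

    def allow(self, user, now):
        """True if `user` may send at time `now` (seconds); records the send."""
        recent = [t for t in self.sent.get(user, []) if now - t < self.window]
        ok = len(recent) < self.limit
        if ok:
            recent.append(now)
        self.sent[user] = recent
        return ok
```
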

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/