spf-discuss

RE: [spf-discuss] SPF basics commentary

2007-01-29 23:56:32
Alex van den Bogaerdt wrote on Monday, January 29, 2007 8:00 PM -0600:

On Mon, Jan 29, 2007 at 05:13:01PM -0800, Devin Ganger wrote:

Given the sheer numbers of bots out there, you can no longer assume
that an incoming SMTP connection is necessarily allowed to be an
email sender. A spammer with a botnet can configure those bots to
use a HELO domain in a domain *the spammer controls*. Sure, the
domain lists the IP address properly, but it's still a stolen IP
address.

SPF is not about authorization for participating in the email system
(nor is HELO).  SPF is about authorization for using domain names.

That spammer authorizes an IP address to use the spammer's domain
name.
So what.

With domain name based reputation schemes, you don't even care if the
host is or is not authorized to use the spammer's name.  You just
won't accept email from "bigspammer.example" (HELO or MAIL FROM).

For a domain with no reputation, you allow them to hand you a limited
number of messages before blacklisting them.  Since zombies work by
hit-and-run, by the time you blacklist them for handing you spam, they
may have already given you all they intended.  The only gain is in the
case of a shared reputation system that uses other people's spam
reports, but that technique improves IP blacklists by a similar amount.

The days when spammers use persistent domains and open relays are long
gone.  They use freshly stolen IPs, and as soon as they are forced to,
they will likely use proper HELO names and even publish valid SPF
records for domains they will shortly abandon.  This is about making
their business more costly to operate as time goes on by decreasing
deliverability, thus requiring more zombies to _deliver_, as opposed to
offer, the same number of messages.  To accomplish that, we have to
decrease the number of messages that a reasonable recipient looks at
before blacklisting.  Their profit margins are astronomical, so we have
to reduce deliverability quite low in order to have any effect.  Even that
may not be enough, but it's our best chance without leveling the whole
system and starting over.


In fact, if the entire world would use these strict helo rules, SPF
would no longer be necessary for HELO, at least not for anti-forgery.

There are a lot of things just as rational that will unfortunately not
happen.  If everyone set up PTR, used valid HELO names, blocked outgoing
port 25 connections and enforced MSA submission rights (all known best
practices recommended in RFCs for many years), you could set up usable
domain reputation systems and reject connections from zombies without
SPF, DK or any ancillary protocols.

--
Seth Goodman
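As an added illustration, not part of the post, of the domain-name reputation scheme discussed above: the gate keys on the asserted HELO and MAIL FROM names rather than the connecting IP, grants a name with no reputation a limited allowance, and the `hit_and_run` simulation shows that a zombie using a fresh name delivers exactly that allowance before reports arrive and the name is blacklisted. The names, thresholds and message counts are constructed.

```python
from collections import defaultdict

class DomainReputationGate:
    """Reputation keyed on the names a sender asserts (HELO and MAIL FROM),
    not on the connecting IP; a name with no reputation gets a small allowance."""

    def __init__(self, unknown_allowance=3, report_threshold=1):
        self.unknown_allowance = unknown_allowance  # messages taken from a not-yet-judged name
        self.report_threshold = report_threshold    # spam reports that blacklist a name
        self.blacklist = set()
        self.accepted = defaultdict(int)            # messages accepted per unjudged name
        self.reports = defaultdict(int)             # spam reports per name

    @staticmethod
    def names(helo, mail_from):
        """Both asserted names; a bad verdict on either one is enough to reject."""
        return {helo.lower().rstrip("."), mail_from.rsplit("@", 1)[-1].lower()}

    def decide(self, helo, mail_from):
        asserted = self.names(helo, mail_from)
        if asserted & self.blacklist:
            return "reject"        # known bad name: which host uses it does not matter
        if any(self.accepted[n] >= self.unknown_allowance for n in asserted):
            return "defer"         # allowance spent, no verdict yet: make them wait
        for n in asserted:
            self.accepted[n] += 1
        return "accept"

    def report_spam(self, helo, mail_from):
        """A recipient (or a shared reputation feed) reports a delivered message."""
        for n in self.names(helo, mail_from):
            self.reports[n] += 1
            if self.reports[n] >= self.report_threshold:
                self.blacklist.add(n)

def hit_and_run(allowance, burst=10):
    """A zombie using a fresh, attacker-controlled name offers `burst` spam
    messages; reports arrive only after the burst. Returns how many were
    delivered and the verdict a later zombie reusing the same name gets."""
    gate = DomainReputationGate(unknown_allowance=allowance)
    helo, sender = "mta.fresh-spam.example", "offer@fresh-spam.example"  # constructed
    delivered = sum(gate.decide(helo, sender) == "accept" for _ in range(burst))
    for _ in range(delivered):                  # reports come in after the damage is done
        gate.report_spam(helo, sender)
    return delivered, gate.decide("other-bot.example", sender)

if __name__ == "__main__":
    for allowance in (10, 3, 1):
        print("allowance", allowance, "->", hit_and_run(allowance))
```

Lowering the allowance is the only lever in this model that cuts what a hit-and-run zombie delivers; the blacklist only helps against the next zombie that reuses the name.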

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/