Spoofed From: Prevention

An anonymous reader writes "It looks like the next promising advance in the war on spam is here! Introducing SPF: Sender Permitted From. A draft RFC is still being written, but the idea is simple: we can prevent forged emails by having domain owners publish a list of IP addresses authorized to send mail from their domain. It's no silver bullet, but how much spam can we eliminate by preventing forged mail from spoofed domains? Maybe we really don't need anti-spam legislation after all? The SPF site is chock-full of juicy info for our reading enjoyment. Bon appetit!" Interestingly, the to-do list mentions the possibility of seeking a defensive patent on this scheme, too.

Re:Won't work unless everyone implements this

[donnz]

Sort of not. All we need are a few of the big ones to sign up to see significant impact.

In fact, other /.ers can explain this much more clearly.

Re:BAD Idea

[monsterlemon]

> This is a BAD idea. What happens when I have 3
> different email accounts that I use for different
> things, and I want to send mail from each of them
> from my home ISP? Sure, each email provider can
> provide a secure SMTP for me to log into, but this
> sounds like a lot of work.

Actually it's a very good idea.

A lot of work? For the ISPs? Or for you?

Setting up an authenticated SMTP server is not hard, and the cost -- compared to the costs that ISPs are forced to incur to deliver spam, would be small.

For you? Just go into your Outlook (or whatever) preferences and edit the outgoing server. Big deal.

As for spammers getting round it, sure they can forge their mail as if it were from someone else at the same domain. But the admins of that domain will have their server logs and will know who to go after.

And the fact that the spammer will only be able to post from a domain he (any "she" spammers out there feeling hard done by, do speak up) controls will greatly reduce the number of bounces you and I get from spam that pretends to be from us.

So, overall, while SPF won't stop spam, it will help, and it will introduce a lot more accountability into the email process -- which can only be a good thing.

Re:Another problem:

[Pharmboy]

Actually, that brings something important to mind: Here in Australia a very large proportion of mail servers are Debian boxes. If that patent idea gets taken up, I can't see Debian including SPF; it'll be poison.

He refered to patenting it, and immediately releasing it as Public Domain. This means it can be used by anyone, in any license, even Microsoft. Actually, you NEED Microsoft to use it if you want it to work anyway. But there is already lots of PD in Linux, including Debian, so no worries.

What I'd like to do is reverse EMAIL lookup checks

[leonbrooks]

That is, at the "MAIL FROM:" stage, my email server goes through most of the steps involved in sending a reply email back, to wit, finding a willing MX server, connecting to port 25 on it, falling back etc as you would normally do to send a reply, but do something like "MAIL FROM:id.3141592763@spamtest.mydomain.dom" when it came time to ID the sender. This will allow you to give positive responses to the other end if they in turn perform a similar check on you. If the SMTP process can't get up to "DATA" without a rejection of some kind, then the inbound mail is spam by definition. Either way, it then drops the connection so the return "mail" isn't delivered.

Perhaps it could say DATA/If you receive this, your email server has been misconfigured./Please ask your system administrator or ISP to configure the server to discard incomplete email messages.// -pause- disconnect.

That won't get them all, and there will be the odd false positive (550 unable to validate sender address), but it should get most, no worries. It'll certainly get the zillion or so messages spoofed as being from "@hotmail.com" "@yahoo.com" and so on. If you wanted to be a pedand, you'd check the embedded "From:" address as well as the enveloped one.

I'd also appreciate some name-finding AI, so that when a message which programs like SpamAssassin become absolutely dead-set convinced is spam (ie, the filter doesn't say "maybe spam", the filter says "if this isn't spam, upload me to a microwave") arrives - but passes the above test - any email addresses mentioned in it get a score or so of vary different but realistic-looking "replies" based on the original message ("Re: P*E+N~I:S E|N-L=A/R'G\E!R/Dear Sexy Sal//Please send me four boxes of penis perpetration patches. My credit card number is 3141-5926-5358-9793 and expires on 04-04. My address is Australian Federal Police/Hay Street/East Perth 6001.//Please use plain brown wrapper on the parcel.//Fred Q Nurk esq") but from a variety of bit-bucket addresses and spread out over the next few hours. A bit sad if the spammer is spoofing from your address, but you can easily filter everything related to such spoofing - and otherwise forces the scumbags to work for their addresses. Even better if he wants to talk to a bot about invalid credit card numbers or mismatched expiry dates. Better still if you can arrange to get them done for credit card fraud, maybe by using numbers from your local supermarket's stolen-cards list. Working for their addresses is exactly what spammers don't want to do.

You see, I've become convinced that a war of attrition - making it harder for spam to get through - isn't enough.

The thing that makes spam work is that it's cheap to get addresses and cheap to send out mail. Since there will always be bad-apple ISPs (and dumbo-sucker ISPs) who let the canned-ham merchants send the stuff, the obvious step is to make collecting the addresses harder.

Collecting addresses is a two-phase process. Phase one harvests addresses wholesale using spambots and/or people stupid enough to fill in random on-line forms accurately, phase two qualifies those addresses by sending stuff to them. Unfortunately, the same people stupid enough to fill in forms willy-nilly are the same people stupid enough to respond to spam. I guess it's just not a good survival characteristic.

If it were possible to establish a contract by sending someone email, we could make the initial harvest very expensive, very quickly by simply embedding the email address in an offer of contract. Unfortunately, the courts have so far decreed that such an event doesn't necessarily entail a "meeting of minds" necessary to establish a contract - even if the email address says "email-to-this-address-costs-USD-1000-in-advance@m ydomain.dom". To me, this makes no sense, kind of analogous to releasing an automated tank and being able to claim that any damage done by it was not deliberate.

Nevertheless, if we can make

Re:This can already be done

[pjrc]

How would I be able to continue doing this under such a system?

Two ways:

1. List your IP number as a valid point of origin for that domain
2. Do not list any IP numbers

The "problem" (for you) occurs if you do not control the domain name, and whomever adds a list of valid sending IP addresses does not include the IP number you are using. In that case, you'd be out of luck.... but so will spammers.

Re:black hole relay...

[tsvk]

Your idea of running fake open proxies for spammers to discover and 'abuse' is not new. There is already software for this purpose. Search for 'proxy honeypot' or 'proxypot' in Google.

In fact, Ronald F. Guilmette who ran the monkeys.com anti-spam website and open proxy blocklist and who was forced to shut down due to DDoS-attacks also ran an extensive network of proxypots to unconver those criminal spammer gangs who regularly abuse open proxies and also to uncover the rouge ISPs who host these criminals and who let the proxy hijackers to be connected.

Mr. Guilmette posted several times to the news.admin.net-abuse.email newsgroup (charter) compiled lists of the top proxy-abuse allowing ISPs and extensive analyses of the proxy-hijackers' operations (examples here, here, here, here and here). This anti-spam work was partly very fruitful, resulting in several ISPs to be outed as spammer-friendly and also being forced to clean up their act.