Spoofed From: Prevention
An anonymous reader writes "It looks like the next promising advance in the war on spam is here! Introducing SPF: Sender Permitted From. A draft RFC is still being written, but the idea is simple: we can prevent forged emails by having domain owners publish a list of IP addresses authorized to send mail from their domain. It's no silver bullet, but how much spam can we eliminate by preventing forged mail from spoofed domains? Maybe we really don't need anti-spam legislation after all? The SPF site is chock-full of juicy info for our reading enjoyment. Bon appetit!" Interestingly, the to-do list mentions the possibility of seeking a defensive patent on this scheme, too.
Running a mail server is a lot of work; providing SSL and SMTP AUTH isn't much more.
I'm not sure this would work very well, but having more ISPs support SSL and SMTP AUTH doesn't sound like a terrible thing even if it doesn't.
Presumably, the body responsible for the domain would be responsible for authenticating users to ensure that they are not spoofing before it comes out of their domain. Unfortunately, this would lead to even more ISPs taking the AOL-esque tactic of stopping anyone from setting up a mail server, forcing all outbound mail to pass through the ISP's servers.
This would also cause serious problems for mobile users -- if I'm on the road, who knows what ISP I'll be connecting to. However, I probably want my From: address to stay the same no matter where I'm connected.
This solution doesn't seem likely to make a serious dent in the flow of spam, and would likely add unwanted restrictions to the actions of users. As such, it seems unwise.
It doesn't solve the whole problem of spam, no. It's one possible way to deal with one particular aspect of the problem: forging From addresses will become harder. This is a major annoyance and it'd be good to have the hole closed.
GROGGS: alive and well and living in
Yes, having information on which SMTP servers are the expected and typical mail "emitters" for a given domain would help reduce (not eliminate) spam.
But the number of cases where users "forge" their from lines for perfectly innocent reasons is huge. Everyone here can probably think of a few cases. Here's one to get you started: "I'm working from home today but I don't want replies to my business email sent to my home account."
Of course, they've covered that in their FAQ. Their answer boils down to: "Tough noogies. You have to suffer the inconvenience and change your behavior because I don't want to suffer the inconvenience of spam."
This, alas, is typical of the disdainful, anti-user mentality that one finds in too many anti-spam efforts.
Here's a clue: want an anti-spam solution to work? Then start from the idea that it needs to make the life of the end user easier, not harder.
Of course, I'm biased. See my sig.
This is not much different than those who feel that they should be allowed to run open relays. They will end up on DNS blacklists and others may choose not to accept mail from them. Their server, their rules. No one is forcing anyone to close open relays, and no one is forcing anyone to accept email from everyone.
SPF support for most open source mail servers can be found at libspf2.
This could do wonders... One of the ways that the latest email viruses/worms have been so effective is that they tend now to randomly spoof the from lines after mining valid emails so that it's harder to figure out *who* it is that is sending you the infected email.... If this system were globally in place, email worms like Sobig and Blaster would have never gotten as big as they did, so easily...
"Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms,
He mentions the Travelling Mailman problem, that of being able to use your home e-mail address while not on your home network. His solution, having your home mailserver use authentication so that you always send via it, has its own problem. The problem is Windows malware that e-mails itself out. Several large ISPs have responded to this by prohibiting the use of any mailserver but their own from inside their network. This puts me in a quandary: I wouldn't be able to use my domain while on my ISP's (Cox Cable) network because SPF would reject it, and I can't use my domain's mailserver because my ISP won't let me connect to it. This is, IMHO, a fatal flaw in the scheme.