Slashdot Mirror
SPF Design Frozen
Eric S. Smith writes "SPF, previously mentioned here, is a step closer to becoming a real, live RFC. We are encouraged to publish SPF records and thus to hasten the beginning of the end for annoying spam forgeries. SPF describes DNS TXT records that define the hosts authorized to send mail on behalf of users in your domain. Sites can then consult your SPF records and reject spam forged to look like it comes from you." (SPF stands for "Sender Permitted From.")
I've always wondered how a spam filter system based on authorization might work. Your mail server could automatically send out a verification request to the email address that sent the email, then if the email address exists, an authorization would be sent back to your mail server. All mails that weren't confirmed by a returned authorization could be automatically deleted. This way, you could only get mail from active email addresses. Could cut down on email spoofing because anyone spamming you would have to use a real email address which would allow you to complain to the domain owner. Of course, all mail servers in the world would have to be upgraded to this new protocall for it to work, or everything would be considered spam.
Does any of this make sense?
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
This is a great idea. I'm all in favor of it. I would update my companies DNS to this new standard immediately. But, I envision these issues, correct me if I'm wrong:
1) Increased network traffic at all points - where one mail server gets the email, and the network of the domain being sent from or forged. Imagine how this might increase AOL's or hotmail's network traffic, while they gain nothing from it. Every mail server in the world could be trying to contact their dns servers to check if they allow the mail. I hope you like lag if you use AOL.
2) Spammers tend to use made up domains anyways. This is bad with this method for several reasons. The first being that you will have delayed email receiving times because your mail server will be trying to contact dns servers that don't exist. The timeout would have to be short for this to work.... then on the other hand, if the timeout is too short, and a busy mail server can't respond in time, the email is rejected, which is just as bad as a real email getting flagged as spam, aka a false positive.
While I agree in practice with this technology, I'd like to see how people can solve these issues before I would use it at my company.
Your points are both invalid.
1) Most mail servers already to a return DNS lookup on the IP of who the sender is. (The recived from lines in the headers) DNS takes so little bandwidth compared to normal activity (even compared to the payload of the email it is tiny, not consider all the web browsing, DNS is trivial)
2)DNS works by asking the root servers who owns a domain. The root servers respond either with the DNS for the domain, or with a no such domain. (Ever hear of Verisign's sitefinder? Verisign runs the root servers, and they started saying anything unowned belonged to them) Essentially no overhead is involved in this.
My main spam related problem is that I can't send mail from my residential IP to aol.com, rr.com, and some others. Will this provide such a great spam filter that those ISPs will stop blocking me ? I suspect not, because I suspect those people just want to force me to get a higher priced fixed IP. (I suspect RR doesn't care if I spam for a little side income, as long as I pay more and don't do it enough to cost them more than I am paying.)
Besides my residential IP with its dyndns name, I maintain two other mail servers for small businesses (less than 4 employees each). Is there any reason I should employ this solution ? Do I get anything I don't get by running spamassassin at home and for my clients ?
Come on, sell me on this. However, you have an uphill battle, because my main problem isn't spam, it's the people who treat me like a spammer. (Some analogies to terrorism and John Ashcroft may come to mind.) It costs me and my clients the same whether the network is slow from a spam flood (usually virus related) or not. The human attention factor is not large, with filters applied and updated.
I know I'm going to put the SPF records in as soon as I get a chance, but these statistics aren't terribly optimistic so far:
http://www.infinitepenguins.net/SPF/register.php
This system serves to monitor the take-up of SPF. So far, 274 domains with SPF records are known.
As yet, only a count of registered domains is displayed; more analysis tools will appear once the number of domains increases.
Of these:
84 parse cleanly
0 parse with warnings
173 parse with errors
17 are yet to be checked by this system
Imagine how this might increase AOL's or hotmail's network traffic, while they gain nothing from it.
Well, they do gain, actually -- if the plan works, it will blot out quite a lot of spam. AOL and Hotmail spend an astronomical amount of money dealing with spam in the current situation (it doesn't help that lots of spammers forge AOL or hotmail return addresses... I'm sure those bounces crank out the bandwidth required). If they need to pay for more bandwidth and more servers to support SPF, I have to imagine that will be much cheaper than the manpower they have to support to fight the problem now.
Besides, how much extra bandwidth is really involved? Wouldn't it work like other DNS records, and be cached all over the place?
I don't know enough about the technology to properly address your second point... but I think because we're dealing with DNS servers here (instead of needing to contact the mail servers) this may actually work out. Sure, some people run mail servers from home, etc., but DNS is usually provided free by an ISP; there are also free DNS hosts.
Either way, I'm rooting for it. Spam is killing email.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
Okay, I am not trolling here, I'm serious. This plan will be moderately successful at preventing joe-jobs on unwitting victims. If you control the DNS for a domain, you can say who is allowed to send mail for that domain. Therefore, if a spammer attempts uses your domain in the "From:" header then it will only be delivered to those hosts that are NOT checking the SPF records. That's an important distinction, because getting everybody on the planet to do something is very hard, so this will never completely wipe out the possibility of joe-jobs. And there are the possible negative effects here, for example employees not being able to send company email while on the road without hassle.
But that aside, how does it reduce spam? The spammers will always be able to find a domain to stick in the "From:" header. They can choose to use a domain that they do not control that has not yet added SPF to their DNS or they can choose to use a domain that they control. In either case it's trivial for them to get their mail from their system to yours, and that's all that they really care about anyway -- the "From:" header has always been meaningless to spammers anyway, it's not like they would be forfeiting the ability to receive replies or something.
Note that in the case of using a domain that they don't control, we're back to the issue of "until everyone on the planet does this, there will always be some domain somewhere that can be forged." And even should those run out, spammers can just register anything for $7 a year, or less for bulk registrations. (They already do this when they're playing hosting tricks, to bounce you around from one host to another.)
Now, you might say that at least with this implemented you could discover what those domains are that the spammer is registering for use with his spamming. That is true. But, we've had the concept of a blocklist for ages, that's nothing new. Everyone has ranges of IP addresses that they won't accept mail from, and some very kind organizations have even maintained lists of "bad IP addresses", so you might expect a similar thing to happen with domain names. But all you have to do is look at the current state of blocklists and you'll know this doesn't buy you much. We already have blocklists, and they're riddled with problems. You're back to playing whack-a-mole with the spammers. They make a spam run with example.com, you block example.com; they make another run with example.org, you block example.org. You're always one step behind, while the spam piles up in your inbox. You might make the point that this inconveniences them, but you have to realize how many domains there are out there that are available for forging. The SPF-protected domains will be the vast minority of all domains for the forseeable future.
So, in summary: This might be moderately effective at preventing joe-jobs. It will not make a significant change, however, until everyone on the face of the earth that's not a spammer both updates their DNS and updates their MTA software to check these records. The likelyhood of this happening any time soon is quite small. And even if this were to happen, the spammers would still be able to deliver piles and piles of garbage to your inbox though domains that they control. You're back to blocklisting, which we've had for quite some time now.
So, I ask seriously, what does this do to combat spam that is really all that significant? I applaud any developments on the antispam frontier, but let's not get too carried away with visions of this somehow "plugging the insecure SMTP hole", or anything remotely resembling it.
From a security standpoint, this is a dumb idea. Really dumb. It's stupid, open to a ton of attacks, and does diddly about spam. However, it's probably going to get some popularity for the following reasons:
* Folks hate spam, and will glom onto anything that claims to reduce it with the gullibility of a cancer victim being scammed by a faith healer.
* It's easy for IT folks to implement. The CIO can say that he "implemented an initiative to reduce the most frequent user complaint, saving the company N dollars". He doesn't give a damn about whether he actually *accomplishes* anything, just whether it looks good.
* SPF is a pet project of someone. Obviously not someone who's a security person, but someone.
* There's money in it for consultants. The firewall craze made many many people very much money. The promise of a *new* even less useful system that can be used to pry money from companies is quite appealing.
Things that *could* reasonably be done to combat spam:
* Limit email amplification.
* Require one of a number of pay or auth systems for email.
* Whitelisting
* Allowing clients to publish rules to mail servers (so that a client whitelist, for instance, would allow a server to avoid soaking up any bandwidth at all...this would be a useful set of IMAP extensions).
Frankly, unless a bunch of engineers get together and put out a *useful* RFC (i.e. not this crap) a la PNG, there's probably going to be an industry consortium that decides what to do. And standards committes have an awfully low rate of getting-it-right.
May we never see th
Some people here have complained that this might not work because everyone on the planet would need to use it and even then spammers could use their own domains.
Certainly it's true that nearly everyone will need to get on board for this to work. Fortunately, it should be an easy update on both the MTA and DNS ends.
The real advantage here, I think, is that it will make filtering and blacklisting much easier. Instead of trying to filter on 18 zillion weird rules and scads of IP addresses, some of which may have some valid users, you just need to filter on domain names.
For this to work, we will need one or more trustworthy registries of bad domain names. And it should probably be distributed, with a way to continually update it by automatically propagating the list of bad domains to all clients. There should be a way to get a domain into the blacklist very quickly if anyone receives spam from that domain.
Alternatively, a system could be in place to treat all new domains as bad by default. That has obvious problems though -- how would you get your domain trusted? Would it require a VeriSign like identification process? I would oppose that -- I think people should be able to buy domains and freely run email servers on them without paying some central "authority."
My biggest concern with this idea is that I run a domain where I give out POP email addresses to people. I'm still trying to figure out how that will affect me.
If they couldn't get consensus inside the IRTF's spam working group, what makes them think they can get it in the IETF community at large (I love the note to the RFC editor - HA)
I have mod points and I am not afraid to use them
My home ISP is SBC, and while they may let me send mail through mail.swbell.net, chances are that's not the name of the outward-facing ring of mail servers they have (I am assuming they actually built an enterprise-class mail service, of course, which is a lot to assume about SBC).
How do I get all the names of their outward facing servers, which may not leave my original mail.swbell.net in headers as my first stop?
Speaking of editing headers, what's to stop the Asian remailers from having their servers generate fake preceding headers using legit server names and faked user names? Or even real user names, when they find them or want to get someone in trouble? If they claim to be downchain of a legit sender, what help is SPF?
Get off my launchpad!
That's it. That's really it, at least for publishing your permissions. So simple I already did it for my domains.
http://www.ietf.org/internet-drafts/draft-danisch- dns-rr-smtp-03.txt
http://www.danisch.de/software/rmx/
Without this default ("v=spf1 a mx ptr -all"), spammers will be able to find domains that don't use SPF.
SPF is all well and good if you intend to have all of your users send mail through your short list of approved hosts. Some places can swing this. Good for them.
I have run a vanity domain for myself and a handful of friends from high school since the mid 90s. They use their vanity accounts to get mail, since it forwards to wherever they happen to be now. I want them to be able to send mail as those accounts, but SPF won't let that happen.
The SPF-approved answer is "have them relay through you with something like authenticated SMTP". Yeah, right. I'm not about to open up a bunch of extra crap on my mail server for a handful of people who run around and do stuff all over the world at times.
With SPF, I either cut a huge hole for my entire domain for every network one of my friends happens to inhabit, or I screw all of them by limiting it to my own personal network. There's no middle ground, and it puts me in a bad spot.
I'd much rather say user A is allowed to send mail from network A, user B from network B, and so on. That would let my friends send mail from a few designated places without any trouble. For the true globetrotters, I'd just disable all network restrictions on their address at the expense of possible spoofing.
Everyone seems to be hung up on things like SPF because it uses DNS, so they don't have to write a new protocol, servers, or clients. That makes it very tempting, and that's why this article is here.
The registry was only actually completed today; the parser wasn't fully operational before that (it was just online for testing).
Unfortunately some of you caught the parser while it was buggy... it *should* be fine now.
It's also correct that some of the records were produced before the standard was finalised. All these bugs should now be out of the system (I'm going to regret saying that)...
It's probably not obvious (see also: article on /.) but those stats are voluntary ones based on people that -might- have read the mailing list that -might- have put something into a web form.
It is certainly not exhaustive.
http://fudge.org
A lot of folks have commented that this won't do anything to reduce spam, because spammers will just register new domains and send from those.
But, those new domains won't have any data in people's Bayesian corpus; they will be neutral in affecting spam probability scores.
On the other hand, domains that publish SPF records will be protecting their domain names, which means that those domain name tokens in people's Bayesian corpuses will count positively towards the message not being spam.
In other words, publishing SPF records for your domain can keep your domain from becoming a spam keyword in Bayesian filtering. I think this will likely improve the effectiveness of Bayesian filters overall.
SPF isn't a silver bullet -- and does not claim to be -- but every little bit helps.
this requires too many levels of parsing and difficulty on the client. it also "tells too much", a better answer involves knowing the IP and the return-path and examining:
:)
1.0.0.10._spf.example.com
for a "valid" record. existing RBL-publishing software can be used, existing RBL-scanning clients can be used, we won't need to set up DNS-over-TCP servers, and we don't give any information we don't have to.
note, and this is very important. what we're looking for is what would better be called a "reverse MX"-- something that describes where mail _comes_from_ so users with separate mail-clusters for outbound and inbound can identify themselves
as such.
RR's are dumb anyway...
Advantages:
* utilizes DNS compression for what it's worth
* no fancy parsing required
* no new levels of indirection
* no sendmail-style configuration barf
* doesn't publish anything special
Disadvantages:
* doesn't require thirty pages to describe
A lot of spam is supposedly coming from compromised hosts. Those systems will probably have a SMTP server on the local network that can be used. It is probably even already configured with the configuration easily found (outlook/mozilla/etc?). So, the software, instead of running it's own SMTP server, looks up the configured one and uses that, with a made-up account name on that server.
You still get the spam, it even looks more authentic!
Jason
Like whitelisting, SPF works for a while.
Then the spammers build up a database of SPF information, and whenever they get access to a server to spam through, they make their software use one of the correct SPF-allowed domains for that server, to generate the fake From: addresses.
e.g. they 0wn 1000 Windows boxes of Comcast users, so they look up the SPF info from Comcast's DNS records, and use those domains to generate the fake e-mail addresses when spamming using those 0wn3d boxes. When spamming via their collection of open relays in China, they use SPF-valid From: addresses for those open relays.
In short, SPF provides zero protection once spammers work out how it works and build the necessary database into their spamware, which I reckon will take them maybe a week. That's assuming enough people even deploy it to make it worth hacking around in the first place.
Believe me, I wish something as simple as SPF could stop spam. I have no position in the anti-spam world to protect; the stuff is nothing but a nuisance and time sink to me.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Early versions of SPF actually had reverse lookups like 1.0.0.10._spf.example.com. I actually like the new TXT format better since it is more flexible and easier to write for most domains.
:)
There is a careful tradeoff between "too simple" and "too complex". I have seen other similar proposals doomed by getting too complex, because they bow to what the users want and then nobody wants to write the code. At the same time I have seen proposals doomed because they were not flexible enough to handle most cases.
If you're looking for "something that describes where mail _comes_from_ so users with separate mail-clusters for outbound and inbound can identify themselves" - SPF is it, exactly. With SPF you CAN do reverse-IP style lookups like DNSBLs do, but for most domains it will be easier to just say "v=spf1 +mx +ptr +include:rr.com -all" which basically means "Allow from my MX, and anything with a verified PTR-DNS name in my domain, plus also allow from rr.com"
Anyway, I think SPF is a good compromise between simple and useful -- it is not too simple to be useless and not too complicated to get adopted. I think so far the plug-ins for SpamAssassin, Sendmail, qmail etc. have taken on the average "a few hours" to write.
Yes, it is similar to RMX, DMP, and MS. For my money, I don't care that much which proposal wins as long as we do SOMETHING. Cleaning up all forged mail is going to take a long time, so we should get started NOW
But didn't Coppertone standardized SPF over 20 years ago?!
-- thinkyhead software and media