Lead Developer of SPF Anti-Spam Scheme Interviewed

penciling_in writes "CircleID has a great two-part interview with Meng Wong, lead developer of the anti-spam authentication scheme Sender Policy Framework (SPF). He has responded to various questions (which also touches on issues previously raised by Slashdot folks), including the merger with Microsoft's Caller ID, incompatibility of SPF with email forwarding services, and what he thinks about Yahoo's DomainKeys, as well as where he believes the fight against spam is headed. (He has also confirmed that the name SPF and references to sunblock are intentional!) In response to the first question in the interview on how SPF got started, Meng says: 'In 2002 Paul Vixie, the brains behind BIND, wrote a short paper titled 'Repudiating Mail-From'. That inspired two other proposals, 'Reverse MX' by Hadmut Danisch and 'Designated Mailer Protocol' by Gordon Fecyk. In late 2003 I combined the best of both proposals and called the result SPF.' Vixie replies to this reference in comments following the first article."

Re:SMTP

[random_culchie]

No these schemes are designed to work with SMTP.
It would be very difficult to replace something as as popular as SMTP. It would at least have to be backwards compatible with SMTP which means it would expose itself to the same problems as SMTP.
IMO SMTP does a good job apart from its obivous faults.

If I got $0.01

[Senator+Bozo]

for every article about new anti-spam schemes, I would now be richer than I would have been had I gotten $0.01 for every spam mail urging me to buy penis-enhancing pills.

Re:If I got $0.01

[Bigby]

Does this anti-spam article have anything to do with the SPF lifeguards on Son of a Beach?

SPF

[pubjames]

My understanding of SPF is this:

the recipient checks that the sender has authoritiy to send out email for the domain, i.e. if you send an email from whatever.com via SMTP server 123.123.123.123, the recipient checks that 123.123.123.123 has the authority to send email for whatever.com by checking it's SPF record (which similar to an ordinary DNS record).

So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?

Re:SPF

[arr28]

So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?

When SPF discovers that a domain doesn't have an SPF record, it returns a code that says just that. The recipient chooses what to do next. So it is conceivable that once SPF uptake is near universal, some people may choose to reject mail from domains without a record. However, that's some way off yet.

Re:SPF

[merlyn]

The default is "permissive, use OTHER means to detect spam". So the system is entirely voluntary for participation. No "flag day".

However, right now, if someone claims to be "@stonehenge.com", and sends that mail from somewhere other than the machines from which such mail should originate, any SPF-checking-recipient will rightfully reject such mail. That's because I took about five minutes to add the right SPF record to my server.

SPF is not a comprehensive solution. It's merely a solution to help us from getting joe-jobbed, having spam "appear" to come from us. Until you voluntarily add SPF records for your domain, you will continute to get joe-jobbed unknowingly.

Re:SPF

[a24061]

I work from home a lot, so some of my e-mails sent from home have my personal address (which happens to be with my ISP) but some of them have my work from-address. Wouldn't this system obstruct that?

Also, many people use a different e-mail address from their ISP but are forced to route their mail through their ISP's SMTP server. How would they get around SPF?

Re:SPF

[IceFreak2000]

That's precisely my concern as well.

Re:SPF

[pjrc]

the recipient checks that the sender has authoritiy to send out email for the domain.....

Yep, that's right

So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?

Nope, that's wrong.

Messages only get rejected when a SPF does exist for the claimed domain and the MTA transmitting the message is not a valid sender for the claimed domain. Messages are NOT rejected simply because the claimed domain fails to publish a SPF record.

If you do not publish a SPF record, no messages claiming to be from your domain get rejected. This is true today, and it is likely to remain true even after SPF is widely deployed.

Of course, if you have a domain name, it is certainly in your best interest to publish a SPF record. Well, that is if your all email transmits from certain servers or one of the many other very flexible ways SPF's syntax can specify. Publishing a SPF record is the only way you can cause SPF-aware receivers to reject messages that claim to be from your domain, but are actually forged by spammers, virus programs, phishing scammers, and so on.

Re:SPF

[eraserewind]

How about those of us who don't own IP adresses? Does it allow us to use something else, like digital signing with a hidden key whose pair is regestered in the DNS?

Re:SPF

[RollingThunder]

I believe that an ISP could decide to bounce if a domain has no SPF record, but that's true BOFH territory and would break their mailserver pretty badly.

Re:SPF

[Hellkitten]

some of them have my work from-address. Wouldn't this system obstruct that?

Only if you don't send them through your job email server

Also, many people use a different e-mail address from their ISP but are forced to route their mail through their ISP's SMTP server. How would they get around SPF?

Tunneling / Adding your ISPs mail server to your works SPF info / Asking your ISP nicely

Re:SPF

[pjrc]

How about those of us who don't own IP adresses? Does it allow us to use something else,

Yes, it is very flexible, with many other alternatives.

like digital signing with a hidden key whose pair is regestered in the DNS?

This isn't an option, but there are many alternatives.

Firstly, you must own a domain name. If you don't have a domain name and you're sending email using someone else's domain name, you need to contact the adminstrator for the domain you are using.

Let's assume you have a domain name, you're running your own mail server, and a dynamic IP number assigned by your ISP. To make this work, you're already publishing DNS records for your domain that get updated every time your IP number changes. If your server transmits your mail, SPF is much easier than what you're already forced to do... just publish "v=spf1 mx -all", meaning that all messages come from your server.

Suppose you're not really running your own server. Maybe someone else receives for you and forwards the messages. This is common with "vanity domains" (a name specific to you). Maybe when you transmit, you relay through your ISP. In that case, you could use the "include" type if your ISP publishes a SPF record, or if you know the IPs of their servers you could specify their IP number, or if you only know the netblock assigned to your ISP, you could "ip4" with a mask for all your ISP's IP range.

Or maybe you transmit directly from your dynamic IP number without relaying through your ISP. Again, SPF can handle that too... as long as you know the range of IPs your ISP uses to assign for you. Just use the "ip4" type with a mask (or mulitple "ip4" if you ISP assigns from more than one pool of IP numbers).

Whatever you do, you can specify additional methods to cover the other possible cases, so that your messages won't get rejected.

Re:SPF

[Antique+Geekmeister]

Your understanding is close. Those domains that *decide to* publish SPF records, Microsoft CID tickets, etc. will do so. The new software proposals will support both, although the SPF domain setup is vastly lighter weight.

For the foreseeable future, if you don't publish SPF, your email will still work. But if you do publish SPF, you help prevent forgery of your domain's name by spammers, people doing "joe jobs" to get you in trouble, and all the damn virus and worm email lately that pretends to be from you and gets you all the irritating bounces.

Because SPF acts in the first few packets sent in forged email, in the "MAIL FROM" line of SMTP transmissions that is normally processed via DNS to list the claimed name of the incoming host and its real domain name, there's very, very little extra processing and you can drop blocked connections extremely quickly. This can save a huge load from your mail server, which is a huge deal for domains like aol.com and hotmail.com and big sites whose mail servers are being hammered.

Remember, over 50% of all email is now spam. Anything so lightweight that will block so much of it for those of us who use that tool, and force the rest of the email to be so much more easily tracked as being from a forgery friendly domain, is a big deal. This also helps put a spike in the growth of "zombied" machines, by helping prevent them from being able to forge valid user's domains. Coupled with mail servers that insist that your domain does, in fact, exist in order to claim that your mail is from a real domain, it helps quite a lot.

Re:SPF

[a24061]

Only if you don't send them through your job email server

You can't do this if your ISP is blocking port 25 out and forcing you to go through its own mailrouters. And that's just the sort of ISP that would not be interested in helping you out with SPF.

Re:SPF

[Hellkitten]

You can't do this if your ISP is blocking port 25 out and forcing you to go through its own mailrouters.

See the last paragraph of the post you replied to, and add the option "Changing ISP"

Re:SPF

If you get your work to list your ISPs outbound mailservers as permitted, you will be fine.

If a business is going to get into the SPF game, I think it would be entirely reasonable for them to list all local ISPs - it is but a tiny drop in the ocean of outbound mailservers.

So - folks from those ISPs would be able to spam with a company from-address.

Cheers, Andy! [posting anonymously to preserve my moderation]

Re:SPF

You can't do this if your ISP is blocking port 25 out and forcing you to go through its own mailrouters.

ssh -L 25:work.mail.server:25 work.machine

Job Done.

Re:SPF

[arth1]

Messages only get rejected when a SPF does exist for the claimed domain and the MTA transmitting the message is not a valid sender for the claimed domain. Messages are NOT rejected simply because the claimed domain fails to publish a SPF record.

If you do not publish a SPF record, no messages claiming to be from your domain get rejected. This is true today, and it is likely to remain true even after SPF is widely deployed.

How is this supposed to stop spam, then? The spammers will simply make sure they use a domain that doesn't have SPF records.

--
*Art

Re:SPF

[squiggleslash]

Remember, over 50% of all email is now spam. Anything so lightweight that will block so much of it for those of us who use that tool, and force the rest of the email to be so much more easily tracked as being from a forgery friendly domain, is a big deal.

While over 50% of all email may be spam, it's doubtful that over 50% of all email comprises of joe-jobs. Certainly, that's not reflected in my Yahoo Bulk mail folder.

Please remember that despite the enthusiastic over selling of SPF's proponents, SPF is not an anti-spam system and shouldn't be viewed as one. It's an anti-joe-job system. In some ways, it's sorely needed, but if anyone expects this to make any kind of major dent in the volumes of spam these days, they're likely to be majorly disappointed.

Re:SPF

[Joe+U]

Simple, set your anti-spam filtering software to favor SPF publishers.

Here's a overly simple example:
Assume all mail gets bounced with a score over 5.

Email Text:
Buy some Herbal Viagra (tm) at http://scam.artist
-----------

Keyword 'Viagra' +5
Valid SPF record -2
Total score: 3

Keyword 'Viagra' +5
No spf record 0
Total score: 5

Keyword 'Viagra' +5
Invalid SPF record: +10
Total score: 15

Re:SPF

[Not_Wiggins]

Couldn't setting up an SPF record lead to another kind of DOS attack?

As a spammer, I could joe-job you, and even if the spam is rejected as not originating from "you," I could (potentially?) bring your server to its knees handling SPF record requests.

Or, would this be impractical anyway, given the nature of the checks?

Re:SPF

[Smallpond]

I would much rather serve 1 million TXT requests then get 1 million bounced emails and my domain listed in hundreds of blacklists.

Re:SPF

[chris_mahan]

And what about zombie boxes where outlook is cheerlfully spewing forth spam at near lightspeed from a valid user email account?

Will Silly sPam Fighter help then?

I say we need to have a no-email week. Send everything to dev/null.

The only way to deal with spammer is by forcing the government to hand out 10 year prison sentences for spammers. Send 1000 emails in one day, go to jail.

First offense: Letter in the mail.

Second offense: a visit by 2 FBI agents.

Third offence: get a lawyer and some K-Y jelly, you're gonna need it.

If your PC is zombied, and you do nothing the first 2 times, you still go to jail. It's like buying a gun, not locking it, and your little brother takes it to school. The first time you get a stern lecture. The second time you'll get charged with child endangerment.

Spam from foreign contries: Block all email from that country for 90 days at a time once more than 1000 spams have been received. The foreign government will take extraordinary measures to punish the culprits and reestablish communication with the US. They would lose millions per day if email did not come through.

Now, some might say these are drastic measures. And they may spell the end of email. Well, wake up and smell the coffee. Email as we know it is gettting to be too expensive for the benefit it provides.

Re:SPF

[jrumney]

Asking your ISP nicely

Your ISP can't do a thing about what senders are valid for your work email address.

The real solution is to convince your work of the need to be able to send from other addresses and get them to end their SPF record with ?all (neutral) instead of -all (hard fail).

Re:SPF

[JuggleGeek]

How is this supposed to stop spam, then? It doesn't stop spam. Paul Vixie posted a comment which can be found at the end of the article. In part, he says...

No "designated sender scheme" will ever be able to cut down the amount of spam that's sent, or received. All it can do is help domain holders avoid the brand dilution of having their domain name forged by spammers. This is a valuable contribution, but we must make it clear that none of these schemes will stop or even slow spam, and that their benefits accrue to domain holders, not to spam recipients.

I myself believe it will help, as any time spam tries to forge itself, if the SPF shows that it's fake, it can be tossed at will. Domains without SPF could be given higher "spam ratings" in spam detection software. Spammers, of course, can set up domains themselves, publish the SPF, and go that route - but they won't like that as it doesn't help them hide like the cockroaches they are. Their domains will quickly be blacklisted, too.

I figure anything we can do that makes it harder for them to hide, and easier for us to sort the legitimate email from the crap, the closer we are to a solution. This isn't a solution - it's a step towards a solution. But it's a good step.

Re:SPF

[Xenophon+Fenderson,]

You can't do this if your ISP is blocking port 25 out and forcing you to go through its own mailrouters.

What about VPN? I POP my work email to my laptop, but every time I check mail, I'm on the VPN so as to avoid any (well-meaning) transport filtering along the way. Besides, the admins of the mail system in question haven't figured out SMTP/TLS, POP3S, or IMAPS yet, and I don't want my unencrypted login going out over the Internet.

Re:SPF

[craters]

This also helps put a spike in the growth of "zombied" machines,

I thought spikes were for vampires, not zombies. Hopefully I'll never have a 'vampired' machine. I couldn't deal with all the blood sucking from my fingertips. :-)

Re:SPF

[walt-sjc]

Yes you can if your work has it's email setup correcly with the SMTP Submission port (587) which is designed EXACTLY for this reason. Trivial to do with most clients and servers (exim on your home gateway and / or work server for example.)

Re:SPF

[WuphonsReach]

but some of them have my work from-address.

You should be VPN'ing into your work LAN and sending the work e-mails via your employer's SMTP server. If you're officially working from home, then the company is responsible for making sure that you are able to do so. (Such as being able to send e-mail out as an agent on behalf of the company.)

But that's only if your employer publishes restrictive SPF records for their domain. If they choose not to publish, well, nobody is forcing them to. Your company just won't get the benefits of being protected from joe-jobs (or being able to point at SPF records to disprove a job-job attack).

AOL and some of the other large ISPs already have rules in place requiring companies to whitelist their outbound e-mail servers. This is just a better system of doing so, where the information gets stored in DNS under your direct control, rather then having to register with every ISP on the planet.

Re:SPF

[arth1]

I myself believe it will help, as any time spam tries to forge itself, if the SPF shows that it's fake, it can be tossed at will. Domains without SPF could be given higher "spam ratings" in spam detection software.

In that case, there is an unfair penalty to those of us who can't use SPF, and we risk getting our legitimate email blocked. Which makes me question whether this is really an altruistic effort from Meng Wong and Microsoft, or just a method to capitalize on the spam problem, proposing a solution that will push itself, due to it disfavouring those who opt not to use it.

Regards,
--
*Art

Re:SPF

[0x0d0a]

For the foreseeable future, if you don't publish SPF, your email will still work.

This is another thing wrong with SPF.

For a protocol to work on the vastly disorganized and chaotic Internet, it needs to work when members are not fully compliant with the protocol or are acting oddly.

SPF is much like the existing massive effort to try to stop open relays (which has been going on for a long time and clearly has not stopped spam). Both methods are predicated on being able to make everyone fully and correctly implement the behavior for *anyone* to benefit -- or else spam still comes through.

SPF isn't even a good anti joe-job tool, because almost all the time a joe-job/phishing scheme goes on, people don't have a mental mapping from the institution ("Citibank") to all the domains and subcontractors that might be used ("citibank.com"? How about "citibank-customerservice.com"?) I guarantee you that my mother would fall for "citibank.banksystems.net"). Regular Joes aren't familiar with the DNS structure, and in any event, administrative and political structures don't always maintain a hierarchical flow that maps to DNS. I'm sure the registrars would love to push a "register everything spelled like, based on, or sounding like your domain!" solution -- it's wildly impractical.

Remember, over 50% of all email is now spam. Anything so lightweight that will block so much of it for those of us who use that tool, and force the rest of the email to be so much more easily tracked as being from a forgery friendly domain, is a big deal. This also helps put a spike in the growth of "zombied" machines, by helping prevent them from being able to forge valid user's domains. Coupled with mail servers that insist that your domain does, in fact, exist in order to claim that your mail is from a real domain, it helps quite a lot.

The problem is that you're making the (known wrong) assumption that spammers do not adapt and use new tools. Remember the Baysian filtering advocates, that were *sure* that spam was at an end? No, new tools just went out. Yeah, at the time SPF is deployed, a lot of people won't be using updated tools. How long do you think that will last? Even the SPF people's FAQ talks about the fact that they know that SPF isn't sufficient. Where I disagree with the SPF people is that they at least view SPF as a good foundational tool to help build systems that might potentially stop spam someday on. I see SPF as an extremely weak, course-grained, and ill-thought-out authentication system.

Re:SPF

[0x0d0a]

SPF is not a comprehensive solution.

Agreed.

It's merely a solution to help us from getting joe-jobbed, having spam "appear" to come from us. Until you voluntarily add SPF records for your domain, you will continute to get joe-jobbed unknowingly

No. SPF does not even do this. For this to happen, the following must occur:

(a) The user must be able to know that email that originates from a server is trusted in content. SPF cannot do anything below domain granularity. If a machine on an "authorized-to-send-mail" IP is compromised, it can send mail, and with most setups out there, mail that looks like it's coming from anyone at the company. Break #1 WRT SPF as an anti-joe-jobbing mechanism -- SPF relies on an invalid assumption that anyone that can send email through a server is trusted. Existing systems like PGP or S/MIME are much more appropriate for this, as they have end-user granularity rather than domain granularity.

(b) The user must have a mental mapping between the institution involved and all domains and contractor domains involved with that institution. This is not currently present. My mother will believe that "Citibank" stuff is legitimate if it comes not only from "citibank.com", but "citibank.net", and more esoteric stuff like "citibank-customerservice.com" or "citibank.bankingsystems.com". This is SPF-as-an-anti-joe-job-mechanism break #2 -- a required mental mapping between institution name and domains are not present.

(c) SPF is broken in a number of ways as an authentication scheme for domains. It uses DNS as a transport (not secure, and makes very little sense, given the limitations of DNS WRT what SPF is trying to do) without attempting to establish a secure transport on top. It uses IP-based authentication for the mail system (did *nobody* learn from the days of the r-services and IP authentication leading to horrible security breeches) *as well* as to the authentication server (the DNS system). This is a third break as an anti-joe-job tool -- just because a domain may be trusted does not mean that the message that you are reciving is a legitimate message from that domain.

SPF is largely, as a friend of mine would put it, a masturbatory system. It lets corporations claim that they're "doing something" about spam, and CIOs feel good about what they're doing. It will employ many sysadmins for a long time who will keep tweaking it in the hope that the next adjustment or just one more deployement will be that Holy Grail to stop spam. In reality, it merely breaks existing functionality and diverts resources and research from legitimate anti-spam efforts, like client-to-client encrytion/signing deployment.

Re:SPF

[0x0d0a]

Messages only get rejected when a SPF does exist for the claimed domain and the MTA transmitting the message is not a valid sender for the claimed domain. Messages are NOT rejected simply because the claimed domain fails to publish a SPF record.

Mail servers certainly *can* do this. Every person that claims that SPF can eliminate spam claims that this will at least eventually happen.

Re:SPF

One solution is to have your company open up port 587 for your ISP and allow you to send authenticated email via that port.

Re:SPF

[Hellkitten]

Your ISP can't do a thing about what senders are valid for your work email address.

When i said ask them nicely I ment it. You just didn't realize what you're supposed to ask. You need to explain to them (politely) that you need to access port 25 on your work mailserver or they will lose you business for selling incomplete access to the internet. Depending on their policy they will let your traffic through or you'll have to look for other ISPs, if the terms and conditions you signed up for didn't say anything about sertain traffic beeing blocked you probably could get out of any contract you have with them easily

Unfortunately that's not an option for everyone so you could also try tunneling the traffic into your work server (ssh vpn whatever), or get the ISP mailserver added to the company SPF. Yet another possibility is to use dialup to connect to work, just for sending mail.

Re:SPF

[ahodgson]

There is no one who "can't use SPF". If your DNS provider doesn't support it, make them support it or leave. It's not like it's hard to find someone competent to do DNS for you.

Besides, it will take a certain adoption rate before people start blindly blocking non-SPF-compliant domains.

Re:SPF

[JuggleGeek]

In that case, there is an unfair penalty to those of us who can't use SPF, and we risk getting our legitimate email blocked.

I don't think I said what you think I said.

If you send mail from a domain which says "Yes, we are SPF compliant" then systems receiving that mail can check, and toss any noncompliant mail, knowing it's forged. If your domain doesn't publish SPF records, nothing has changed - spammers (or anyone who wants) can still forge your domain at will, and systems are going to continue to accept your mail. The primary incentive is to make it harder for people to forge your domain, and easy for people receiving mail to tell if the mail from your domain is legitimate, or faked.

Eventually, *if* SPF gets a very wide user base, then mail servers (receiving mail) could just dump noncompliant mail - but that seems very unlikely unless essentially every legitimate domain was already SPF compliant. More likely, at that point antispam software would use that information as *one* data-point in deciding if it was spam or not. That wouldn't be the deciding factor, it would be one of many.

When you say "those of us who can't use SPF", I'm not sure who you mean. I log on via SWBell DSL, in Dallas, using a dynamic IP. My domains mail server is run by a friend, out of state. When I send mail, I send it through that server, using SMTP-AUTH. SPF records will show that for my domain, the IP of my mailserver is the only legitimate IP. When spammers forge my domain, it's to my advantage if people can easily (automatically) check and dump the forgeries. They aren't good to anyone but spammers. And what, as things stand, keeps your mail from being blocked as spam? People already use blacklists, antispam tools that essentially guess "Looks like spam" or "looks OK", and similar things. Your mail can already be blocked, even if it's legitimate.

BTW, forgeries aren't rare. They happen with my domain every day - usually by an online pharmacy. Currently, http://www.dslk1.com/ is forging my domain.

Re:SPF

[arth1]

There is no one who "can't use SPF". If your DNS provider doesn't support it, make them support it or leave. It's not like it's hard to find someone competent to do DNS for you.

"Can't use SPF" doesn't only imply technical ineptitude -- there's mail services that SPF breaks (including, but not limited to remailers and MTAs behind strict firewalls), and thus SPF can not always be used for service or policy reasons.

As for changing DNS hosting, that won't help if you have to go through upstream mail hosts not under your control. Like millions of cable users without affordable broadband alternatives have to cope with.

If someone wants to launch an alternative email service like this, fine -- just don't force it on SMTP email. It's not entirely compatible with the current standards.

--
*Art

Re:SPF

Thank god, Thank you.

The sane voices against SPF need to unite, but it is a losing proposition because those against will be accused of "not wanting to do the right thing".

Little will people realize that with both Iraq and SPF their freedom is taken away because of one person's pet peeve.

Why do I need a Microsoft license for this?

[dpotter]

Quick Google search on "senderid" (the name of the merged CallerID and SPF protocols) yielded a link to Microsoft's description of thbe protocol, including a link to their implementation license (Acrobat doc).

IANAL, but the text of this agreement seems to indicate that this implementation license applies to any products that "implement and are compliant with" Sender ID (section 1.2), and that Microsoft may subsequently terminate the license (section 3).

Anybody familiar with this? Is there a RFC for Sender ID?

Re:Why do I need a Microsoft license for this?

[arr28]

Anybody familiar with this? Is there a RFC for Sender ID?

See the RFC background reading page for links to SPF RFCs. To the best of my knowledge there is no SenderID RFC yet.

In the mean time (and it may be some time), it is advised that SPF records are published since Microsoft has agreed that SenderID will be back compatible with such records.

Re:Why do I need a Microsoft license for this?

[arr28]

IANAL, but the text of this agreement seems to indicate that this implementation license applies to any products that "implement and are compliant with" Sender ID (section 1.2), and that Microsoft may subsequently terminate the license (section 3).

IANAL either but SPF predates Sender ID and the details were made public without licensing requirements. Therefore, I'm pretty sure that most jurisdications won't require you to have a license from Microsoft or anybody else to implement SPF.

Remember, there are already over 20,000 domains publishing with SPF plugins for the major MTAs. Just pop over to pobox for details.

Re:Why do I need a Microsoft license for this?

A new IETF Working Group (WG) has been formed to look into the subject and may eventually produce some RFCs. The WG will have its first meeting during the next IETF meeting in San Diego, Aug 1-6, 2004.

While it's not a RFC yet and nothing has been finalized, here's the latest on the subject in terms of a draft submitted by both Wong and MS:

http://www.ietf.org/internet-drafts/draft-ietf-m ar id-core-01.txt

Some related documents:
http://www.ietf.org/internet-drafts/dr aft-ietf-mar id-rationale-00.txt
http://www.ietf.org/internet- drafts/draft-ietf-mar id-csv-csa-00.txt
http://www.ietf.org/internet-dr afts/draft-ietf-mar id-csv-intro-00.txt

As for why you'd need a license for this, it may the case that MS has a number of pending patents on the concept (orginally termed Caller ID) and the license mentioned prior is meant to assure people that if this makes it out there as a standard, they will have a license to practice with having to pay royalties. How much trust can you put in that ...

Re:Why do I need a Microsoft license for this?

XML has no place in DNS records, CallerID is the Microsoft way of gatecrashing the party. When we do need to extend SPF, Microsoft gets to flex its patent muscle; the same tatics it used against OpenGL once it had sufficient market penetration with Direct3D. I'm sure Microsoft engineers (hangers on, paid whores etc..) are fine folks, but when you enter into dealings with Redmond, you've got to expect the worst.

Re:Why do I need a Microsoft license for this?

[0x0d0a]

IANAL, but the text of this agreement seems to indicate that this implementation license applies to any products that "implement and are compliant with" Sender ID (section 1.2), and that Microsoft may subsequently terminate the license (section 3).

Don't implement any extensions or non-compliant behavior in your mail server. :-)

Improvements to the scheme are totally unacceptable?

Re:SMTP

[BigDork1001]

IMO SMTP does a good job apart from its obivous faults.

IMO Windows does a good job apart from its obvious faults too.

Vixie: SPF will not slow spam

[Cardinal+Biggles]

Paul Vixie's comment:

All it can do is help domain holders avoid the brand dilution of having their domain name forged by spammers. This is a valuable contribution, but we must make it clear that none of these schemes will stop or even slow spam, and that their benefits accrue to domain holders, not to spam recipients.

I'd have to disagree with Paul Vixie here. Most of the spam today comes through compromised home machines on a broadband line. Of course, spammers could include the zombie they're using in their SPF record and use their own domain in the "Purported Return Address", but that would make them so traceable that they might as well spam from their own systems.

So I'd definitely disagree that SPF/SenderID will not discourage spammers. It will certainly discourage the worst of them: the guys who don't want to be found out.

Re:Vixie: SPF will not slow spam

[arr28]

Furthermore, SPF enables domain reputation systems such as GOSSiP (currently under design) which enable domain's to be given a "spaminess" score based on their previous behaviour. MTAs could choose to reject unreasonably spammy domains because they'd know that the email really was from that domian and the reputation was based on emails that were known to be from that domain.

Without SPF, you don't know who your email is really from so you can't do domain based reputation.

Re:Vixie: SPF will not slow spam

[warrax_666]

Most of the spam today comes through compromised home machines on a broadband line.

But usually those zombies connect directly to port 25 of the recipient's SMTP server. That would be prevented by SPF if the sender domain doesn't include the zombie machine's IP in its SPF record. If the zombie is actually using the user's proper (sender) domain and sending through the ISPs mail server, then SPF doesn't help directly, but it gives the ISP the power to simply monitor what is sent and shut the zombie down if spam is being sent.

Re:Vixie: SPF will not slow spam

The spammers will simply send "from" the regular addresses of the users of the compromised machines.

Re:Vixie: SPF will not slow spam

[FireFury03]

In the short term it probably won't help very much - spammers will just spoof domains that don't do SPF. As time goes on we can slowly weight SPF in our spam systems - i.e. mails from domains that don't publish SPF records are more likely to be spam. The fact that you're going to lose more mail you're sending if you don't pull your finger out and publish records will make more people add records.

As more people add them, the chances of a un-spf'd domain being spam increases yet more, so we can weight it towards the spam end of the spectrum a bit more in our MTAs. The whole thing should (hopefully) snowball to a point where when it gets to a high proportion of domains publishing SPF records (e.g. 95%) we can take the decision to outright block anyone who isn't.

At that point, the only ways to send spam are:
1. register your own domains and spam from them with SPF records set accordingly.
2. hijack the domain belonging to the compromised machine you're sending the spam from.

In the case of (1), this makes it rather traceable and the SPF records would have to allow large numbers of machines to post - we can weight the spam systems based on how many senders are covered in the SPF records - a domain that says that 16 million machines can send from it is more likely to be spamming you than one that says it has a single mail sender. It also costs a (small) amount of money to register a domain and doing some kind of distributed blackhole system against that domain would mean the spammers would have to keep registering new domains. It'd be nice if the domain registrars actually bothered checking that the domain is registered to a real address and there are easy ways of doing this - if you're paying for the domain by credit card then store the address of the card holder since you know that is a real address that can be held accountable (unless the card was stolen, in which case the spammers have broken some quite serious laws).

In the case of (2), the owner of the compromised machine will get hell and be forced to fix it (we would be in a situation where you know that the owner of the domain the spam came from would be in some way responsible for the spam and you wouldn't be attacking an innocent 3rd party by making a complaint to the domain owner).

Re:Vixie: SPF will not slow spam

[cornice]

Actually it's still all a question of economics. If a programmer or team of programmers can take their investment in time and resources and multiply it by a practically infinite number of spam recipients and spam relays then their work will continue and spam will continue. The day that it takes more money/time/work to send a spam than it returns is the day that spam will stop. Right now it's simply too cheap and easy to send spam. Making that task more difficult and removing some ability to leverage the thousands of open relays will cut down on spam. It will also force spammers to concentrate around the remaining relay resources where they can be more easily identified and stopped. Right now everyone in your neighborhood is a potential spam relay. Annonymous zombie relays provide a virtual jungle for spammers to hide in. Take away a layer of annonymity and the cost of spamming will grow and the flow of spam will slow.

Re:Vixie: SPF will not slow spam

[evilviper]

Without SPF, you don't know who your email is really from so you can't do domain based reputation.

Yes, but with SPF, a spammer just has to register plenty of disposible domains, and have a bare-bones DNS server running. Then, the spam gets through, and it's always comming from a different domain...

Re:Vixie: SPF will not slow spam

[arr28]

Without SPF, you don't know who your email is really from so you can't do domain based reputation.

Yes, but with SPF, a spammer just has to register plenty of disposible domains, and have a bare-bones DNS server running. Then, the spam gets through, and it's always comming from a different domain...

Firstly, domains cost money. This drives up the cost of spamming, thereby making it harder (no pun intended) to earn a living from.

Secondly, who says that email from "no reputation" domains is going to get through?

Re:Vixie: SPF will not slow spam

[evilviper]

domains cost money.

Very, very little. And you can use each one to spam a LOT of people.

Secondly, who says that email from "no reputation" domains is going to get through?

Anyone with a brain. No domain would have the opportunity to get a good reputation if you don't let the first few emails get through.

And, if you are operating on a whitelist, you're not really using e-mail. E-mail is supposed to allow you to be contacted by people who haven't contacted you before... Whitelists make email almost completely usless, and take away all the reasons it became popular in the first place.

Re:Vixie: SPF will not slow spam

[arr28]

domains cost money.

Very, very little. And you can use each one to spam a LOT of people.

Not with SPF + a reputation system (e.g. GOSSiP which was where this thread started). As soon as you've sent the first few spam, the reputation systems will have you as a bad guy and no more will get through. (The expected configuration will make GOSSiP a global reputation system.) Now rather than being able to spam several million per domain, you might get lucky and get a few hundred through. Even with inexpensive domains, spamming has just got much less cost effective.

Re:Vixie: SPF will not slow spam

[evilviper]

Even the best reputation system is not instantly updated all the time. It's most likely many thousands of emails will get through to reader's eyes before they update the reputation data. After all, it's not like it takes a long time to send an email...

Re:Vixie: SPF will not slow spam

[arr28]

Even the best reputation system is not instantly updated all the time. It's most likely many thousands of emails will get through to reader's eyes before they update the reputation data. After all, it's not like it takes a long time to send an email...

The expected use of GOSSiP goes something like this.

o Get MAIL FROM
o Do SPF check
o Do GOSSiP check
o Receive email
o Run through spam filter of choice
o Send update to GOSSiP server based on result

The GOSSiP system does "online" checks so the data is up to date.

Re:Vixie: SPF will not slow spam

[evilviper]

I'll start investigating GOSSiP. But frankly, if it operates at you describe it, it's going to waste an amazing ammount of bandwidth, and I doubt many will use it.

Additionally, even a live check will only work if somebody has already classified it as SPAM... Surely people aren't checking their email every minute, and even if so, probably not individuals that you "trust", so I still believe a lot of spam can get through before there's time to block it.

Re:Vixie: SPF will not slow spam

In addition, while it might not reduce the spam, it will certainly reduce the bounces that stem from forged From: lines.

While my domains have only a handfull know usernames, some spammer got the bright idea to cross the userlist from each domain with all other domains, and so creating a fresh set of "adresses" (mostof them bogus, of course).

Apart from spamming people to death with these, they also put their adresses into the From: lines (joe-jobbing you). This causes a lot of bounces, sometimes way more than you get spam!

In addition, people with these emails on their harddisk (maybey they got spammed and kept the spam) might catch a virus, which then tries to send itself to these adresses or forges the From with them => even more mail and bounces.

While SPF might not do anything against the spam/virus etc, it will reduce bounces - if you know the email-from is forged, there is no need to send an error back.

best wishes,

tels http://bloodgate.com/spams/stats.html

Re:Vixie: SPF will not slow spam

[0x0d0a]

Without SPF, you don't know who your email is really from so you can't do domain based reputation.

SPF is the least trustworthy of the the current Big Three domain authentication schemes -- DomainKeys is ahead. None of them are particularly great authentication schemes, especially since all of them are limited to domain-level granularity (one machine with an authorized IP at a company gets compromised, outsiders have to ban the entire company's domain, rather than just the sending key).

Basically, it's awfully easy to DoS a reputation scheme with very minimal compromises involved. And any sort of throwaway-domain scheme is very hard to deal with with a reputation scheme, especially since an integer representing a global reputation may not be sufficient (and is how most folks want to do reputation schemes). Russian company A may trust Russian company B, but I'm less likely to trust random mail from a Russian domain. I'm more likely to trust mail from a person that interacts with people that I interact with than otherwise.

SPF is a very weak tool to allow doing this.

Re:Vixie: SPF will not slow spam

[ahodgson]

So block all mail from domains registered to nameservers in blacklisted IP space. That's what we used to do before spammers started forging everything.

Re:Vixie: SPF will not slow spam

[Grayswan]

How about the combination of RBLs + SPF as being a complete solution? If you think about it, RBLs are already reputation systems, but have a lot of false positives. Wouldn't SPF put a complete stop to that downside? Then you could REALLY use RBLs so it wouldn't matter how many domains a spammer registers because you block their IP. Am I missing somethig?

Re:Vixie: SPF will not slow spam

[Grayswan]

In the short term it probably won't help very much - spammers will just spoof domains that don't do SPF

I would suspect that such domains will get joe-jobbed so much that they will find out exactly what SPF is and how to implement it with exponentially (function of time) increasing zeal.

Re:Vixie: SPF will not slow spam

[evilviper]

But I'm not talking about spammers using their own servers... I'm talking about hijacking a legit machine, and setting up a minimal DNS server on it, registering a domain, then sending out a good chunk of e-mail from it.

Re:Vixie: SPF will not slow spam

[evilviper]

Just responded to a similar question, posed by someone else:

http://slashdot.org/comments.pl?sid=113072&cid=959 0414

spf?

[kwoff]

Great, SPF now not only protects from the sun, but from spam as well. I bet we could get XML involved somehow, too.

Re:spf?

[tarunthegreat2]

But does it run Linux? And could you imagine a beowulf cluster of these babies in Soviet Russia, you Insensitive CLOD! Sorry, just don't have anything positive to add, so resorting to memes....

Re:spf?

Great, SPF now not only protects from the sun, but from spam as well.

Man, that joke is so old I saw it coming 2 stories ago.

Re:spf?

[Antique+Geekmeister]

Too late. The new Microsoft CallerID system is already XML based, which is causing a great deal of contention among the developers who are furious at having to support a very complex and unnecessary protocol simply in order to allow people to steal CID keys from Microsoft's customers to send their spam. The "CID" keys are going to correlate very highly with actually being spam, probably even more than those "haiku" headers or the "click here to remove" entries do.

Confused

[IceFreak2000]

OK, I'm worried; unless I've completely missed something here, it seems as though the 'little guy' could get hit quite badly by SPF.

Let me explain; my domain is handled by a hosting provider here in the UK. Because I don't have a static IP address (and also because I don't want the hassle of handling a publicly visible SMTP server), I've set up a single mailbox with the hosting provider that acts as a catch-all account.

Locally, behind my firewall, I use fetchmail to retrieve the contents of this account, and I use qmail to distribute the mail into various IMAP folders; naturally I'm also using ClamAV and SpamAssassin as well.

All well and good, but the problem is that my domain hosting provider does not allow SMTP relay *at all*. Therefore, I use the SMTP relay service provided by my ADSL provider.

Obviously, neither my local qmail system nor my ADSL providers' SMTP relay will be listed in any SPF records; how will I be able to carry on locally managing my mail without automatically being rejected by SPF-aware mail servers?

Re:Confused

[jollis]

Use your own domain for outgoing mail AND either do not publish an SPF record for it, or publish one pointing to your Internet Serive Provider's SMTP server.

If the DNS provider for your domain doesn't enable you to publish an SPF (needs a 'txt' record), you'll need to ask them to, or change providers. But something tells me the laggard will quickly figure it out, since SPF is nearing critical mass.

Re:Confused

[tanguyr]

Obviously, neither my local qmail system nor my ADSL providers' SMTP relay will be listed in any SPF records; how will I be able to carry on locally managing my mail without automatically being rejected by SPF-aware mail servers?

1) If your provider's SMTP relay isn't listed in an SPF record, then it will still work (for now) until people start saying "i only accept mail from servers with valid SPF authentication".

2) When that day comes around, you can publish your own SPF info for your "vanity" domain using the sfp include syntax and pointing to your provider - basically saying "whoever can send mail for my provider's domain can send mail for my domain as well"

Re:Confused

[arr28]

All well and good, but the problem is that my domain hosting provider does not allow SMTP relay *at all*. Therefore, I use the SMTP relay service provided by my ADSL provider.

Obviously, neither my local qmail system nor my ADSL providers' SMTP relay will be listed in any SPF records; how will I be able to carry on locally managing my mail without automatically being rejected by SPF-aware mail servers?

You're in a rather unusual situation. It sounds like your provider allows you to receive email but provides no facility for you to send it.

Putting aside your own situation for one moment, do you think that it is better to have global email sender authentication or allow domain hosting companies to provide half an email solution?

Yes, some things will have to change for SPF but it has been designed such those are real minority cases where there are obvious and simple solutions. (Here, your provider, like many other providers, could provide you with access to an SMTP server.) We are already seeing this in the free DNS providers who didn't previously provide for TXT records but, as a result of SPF - which requires SPF, many do.

Re:Confused

[johnjones]

yeah I'm confused as well because this is not going to work well

I think they are saying they want you have to rewrite your headers in a sane way this part is callerID and you can use SRS workaround

meanwhile in the REAL world...
as far ass I can see SPF is going to be extra work for ISP and host providers

your hosting provider is going to have to provide a SMTP server that you can post msg's through and make it secure (via SSL etc so you dont send passwd plaintext)

AOL love this because they have very few mail servers and lots of users using their pants email client which post's directly to their servers so no change in user's config...

so expect your hosting costs to go up if you want mail with it...

personally I would prefer that they delt with public key distrubution so that we could effectivly trust people with keys and build a web of trust about email...

regards

John Jones

Re:Confused

[IceFreak2000]

Yes, but 'changing providers' isn't really an option - unless anyone out there can recommend a provider that supplies domain hosting for 50 quid bi-annually, with ASP.NET.

If I don't include an SPF record for my domain, how long (assuming SPF does reach critical mass soon) before mail servers start automatically rejecting/weighting heavily as spam?

Re:Confused

[IceFreak2000]

You're in a rather unusual situation. It sounds like your provider allows you to receive email but provides no facility for you to send it.

Not that unusual; I know of a fair number of small companies with similar setups.

Putting aside your own situation for one moment, do you think that it is better to have global email sender authentication or allow domain hosting companies to provide half an email solution?

Obviously, it's better to have some form of global email sender authentication; the problem as I see it is that there are too many components to this system that are potentially out of end users control (how many small companies have direct control of their DNS records, and more importantly, how many would actually know how to set up the SPF record correctly?)

I sincerely hope that my worries are proved wrong. There's one thing for certain, there has to be a solution to the spammers out there - I'm just not sure if this is it.

Re:Confused

My domain hosting (namezero) has ALREADY done this. If they can't write some little script to alter each of the dns records, then would you really WANT them to be dealing with your domain?

CLearly we are building a web of trust up. It clearly shows that if an email has been sent from [blah] then the email has not been spoofed. If we add password requirements for email, then we've just made the spamming game a whole lot harder.

As a user of SPF, I'm now waiting for YOU LOT to go get it installed and working. It's not *that* hard to add.

Re:Confused

[Xrikcus]

Take the "or" appoach of adding an SPF record containing your ISP's domain. SPF has an "include" record, so in your DNS you can say "Any server allowed to send mail from myisp.com is also allowed to send e-mail for mydomain.com". So your ADSL provider's servers can send mail for you. So if someone gets an e-mail you sent through your ADSL provider, they look up the domain, see that your ISP's domain list is important too, look that up, find the smtp server is listed there, and allow the mail through.

Re:Confused

[Karl+Prince]

OK, I'm worried; unless I've completely missed something here, it seems as though the 'little guy' could get hit quite badly by SPF.

If you have no SPF records published , your email will continue to be treated as it is now (heavily checked for spaminess), so you should be no worse off.

I use the SMTP relay service provided by my ADSL provider.

You can publish this information in an SPF record.

If you trust the relay service to only relay your domain for you, ie an authorised login, with your domain allowed for you but no other users, then it's very easy to setup, and SPF aware servers will be confident whether your mail is from you (via your secure providers relay) or a forgery.

However reality is very different, providers relays do not normally limit the domain of users, even when authorised, so there is a risk of of users of your providers relay forging your domain.

Because of this you can publish an SPF record that states your domain policy, with the providers relay being "neutral" (? prefix). The effect of this is not as good as the secure example, but considerably better than nothing.

Any mail coming from your domain, through the providers relay being considered neutral, therefore as if no SPF, so you may think no apparent gain, why bother. However, any email using your domain, but not from your providers relay would be treated as a "FAIL", so there is a significant benefit.

Yes, a "clever" spammer could use a zombie within your providers network send mail using your domain through the providers relay, but it would only score a "Neutral", so normal spam filtering would apply, as it would for you.

It's not perfect, but since you are not able to secure the providers relay for your domain, its still a pretty good outcome.

Re:Confused

[KillNateD]

Obviously, neither my local qmail system nor my ADSL providers' SMTP relay will be listed in any SPF records; how will I be able to carry on locally managing my mail without automatically being rejected by SPF-aware mail servers?

I work for a web hosting company, DreamHost, and this is the only minor stumbling block for us and our users. Although we can generate good default SPF records for a majority of our customers, we probably host a couple thousand people who use random SMTP servers (either their ISP's, their office's, or ones they run themselves).

We'll naturally provide those people with a method to add any of those SMTP servers to their SPF record (and that's what your web host should do), but there will likely be a bunch of tech support generated from people's mail getting rejected because they didn't know to add weird SMTP servers to their SPF record.

So for now we're taking it slow.

Re:Confused

[EtherMonkey]

the problem is that my domain hosting provider does not allow SMTP relay *at all*. Therefore, I use the SMTP relay service provided by my ADSL provider.

Why the emotional attachment to an obviously inqdequate hosting provider? I don't know the market in the UK, but in the US I have hundreds of hosting providers asking as little as US$4 per month. The one I use at this price has no problem relaying as long as I authenticate first. My only complaint is they are not looking into implementing any system such as SPF at this time. (I'll bug them into compliance).

Re:Confused

If they can't write some little script to alter each of the dns records, then would you really WANT them to be dealing with your domain?

Yes. Because hiring people competent enough to handle SPF will double the hosting costs for an average vanity domain.

Re:Confused

how many would actually know how to set up the SPF record correctly?

This is further complicated by the fact that the SPF syntax is quite complicated. Like a lot of open standards, the engineers could not resist putting everything but the kitchen sink in the SPF syntax. So we have a case of the "microwave problem" or the "blinking 12:00" problem--the engineers designed the user interface instead of getting feedback via focus groups and user interface design experts, resulting in a complicated and obtuse UI.

Re:Confused

[Keith+Maniac]

Oh good.

Now everyone on his ADSL provider can send email from his domain as well. Great protection there.

How long before spammers start harvesting SPF records looking for easy targets?

SPF won't protect anyone but large companies with easily-recognizable, often-spoofed names (uh HOTMAIL, YAHOO).

Meanwhile, they make things harder for everyone else, while not actually protecting against spam. All I see in this thread is "Change your service provider!", "Rewrite your mailing list software!", "*You* change this, *You* change that".

Fuck that.

How about not breaking widely used protocols for meaningless bullshit. SMTP is totally b0rked, and everybody knows it, but a half-assed patch is not the answer.

Re:Confused

[Grayswan]

..users using their pants email client..

Those must be some fancy pants. Do they come with a fax machine, too?

Re:Confused

[bcrowell]

Unlike the parent poster's, my two domains have a static IP, which they share. They're registered with Network Solutions and Gandi.net, and hosted by ev1. (In case anyone's interested, no, I would not recommend either of these registrars, and no, I'm not proud of ev1 for giving in to SCO's extortion.)

I'm not a DNS guru, so can someone use crayons with me -- how do I actually go about registering my domains to support SPF on outgoing mail? There's this webapp for creating the text of the SPF record, but then what? Would the registrar have to provide a mechanism for me to add the record? The web host?

Re:Confused

[Xrikcus]

In the current situation everyone at his ADSL provider AND the rest of the world can send mail from his domain. His ADSL provider can at least rate limit to stop individual compromised machines sending too much spam, and can do something about customers that are sending spam generally, as at least the mail is now going out through their servers, and being a (hopefully) respectable company you have someone to talk to, and if necessary to mount a legal challenge against. If the spam is coming from half-way round the world, it's much harder to do something about it.

I'm not sure how good a thing SPF is at all, but I'm certainly not sure that your argument against it is reasonable. You're moaning about people being asked to change things... what else do we do?

Why not everyone use PGP ?

[johnjones]

explain this to me

if you are going to HAVE to use ESMTP why not add the ability to look up public key for domain ?

if you are doing the domain why not query for user ?
finger server or in DNS record ?

is this in the spec ?

in the future then everyone can use weak crypto for emails and not send everything plain text
(speak to the person in internet cafe or bussiness and they dont understand that their msg is transmited plaintext and maybe through other peoples servers who may or may not read the email )

it would be nice to say we thought of providing keys but people dont have to use them...

regards

John Jones

Re:Why not everyone use PGP ?

[thogard]

The reason is commonly called "plausible deniability"

If thats not enough for you, what would happen if a virus started sending out illegal material and someone had signed it with your key?

Re:Why not everyone use PGP ?

[LuckyStarr]

That has not to be the case.

The idea is to place the public-key in DNS and the private key(s) on the mailserver(s). Not the dial-up users sign the mails, but the relay-servers. The dial-up users log in with their SMTP-AUTH password as they are used to.

So if a virus is hijacking a dial-up machine, it only must catch the SMTP-AUTH password, which boils down to the same situation as today.

Re:Why not everyone use PGP ?

[Beryllium+Sphere(tm)]

Why doesn't everyone use PGP already? It's been out since 1991. It's never had the success it deserves.

One issue that comes to mind is that signature verification is relatively expensive. Another is that it's fragile: regular PGP users often see their signatures fail to verify because an MUA changed the line wrapping. I think we need a standard for canonicalizing messages before hashing, but that's just my opinion.

"If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography." That's maybe a little rude but it's good to remember that crypto only changes one problem into a different problem. We'd have to manage the public keys, and we'd still be dealing with today's problem of insecure machines being taken over.

Re:Why not everyone use PGP ?

Why doesn't everyone use PGP already? It's been out since 1991. It's never had the success it deserves.

Because key management is hard for the general user. Combined with the fact that very few people use it (e-mail encryption suffers from the "network effect") and the ease-of-use issues with the various plug-ins or other implementations.

Re:Why not everyone use PGP ?

[0x0d0a]

Why doesn't everyone use PGP already? It's been out since 1991. It's never had the success it deserves.

Because it's a pain in the ass to use. You ever tried it? The only client I've seen where it's remotely usable is mozilla+enigmail -- even mutt has serious issues.

For PGP/GPG to be widely used, major clients must:

* Support automatic key downloading.

* Support automatic encryption/signing (*not* having to manually do so on a per message basis or copy/pasting or hitting a special key to decrypt)

* Support opportunistic encryption. The current interface on most clients is that emails are not encrypted unless a person explicitly and manually tells their client to encrypt to a given person, manually imports the key, and manually sets up trust with that person. That isn't going to happen for everyone I know, even though I'm a bit of a security nut. If you have a key in your keyring that purports to belong to someone, it should be used (unless you explicitly tell your client not to do so). It doesn't hurt security, and it can help it. You can always explicitly tell your client "use this key always with these recipients" as you did before, but this means that the *default* is to be secure rather than insecure.

* It should be much more transparent than it is today. If people don't want to deal with key management, they should get what signing and encryption we can give them without it. If they *do* want to use trust management features, then they can take advantage of those and ensure that they're using proper keys and the like. SSH would *never* have taken off as a telnet replacement if it *required* manual key distribution -- yes, automatic key distribution is a bit less secure, but it's generally a Good Thing, and the paranoid nuts who require a secure connection to a place or two can still use good ol manual key distribution.

And before you say "well, why don't you do it", I'm actively submitting patches to achieve exactly this.

One issue that comes to mind is that signature verification is relatively expensive. Another is that it's fragile: regular PGP users often see their signatures fail to verify because an MUA changed the line wrapping. I think we need a standard for canonicalizing messages before hashing, but that's just my opinion.

Hmm...you see this even with MIME-format PGP?

"If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography." That's maybe a little rude but it's good to remember that crypto only changes one problem into a different problem. We'd have to manage the public keys, and we'd still be dealing with today's problem of insecure machines being taken over.

"If you think cryptography isn't necessary to solve your problem, then you don't understand your problem and you don't understand cryptography."

Cryptography is necessary to do the kind of authentication that the anti-spam people want to do.

It just isn't, alone, sufficient.

Re:Why not everyone use PGP ?

[kirkjobsluder]

Add to this, the problem of having your private key available when you need it, no matter which computer you happen to be sending mail from.

Re:Why not everyone use PGP ?

[0x0d0a]

The Internet *does* need a standard way to allow access to files and information (PGP keys, preferences, and the like) across any Internet host securely, but that's a problem for another day and a better authentication scheme.

Re:Why not everyone use PGP ?

[0x0d0a]

Oh, and just to emphasize -- PGP (well, a PGP-like system) is a much, much better solution than SPF. I just think that the reason PGP hasn't taken off isn't because of computational cost, but because the UIs for it on the client are universally bad.

Re:Why not everyone use PGP ?

[Agar]

For PGP/GPG to be widely used, major clients must:

* Support automatic key downloading.
* Support automatic encryption/signing.
* Support opportunistic encryption.
* It should be much more transparent than it is today.

You mean like this?

"PGP Universal. . .shift[s] the burden of securing email messages and attachments from the desktop to the network in a way that is automatic and entirely transparent to users."

* Two-way policy enforcement
* Automatic and transparent
* Comprehensive and self-managing (automatic key generation)

Re:Why not everyone use PGP ?

[0x0d0a]

"major clients".

The problem is that this isn't "major clients" -- even mozilla+enigmail isn't an out-of-box solution. In the case of PGP Universal, you're buying an additional product just to do secure email. It really has to be nothing more than "install email client, use encrypted email with key generated during setup".

Re:Why not everyone use PGP ?

[Agar]

Yes, but why couldn't an ISP or web host be a "major client"? Then, all their customers would have encrypted e-mail with no additional product required. Seems like a pretty good solution (no pun intended).

good luck with that

[DrSkwid]

my webmail rightly lets me send with whatever From: field I choose

So I can emailwise be both at work and at play from the same webmail

for spamming from a zombie (with an IP of 111.222.123.124)

From: zombie@111.222.123.124
Subject: Stop spam now!

or it wouldn't be too much trouble to look up the MX record of 111.222.123.124 and set an appropriate From: header accordingly

This scheme is as temporary as any other and it also prevents me from sending mail with my own computer, I will have to route my mail through my ISP's mail server in order to tag on to their SPF

oh well, something's got to give

Re:good luck with that

[AKnightCowboy]

This scheme is as temporary as any other and it also prevents me from sending mail with my own computer, I will have to route my mail through my ISP's mail server in order to tag on to their SPF

What's your problem with doing that? If you're coming from DSL, cable, dialup, or some other residential service then you should be relaying through your ISP and your ISP should be blocking outbound port 25. It doesn't hurt you to relay through an additional hop and add an additional 5 seconds to your e-mail. If your ISP introduces intolerable delay then find a new one or complain that their service is unacceptable. If you're worried about relaying SSL mail to work for business purposes so you can post with your @work.com address then you should be using port 465 (smtps) anyway with authentication to connect to your work's mail server, authenticate via cram-md5 or even just a password so it opens relaying for you and then out you go.

Re:good luck with that

[aussie_a]

your ISP should be blocking outbound port 25

Woah! When did it become a standard for ISPs to block port 25? I sure as hell am happy they don't do that 'round here, otherwise people wouldn't be able to telnet to through port 25. Yes, there are legitimate uses for port 25.

Re:good luck with that

[DrSkwid]

What's your problem with doing that? If you're coming from DSL, cable, dialup, or some other residential service then you should be relaying through your ISP and your ISP should be blocking outbound port 25.

why *should* I ?

what business is it of anyones what ports I use and who's right to block it?

certainly if the provision is in one's contract then one can't argue but it seems a drastic solution to Zombie Windows PCs and Open Relays that I should have my service curtailed.

But, like I say, something has to give

Re:good luck with that

[a24061]

You must be lucky enough to have several good ISPs competing for your business. Here I have one broadband supplier which refuses to guarantee its e-mail service works. Most of the time it does, but sometimes outgoing e-mail gets queued for long periods of time with no warnings to the senders.

Re:good luck with that

[jrumney]

I will have to route my mail through my ISP's mail server in order to tag on to their SPF

What's your problem with doing that?

I have 4 accounts at different domains set up in Mozilla, and use different addresses to send depending on which account the mail is relevant to. But Mozilla only lets me specify one SMTP server. See the problem yet?

Re:good luck with that

You do realize that a STARTTLS command can initialize a SSL/TLS-encrypted session on port 25, right? Your mail client can opportunistically try STARTTLS (I've seen some servers that don't give a proper response to EHLO)...

Re:good luck with that

Charter blocks port 25 out bound.

I was VERY upset when they did this as it inhabitted me from diagnosing problems with my production email servers that were also on their network (on commercial accounts).

I moved and my current DSL ISP allows port 25 connections INBOUND. Now THAT is a feature

Re:good luck with that

> my webmail rightly lets me send with whatever From: field I choose.

Then it's not in compliance with RFC2476:

If an MSA is not able to determine a return path to the submitting user, from a valid MAIL FROM, a valid source IP address, or based on authenticated identity, then the MSA SHOULD immediately reject the message. A message can be immediately rejected by returning a 550 code to the MAIL FROM command.

OR it is deliberately doing forgery itself, by using one Return-Path, but passing it along with another.

Re:good luck with that

[paco+verde]

hmmm...http://www.mozilla.org/start/1.5/faq/mail -news.html#multiple-smtp

That's the Mozilla FAQ for setting up multiple SMTP servers. That feature has been in there since at least 1.0, probably much longer.

Re:good luck with that

[walt-sjc]

Telnet does not use port 25. It uses port 23. BTW, Telnet???? How about using something secure such as ssh?

Re:good luck with that

dumbass, he wasn't using telnet for remote login. he was using to to diagnose the SMTP servers by directly connecting to them like a MTA/MUA would.

Re:good luck with that

[Feztaa]

I'm not sure about traditional mozilla mail, but thunderbird is more than able to set up more than one SMTP server. You just have to click 'advanced' and specify all the ones you need, then go into the server settings for each account and choose the proper smtp server to use.

That's how I do it, and it lets me use my university email address and my ISP's email address, both going through their own respective SMTP servers.

Re:good luck with that

dumbass, he didn't say that. If it's blocked it makes no difference. If he is an MUA, he should be on port 587....

So zombies reply they send it. Big deal..

[crovira]

The machine was taken over from Joe Sixpack in the first place.

He won't know why his box is just a bit slower than usual. Soo he thinks DSL is all bull because is hardly faster than his ol' dial-up.

Get a thousand zombies sending a hundred spam a minute and you see that its not so tough to send a hundred ACK signals as well...

Potential end result: 1,440,000,000 spams/day from ONE infected net.

Go after the spammer's clients instead. Spam and you get jail time and a whopping big fine, paid locally, regardless of the jurisdiction you're in.

Re:So zombies reply they send it. Big deal..

[Jokkey]

I'm not certain that I understand your point.

SPF states that the DNS server of the sending domain says who is permitted to send mail. Unless spammers' zombie machines are DNS servers, they'll never get a chance to reply that they sent the messages or send ACK signals or anything of the sort.

Going after the spammers' clients is a good idea, but there's also value in pursuing technical solutions such as this.

FOAF-based reputation system

[KjetilK]

Furthermore, SPF enables domain reputation systems such as GOSSiP (currently under design) which enable domain's to be given a "spaminess" score based on their previous behaviour.

That's interesting! I'd like to plug two bug reports of mine (I wish I had time to hack, but I haven't). Friend-of-a-friend makes great start for a reputation system, at least for whitelisting people you know well.

So, I there's a Spamassassin bug on this, and it has generated some interest.

Now, the problem is to generate FOAF-records easily and reliably, and for that, I suggest for example enabling KAddressbook to export them.

Crypto - the magic fairy dust

[pjrc]

Every spam article, someone posts an opinion that if everyone would just use crypto (usually PGP is suggested), all these problems would be solved. After all, strong cryptographic authentication proves the message is from a legitimate sender, so the arguement usually goes, so the relatively weak authentication offered by SPF / Caller-ID / Sender-ID is only sub-standard.

For a moment, neglect the high costs, complexity, worldwide legality and PKI problems of crypto, which are all solvable at some cost. They aren't the fundamental problem.

Strong authetication answers the question:

Is this message almost certainly authentic?

That's a very nice to know if you need to place a high level of trust in the message, such as correspondance from your bank. Today email is virually worthless (in the absence of PGP) for trusted messages.

Saddly, the answer to this question is not valuable for filtering out junk. The question that needs to be answered instead is:

Is this message almost certainly forged?

PGP does not answer this question. Neither does Yahoo's DomainKeys. There are many circumstances where the signature can not be verified. You can not use the failure to verify a PGP signature as a reliable means to filter out junk.

SPF and MS Caller ID are designed to answer this second question reliably enough to discard forged messages. They answer this question for all domains that publish SPF records (aol.com, gmail.com, etc) regardless of whether SPF is widely adopted by the rest of the world.

When the claimed domain published a list of designated senders, and the sending MTA's IP number isn't among them, you can be certain the message is a forgey and discard it (or close the connection before the data phase, saving bandwidth).

PGP and other crypto signature schemes simply do not deliver this ability to detect forgey. They only detect authenticity.

Re:Crypto - the magic fairy dust

[cpghost]

Ashcroft and others won't be happy with this. Of course, PKI/PGP/... can be used in non-encryption mode only to sign messages. BUT, they can also be used to encrypt. As soon as this kind of software is ubiquitous, wiretapping would be much more difficult for the NSA and other agencies.

Re:Crypto - the magic fairy dust

[theCoder]

PGP is just as good a method for spam fighting as SPF. It gives you the same information -- the difference is what you do with it. I think we agree that in the absence of either a PGP signature or an SPF record, normal filtering rules apply, and this case isn't really interesting. The question is what to do with an SPF or PGP success or failure.

With SPF success, the mail is accepted as usual, and with SPF failure, the message is (I assume) bounced. Correct me if that's incorrect.

With PGP success (verified signature), the mail is accepted and authenticated. With PGP failure (bad verification), then the message is almost certainly forged (who would incorrectly sign a legitmate message?). There is a third case where the message is signed, but the public key is not available. However, this case is essentially the same as the not having a signature at all, so it doesn't really apply (it would be the same as having a malformed SPF record).

Your contention is that !authentic != forged, which is not true. You're right that PGP and SPF attempt to solve the different problems you identified, but I don't think that end result is any different. PGP and other crypto signature schemes were explicitly designed to detect forgery -- that's why they're there! If a message fails PGP, it is not authentic, and therefore forged (or otherwise can't be trusted).

Setting up the PKI and getting everyone to use PGP is a tremendous task, but it is worth it, since PGP has a number of benefits (such as encryption) and very few of the disadvantages of SPF (mail forwarding is broken). It's only real disadvantage is the inherent loss of anonymity, though that is lessened since nothing necessairly ties a PGP key to a real person.

Re:Crypto - the magic fairy dust

[0x0d0a]

Every spam article, someone posts an opinion that if everyone would just use crypto (usually PGP is suggested), all these problems would be solved.

A lot of us are arguing that strong crypto is *necessary*, not that it is *sufficient* on its own.

For a moment, neglect the high costs, complexity, worldwide legality and PKI problems of crypto, which are all solvable at some cost.

The high costs? How many, exactly, CPU cycles would you spend to avoid bandwidth from spam?

Worldwide legality? Get real. Russians haven't supposed to be using OpenSSL for trusted stuff in the government for years. Nobody cares about that, because it's ridiculous. Encryption software is everywhere.

PKI problems of crypto? You have a problem with distributing trusted data to do *crypto*? How about the equivalent trusted-data problems of *SPF*, including the fact that the currently proposed transport mechanism is non-trusted and the designers treat it as trusted, or that the SPF's folks' solution to throwaway domains is some vague hand-waving and the stuggestion of a web of trust -- *exactly* the same thing you're claiming we don't have to deal with.

The only reason anyone is considering SPF is because they're desperate and if you ignore some of the things that the people working on crypto solutions have taken into account (which are necessary to actually have a workable system), you can look sideways at SPF and say "yeah, this probably kinda works". It makes people feel good to have something to deploy, even if it breaks existing legitimate functionality and has zero long-term impact on spam (spammers just run out, buy the latest idot-proof tools, and go to town -- Baysian filtering didn't stop them because they bought *tools* to get around it, and if you think that they won't just buy tools to bypass SPF, you're smoking something). The difference is that SPF breaks far more functionality than Baysian filtering does.

Re:Crypto - the magic fairy dust

[0x0d0a]

Sorry, I got so worked up that I failed to finish my last post.

PGP does not answer this question. Neither does Yahoo's DomainKeys. There are many circumstances where the signature can not be verified. You can not use the failure to verify a PGP signature as a reliable means to filter out junk.

SPF and MS Caller ID are designed to answer this second question reliably enough to discard forged messages. They answer this question for all domains that publish SPF records (aol.com, gmail.com, etc) regardless of whether SPF is widely adopted by the rest of the world.

Bullshit. Give me an example of an environment where email could reasonably pass SPF but not DomainKeys.

I'm not even going to get started on how a system (not necessarily PGP) that does client-to-client signing and encryption is so much more intelligent, breaks in so far fewer cases, and is so much stronger and won't need to be thrown out in a few months.

When the claimed domain published a list of designated senders, and the sending MTA's IP number isn't among them, you can be certain the message is a forgey and discard it (or close the connection before the data phase, saving bandwidth).

"Thanks" to new restrictions imposed on mail service by SPF, yes.

PGP and other crypto signature schemes simply do not deliver this ability to detect forgey. They only detect authenticity.

So, what exactly do you *think* SPF is?

It's a weak authentication scheme. A very weak one, with known attacks and only domain-level granularity.

Any other system that authenticates against the domain (Caller ID, DomainKeys) can do a similar act, and any system that authenticates against the sender (PGP, S/MIME, etc) can do not only that, but provide client-level granularity -- with SPF/Caller ID/(and for any sane deployment, DomainKeys), if someone compromises a workstation at a company and starts sending email as a client from that machine to the local mail server using a variety of addresses, the only action an outside person can take is to blocked the entire domain (try doing this to ford.com or apple.com). PGP and similar systems allow only the owner of the compromised workstation to be blocked, as well as the compromised workstation to be easily identified.

Re:Crypto - the magic fairy dust

[Phong]

Your contention is that !authentic != forged, which is not true. [...] If a message fails PGP, it is not authentic, and therefore forged

You're missing how these are indeed different: What if I send out a message claiming to be from you and don't sign it? How does your email server know that my message is forged? It doesn't unless there is a database of "always signed" senders somewhere, you register in it, and always sign your emails.

With SPF you can publish information for your domain so that any emails that get sent purporting to be from your domain can be easily identified as forged (unless they are actually sent from your domain).

Re:Crypto - the magic fairy dust

[theCoder]

What if I send out a message claiming to be from you and don't sign it? How does your email server know that my message is forged?

That's a very good point, and I see that difference now. However, I'd argue that this is a matter of policy. Public PGP keys are published just like SPF records are, so if you send a message with my address, but don't sign it, whatever verifier will see that I have a public key, but didn't sign the message, and then do whatever is necessary from there based on the receiver's policy (bounce or accept). But I do see your point.

Maybe we need an SPF for the PGP record (signed by the public key, of course) in the PKI. The interesting thing about that is that it would be per user and not per domain. So bob@example.com maybe works from home, so he adds his home and work mail server IPs to the SPF list of his PGP record, while fred@example.com never mails from home, so only has the work IP in his SPF list.

Hmmm... I'm going to have to think about this one...

va lairIE/robbIE, 'developers' of stock markup

shemes, the whoreabully infactdead/pateNTdead PostBlock censorship devise, gnu online dating, & a host of other quick buck scams, interview, still forthcoming?

remember, keep it simple. no questions about the monIE, or whatever happened to the won-eyed girl?

the scriptdead 'answers' have already been prepared buy a cubicle full of phonIE ?pr firm? hypenosys talknicians, & will be delivered onto you, when your questions match them acceptabully.

remember, lookout bullow.

consult with/trust in yOUR creators.... self-promoting by natural attraction since/until forever. see you there?

Moron.

Your envelope FROM is not the same as your From: header. Get that through your skull and then come back.

Re:Moron.

[lseltzer]

Parent is right. The original SPF checks only the envelope, not the fake From: grandparent says he uses.

Something I don't get

There's something I don't get: What if the spamming computer sends a mail, but pretends to be relaying it? He could act as if he actually got the mail from someplace else which makes the fake from-address valid in the view of the receiver.

How does that work?

lucas

Re:Obligatory

[Hellkitten]

(x) It is defenseless against brute force attacks

Explain: how would you brute force it? One way would be to search until you find a domain without SPF information and fake addresses from that. That will reduce the pool of domains you can fake, and be an incentive for them to start using it. In a way it's shifting the damage over to those that doesn't try to help solving the problem, they decide to be easy targets they take the consequenses.

(x) It will stop spam for two weeks and then we'll be stuck with it

It will stop spam from beeing sent with faked addresses from a domain, if the owners of that domain wishes it. That means I will never se a bounce for spam using my address if the recieving end uses SPF, and the reciever willl not see spam that fakes my address as its sender

(x) Users of email will not put up with it

Why not, all I have to do is configure my mail program to use the correct mailserver for outgoing mail

(x) The police will not put up with it

The police has never cared about anything to do with spam, why should they care about this?

(x) Requires immediate total cooperation from everybody at once

Bull. Mail (allegedly) from domains that doesn't publish SPF information will get through, and mail to recievers that doesn't check SPF will come through. Domain owners will be encouraged to implement this because they will se fever (misdirected) abuse reports. Users will be encouraged to implement this because they will see less spam

(x) Lack of centrally controlling authority for email

The owner of a domain is the central controlling authority for email from that domain, that's all you need

(x) Ease of searching tiny alphanumeric address space of all email addresses

Eventually all spam will use a sender address from domains without SPF informations (or nonexistent domains), people will start dumping mail from domains without SPF (or give it a high spamassassin score) and those domains will effectively be forced to implement SPF or see their users unable to send email

(x) Asshats

Which is why you have to use additional measures, such as scoring mail without SPF low, blacklisting domains and ISPS that allow spammers and other kinds of filters. There is no tool that will block ALL spam, but the right combination will reduce it drastically

(x) Unpopularity of weird new taxes

No tax involved

(x) Huge existing software investment in SMTP

It's compatible (actually uses) SMTP, no software has to be replaced. (Unless it already sucks)

(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes

And all the mail sent out to SPF using clients using from addresses with SPF domains will be dropped, eventually this number will rise as more people adopt SPF.

(x) Extreme profitability of spam

Making them work harder and reach less people will decrease the profitability, that will make the situation improve

(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves

Eventually the spammers will have fewer domains to use for sender addresses, they will have to buy domains (increasing cost) or use domains without SPF. Both can be blacklisted

(x) Outlook

This can be implemented serverside, outlook is not an issue

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

None has ever been standardised and tried large scale

(x) We should be able to talk about Viagra without being censored

You can as long as you don't forge the sender domain. But if you try to sell it to someone a complaint may well make you lose access to that domain

(x) Countermeasures must work if phased in grad

ok...

[RMH101]

...i own a domain name. i use it for email forwarding to whatever account i happen to be using, so that i can keep the same email address. this is going to break that, isn't it? i'm just a little guy who doesn't run his own smtp server (i'd have a job: my ISP blocks that anyway...)

Re:ok...

[jrumney]

Set up your SPF record as follows: example.com. IN TXT "v=spf1 ?all" SPF has different levels:

• + pass
• ? neutral
• ~ soft-fail
• - hard-fail

Facist admins could still theoretically block neutral, but SPF is not intended to be a full spam blocking system, all it should do is reduce the load on the server by doing less checks on "pass" and blocking "hard-fail", and treat "soft-fail" as already probable spam at the start of other spam checks.

Re:Obligatory

[squiggleslash]

The other guy responded debunking some of these (although occasionally they were relevent.) However, a more important issue is that your checklist is specific to anti-spam solutions.

SPF is not an anti-spam system. SPF is an anti-joe-job system. It happens that the most frequent joe jobs tend to come from spammers, however:

1. Not all joe jobs are spam.
2. Most spam (looking at my bulk mail folder on Yahoo) doesn't involve joe jobs.

A number of people are equating this with anti-spam systems, and that's just wrong. I thought one of the most revealing answers in the interview above was:

CircleID: Who is using SPF today and what level of success has it achieved in the fight against spam?

Meng Wong: In the six months since we declared a spec freeze, 20,000 domains have self-reported at the online registry; that's probably a fraction of the true total. Lots of domains have published records, including AOL, Amazon, Google, O'Reilly, SAP, TicketMaster, Mail.com, w3.org, Earthlink and Verizon. And the ones who haven't published are working on it.

We expect adoption to pick up exponentially; according to some estimates, the number of sites checking SPF doubles every three weeks. SPF plugins are available for all the major Mail Transfer Agents (MTAs).

What's signficant about this answer? It's that it doesn't answer the question. More specifically, it answers the first part of the question, but (rightfully) ignores the second part, because the second part of the question is a "Why are you still beating your wife?" question (a question based upon a false assumption.)

Proper anti-spam systems are based upon dealing with unwanted email, not dealing with non-relevent characteristics. If you create a system that makes it easier to control who gets your email address (such as my solution, Yahoo!'s AddressGuard(tm), and TMDA), then you're implementing a relevent solution, because dealing with spam is about controlling who sends you email. Likewise, if you operate Bayesian, CRM114, Mail.app, etc, AI filters based upon spam, then you're coming up with a relevent (if imperfect) solution, and the solution can work if combined with a whitelist, especially if you can automate the generation of the whitelist through systems like Camram.

SPF isn't such a system, it's designed to deal with a totally different issue. Arguably, given that it breaks mailing lists and forwarding and has many other documentable faults, it really ought to be being used as a measure of last resort, though it's a good idea for mail receipients to implement the logic so that domains that are having these issues can make the choice when they find themselves being targetted.

It'd be nice if every solution to every problem on the net wasn't always promoted as an anti-spam solution...

Too early... it so sad.

[LuckyStarr]

SRS/SPF still have a large number of problems to solve. SPF alone is very good idea, but the special-case of mail-forwarding is not compatible with the current design. As SPF breaks forwarding, SRS is an ugly hack which tries to repair the damage done.

I am not convinced that SRS does not introduce ugly bugs, which enables spammers to circumvent SPF alltogether.

Specifically I think SRS can as easily be forged as mails can be forged today, as noone hinders you to fake a forward which hasnt taken place in the first time. If this forward looks ok, you are in.

Now: Forging Spammer -> Recipient

SRS/SPF: Forging Spammer -> Recipient
^
|
Imaginary Origin

Why should this work at all? Please enlighten me.

Re:Obligatory

[thogard]

People are already scaning for open SPF records.

I was looking at seeing if sendmail could parse the records in the .cf file (no it can't in any sane way), and the very 1st spam I got with my new hacked system had a vaild SPF record. If a spamer gets paid $5000 to send out a million messages, a $15 throwaway domain is nothing...

SPF is well marketed....

[thogard]

Too bad its still broken:
# Its parsing is too complex
# No sane firewall is going to let TXT records through
# No sane firewall is going to let TCP DNS packets through
# The parsing can loop forever
# It will increase DNS scaning as spamers hunt for broken SPF records
# Its too complex to be implimented inside the MTA where it needs to be done
# It can't be properly parsed in sendmail
# ISO 8839 8859 59-15 utf-8 issues for domain names may kill some dns servers

Its a step in the right direction but its the wrong step.

Re:SPF is well marketed....

[Antique+Geekmeister]

Every statement is incorrect with the original TXT DNS implementation of SPF. Unfortunately, adding in the Microsoft CID handling may add enough complexity with its use of XML to make bits of it conceivably true. But the TXT DNS handling is part and parcel of normal DNS handling: the original DNS query for the domain used to log the incoming SMTP connection's real hostname and do forward DNS and reverse-PTR lookups for most mail servers can trivially accomodate the additional TXT lookup. The only way to block TXT DNS records is to block DNS, period.

Re:SPF is well marketed....

[jollis]

# Its parsing is too complex
Complex or not, it's working just fine with quite an array of software.

# No sane firewall is going to let TXT records through
A firewall would need to examine the contents of packets to differentiate a TXT record from a, say, A record or cname. Comparable wizardry is already being performed by mail servers world wide, on a vast scale:
[smegma@cartman smegma]$ host -t txt 84.137.116.38.sbl.spamhaus.org
84.137.116.38.sbl.spamhaus.org text "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL17 101"

# No sane firewall is going to let TCP DNS packets through
SPF does not rely on anything that every other app using DNS doesn't. Also see above.

# The parsing can loop forever
In a horribly written parser perhaps. The same could be said about IRC clients, Web Browsers and just about any application out there.

# It will increase DNS scaning as spamers hunt for broken SPF records
DNS is quite efficient. Unlike RBLs, SPF will work just fine with traditional SOA settings, so cache hits will be plentiful.

# Its too complex to be implimented inside the MTA where it needs to be done
Just where do you think it's already being implemented?

# It can't be properly parsed in sendmail
It is already being used with all popular MTAs, including sendmail, postfix, qmail, exim, courier and ms exchange.

# ISO 8839 8859 59-15 utf-8 issues for domain names may kill some dns servers
Huh?

Parsing complexity might become a bit of a concern with the advent of XML, but as of now, it's dead-simple.

3, Interesting? And I feel like I'm feeding a troll here!

Re:SPF is well marketed....

[rcw-work]

No sane firewall is going to let TXT records through
No sane firewall is going to let TCP DNS packets through

That's a bit of a stretch. Why would you block TXT records? Also, TCP is a perfectly valid transport for DNS and by default most resolvers will use it for zone transfers and any other application where the expected response will be larger than 512 bytes. As a firewall admin wherever I've allowed incoming DNS over UDP, I allow DNS over TCP as well. Not doing so breaks DNS.

Its parsing is too complex
The parsing can loop forever

I don't think this is a showstopper, I mean HTML seems to be pretty popular.

It will increase DNS scaning as spamers hunt for broken SPF records

So?

Its too complex to be implimented inside the MTA where it needs to be done
It can't be properly parsed in sendmail

I guess you've got me there.

ISO 8839 8859 59-15 utf-8 issues for domain names may kill some dns servers

What does this have to do with SPF? Those DNS servers will die regardless.

Its a step in the right direction but its the wrong step.

If you don't like it, propose something. Then get used to taking what you're dishing out.

Re:SPF is well marketed....

[thogard]

Othere than SPF, there is no sane reason for most DNS servers to issue TXT records. There have been several exploits because of broken DNS parsing of unusual DNS records. The prupose of a firewall isn't just to limit ports, it should also stop odd data.

Right now SPF is being done with a large library that gets linked in. I've been finding security holes in MTAs for 17 years and I don't like complex systems built into things that live on my network front door.

There is nothing that SPF does that DNSBL like systems can't do better using existing software and normal data packets. Thats why I feel SPF isn't the right next step.

Re:SPF is well marketed....

[Xformer]

Othere than SPF, there is no sane reason for most DNS servers to issue TXT records.

Really? What rock have you been hiding under?

There is nothing that SPF does that DNSBL like systems can't do better using existing software and normal data packets.

I haven't yet seen a DNSBL system that says authoritatively that a given IP is allowed to send email for a certain domain, much less with the same kind of flexibility that is allowed in SPF.

Re:SPF is well marketed....

[0x0d0a]

For more problems I have with SPF, I've collected links to a bunch of my earlier posts detailing issues I have with SPF in a response to Meng.

In short -- SPF has severe technical problems. Caller ID has almost all the same severe technical problems (and introduces at least the question of patents). DomainKeys has a large number of drawbacks, and even *it* is much better thought out than either SPF or Caller ID.

Re:SPF is well marketed....

[CustomDesigned]

Right now SPF is being done with a large library that gets linked in.

I can only speak for sendmail, but none of the sendmail solutions link in any libraries to sendmail. Every solution uses a sendmail milter. The milter process is started independently of sendmail, and does not required access to any files or privileged network ports - so it runs as an isolated user id. The only I/O required by an SPF milter is TCP for the milter protocol, DNS queries, and perhaps a log file. No patches to sendmail are required.

You may be confusing SPF with SRS, which cannot be fully implemented in sendmail via a milter. However, SRS can be securely implemented for sendmail via a socket map in the latest versions. A patch to support socket maps in older sendmail versions is available - or you can use the (horribly innefficient but workable) solution of a program map.

Re:Obligatory

[norculf]

Score: 5, HAHAHHAHHAHAHAHHAHA.

In return I give you this: http://www.rhyolite.com/anti-spam/you-might-be.htm l

Re:Obligatory

[Hellkitten]

People are already scaning for open SPF records.

I can't say that I'm surprised

I can imagine that spam filters like spamassassin could check if the mail came from a domain with an open SPF record, it would simply be a matter of retrieving the record, doing a little parsing and assigning a score.

If a spamer gets paid $5000 to send out a million messages, a $15 throwaway domain is nothing...

The cost is also time to get the domain in place, less time spent on defeating other anti spam measures. If that spammer is using zombies he'll have to use an open record that a spamfilter rule like the one above would detect. He must eiter accept that less of his spam will arrive or add each single sender machine to the SPF record. In addition I expect we'll soon see domain block lists in addition to IP block lists so each spammer domain will only have a lifited "shelf life".

As I said SPF is no silver bullet by itself, but I believe it will improve the situation, just avoiding joe jobs is worth it in itself and if it can make the spam flow a little slower that's good too.

It's a start.

[Mustang+Matt]

I have people claiming to be from my domain sending spam, so if this will stop or slow them down I'm all for it. I published my records a while ago. It hasn't seemed to make any difference, but maybe it is making a difference and I just don't know it.

Re:It's a start.

[Xformer]

If you don't flag anything that doesn't match as a fail (-all at the end), then you won't see much difference. It also depends on the server receiving such spoofed emails actually doing checks against SPF records.

Most domains out there are defaulting to "neutral" or "softfail" as the default in their SPF records for now until sites that do mail forwarding or web mail (preserving the original envelope FROM address) implement SRS. If you have fairly solid control over where mail from your domain comes from, then you can go ahead and set the default to "fail".

Re:It's a start.

[Smallpond]

No reason to do this. As he says in the article:

Wayne Schlitt ... tracked down all the major forwarding service providers and put them into a whitelist at trusted-forwarder.org.

So you can fail any mail with non-matching spf. Individuals will get bounces if using old-style unix .forward files and will have to update to use remailers.

Re:It's a start.

[Xformer]

Yes, but Wayne says that his list is only a temporary measure. It's not going to be there forever. Besides, not all valid forwarders are in that list... only those that have been found by him or reported as unable to implement SRS (with good reason) by others.

Re:It's a start.

[mikefe]

No.

Since SPF checks the envelope, only if you are not in the spf record for your domain and if you have it set to hard fail would your message bounce.

So the answer is "it will work if you don't fsck it up!"

Has anyone actually SEEN a zombie spamming PC?

[Mustang+Matt]

I've seen a lot of heavily virus infected and spyware infected PCs but I have never seen a PC that I knew was zombified as a spam sending monster.

Maybe I just didn't know it.

Has anyone seen one? What applications are running on them? It seems like maybe we could mess with the spammers if we knew what they were using.

Re:Has anyone actually SEEN a zombie spamming PC?

Yes. My mother's.

The main process was called drvddll.exe. My mother's computer is relatively well administered and got infected anyway. This process delivers messages directly. It is launched from the registry and hides network connections and kills regedit. It also continuously checks the registry to see if its launch key has been removed and adds it back if it has.

Re:Obligatory

[upside]

It does NOT account for Outlook. It's a method for preventing address forgery.

Create a new bug that sends spam with the Outlook and you won't be able to differentiate between spam and real mail from the Outlook user.

Until the patent issues are clarified

Boycott Caller-ID for E-mail is still wary of the new, combined scheme. Neither Meng nor Microsoft has clarified whether the draconian patent schemes from Microsoft's earlier attempt still exist!

We need to pressure the people coming up with the standards to avoid patented schemes at all costs, or assign the patents to a neutral third-party with the mandate of using them defensively.

Re:Obligatory

[Short+Circuit]

That actually helps...With tighter regulations on, for example, using accurate contact info when getting a domain name, bulk-emailers will be reachable by phone and mail.

MOD PARENT UP

[Rayban]

I haven't seen any clarification of these patent issues yet, personally. What about the anti-GPL license that CID has? Is that still there?

what a load...

[johnjones]

ever heard of key signing ?

so you end up with a web of trust...

SPF and Caller ID are a solution until you end up sending emails from your outlook automatically...

oh wait thats been done before

OpenPGP and email clients that support it, go a long way to solving the problem i.e. set your boundrys

I trust bob
bob trusts jane
jane trusts bart
bart trusts lisa

so I think that I want only 3 degrees and everyone else has to tell me via phone fax and friends they want to email then I trust them and their friends...

works a bit like friendster and gmail invites only way of doing things I can see that will work

regards

John Jones

Re:Obligatory

[Hellkitten]

It does NOT account for Outlook.

A zombie machine (infected through outlook or any other means) would have to send mail with addresses it is allowed to send from. That would be a domain controlled by the spammer (can be blacklisted), a domain with an open / nonexistant SPF record(can be filtered on), or a domain it's already allowed to send for (the ISP, which means chances that the machine would be stopped are far greater, or the ISP risks getting blacklisted).

Re:Obligatory

[thogard]

With domains being $15, its trivial to get a domain with fake data. Besides the bulk mailer is just going to use an address of one of the idiots paying them to send out the ads. Remeber this is to solve the joe-jobing issue. If they are willing to do it on-line, why not in the real world.

Locate the servers off-shore instead

[FreeUser]

As for why you'd need a license for this, it may the case that MS has a number of pending patents on the concept (orginally termed Caller ID) and the license mentioned prior is meant to assure people that if this makes it out there as a standard, they will have a license to practice with having to pay royalties.

Rather than give tacit support of software licenses to Microsoft (or anyone else), I'd rather just locate my DNS and mail server overseas, in a sane regime that doesn't recognize software patents, and use SPF irrespective of Microsofts intellectual property grab.

Microsoft obviously didn't invent anything here (the SPF folks did) ... they certainly should not be given government monopoly entitlements to the concept, nor if our corrupt government does grant them such entitlements, should anyone respect it. Locate the infrastructure off shore instead.

Translation

SPF bascially assumes that if you have chosen the solutions that the grandparent has chosen that you are wrong. You now have to do something else. What that something else is is of no concern to SPF. Deal with it.

Re:Translation

[ahodgson]

No, it doesn't. You can add the addresses of your ISP's mail servers into your own SPF record or even refer to your ISP's SPF record if they publish one.

This does NOTHING for SPAM

As a spammer, this is just a cost of doing business.

I'll apply to become a registrar. I'll stock up on cheap $3 domains, and use one for each few million emails.
My bulletproof DNS host will include SPF records that are completely valid - my peer2peer zombies will let me update the SPF records dynamically.

Shame about not leaving any 2-word domain names for you kind folks. You can have 3-dictionary-word domain names until I get there.

Re:This does NOTHING for SPAM

[Smallpond]

No need to change domains because of SPF, keep valu-mail.biz or whatever as long as you want. SPF will prevent you from sending mail claiming to be from citibank.com or paypal.com (should those guys ever get around to publishing TXT records). Every company is going to publish SPF just to avoid being the target of phish scams.

Re:This does NOTHING for SPAM

[0x0d0a]

And so how exactly does this avoid spam, again?

If you want to avoid phishing (especially the economic fraud that you're talking about here), the weak security of the SPF protocol is about enough to inspire a false sense of security without actually doing anything. At *least* use a pubkey-based signing system if you are trying to pull this off.

Hell, if you wanted to use SPF's poor domain-level-granularity and security-depending-upon-nobody-spoofing-DNS, you could just have a big flag for a domain that says "all legitimate mail originating from this domain is S/MIME signed".

Naturally, *this* still wouldn't do a much to avoid phishing, because the email could come from foobar@citibank-customerservice.com or some equally bogus name, but at least it wouldn't be as completely ineffective as SPF.

Re:Obligatory

Proper anti-spam systems are based upon dealing with unwanted email, not dealing with non-relevent characteristics

It seems that the only proper anti-spam solution is to cut of the testicles of anyone that advertises their products with a spammer. Stop the silly technological arms race, and just assault the spammers' supply chain.

Then SPF contributes nothing.

[twitter]

Refuting the parent poster with good logic, you say:

If the zombie is actually using the user's proper (sender) domain and sending through the ISPs mail server, then SPF doesn't help directly, it gives the ISP the power to simply monitor what is sent and shut the zombie down if spam is being sent.

So, SPF contributes nothing. ISPs already have the ability to monitor their clients for spam and shut them down. It also shows that Vixie is not correct about the only benefit he sees for SPF, prevention of domain spoofing. The owner of a zombie machine will send out spam with the targeted domain. Spammers will simply slow the number of messages from each zombie to whatever does not trigger the ISP's monitoring program. The spam will go on and it will come from every big dumb ISP until people quit using crap from M$.

Please RTFFAQ

[mengwong]

All your questions are answered in the papers on SRS which were written by a professional cryptographer and security researcher at the University of Bath.

A lot of very smart people just like you have spent a lot of time thinking through the problems. Much of their thinking is captured in essays and FAQs available online.

http://www.libsrs2.org/docs/

Can't send email via port 25?

[Geekboy(Wizard)]

If you run your own mailserver, you can setup port 587/tcp, which is the smtp-auth port. Configure your MTA to only accept authorized connections. SASL is very common for this. When your MTA connects it issues a STARTTLS, which encrypts the session, then it authenticates as you, and then your MTA can allow it to relay. The 'traveling executive' problem is now solved.

RFC 2554 for more information.

Re:Can't send email via port 25?

[arth1]

If you run your own mailserver, you can setup port 587/tcp, which is the smtp-auth port. Configure your MTA to only accept authorized connections. SASL is very common for this. When your MTA connects it issues a STARTTLS, which encrypts the session, then it authenticates as you, and then your MTA can allow it to relay. The 'traveling executive' problem is now solved.

Sure, so now the traveling executive has to ask the company he visits "Excuse me, but could you please open port 587/tcp on your firewall, so I can send email?".
Yer right.

--
*Art

Re:Can't send email via port 25?

[ahodgson]

Give him a webmail account then. Geesh. How many executives send mail from client sites anyway? If they can figure out how to change outlook to talk to the local mail server they probably figure out how to use webmail.

Re:Can't send email via port 25?

[Geekboy(Wizard)]

I have yet to run into that problem. Most sane firewalls block all incoming packets, but allow outgoing connections (and keep state). And I prefer that to explaining to them why they can't send email over port 25, because earthlink/the hotel/whatever blocks them.

Is this how Slashdot works?

[mengwong]

I'm getting the impression that a lot of the people who post objections haven't bothered to read the FAQ.

I suppose they also write lengthy criticisms of movies based on the teaser trailer and on reading reviews, without actually seeing the movie.

Re:Is this how Slashdot works?

[0x0d0a]

I'm getting the impression that a lot of the people who post objections haven't bothered to read the FAQ.

I *have* read the FAQ. Some of my complaints about SPF are based on its content. I've steadily posted objections to Slashdot in most SPF stories -- at first, I spent ages on each post, writing out lengthy lists of issues. It was only after any SPF people failed to respond that I stopped listing item-by-item issues.

Re:Is this how Slashdot works?

[0x0d0a]

I'll even provide links to some of my criticizing comments.

I am very, very frusterated with SPF. Angry even, which is why I'm so combative. It reminds me of the Bulk Priority flag created by the Internet2 people -- the folks involved were just not *thinking* about how they're impacting existing people. I am fed up with mail servers rejecting email from my personal mail server because it's on dial-up (bad spam filtering idea #1), ISPs blocking my mail server from connecting out because "no reasonable home user would want a mail server" (bad spam filtering idea #2), ISPs silently dropping my email because I had to relay through their server just to get mail out through their system, then moved to a different ISP and forgot to update the relay host (bad spam filtering idea #3)...

Honestly, I have far more dislike for most of the people in the antispam arena (not all, there are some folks that put out carefully reasoned systems) than the spammers. Spammers make me waste a bit of time setting up some filters. They have wasted some of my bandwdith. I don't like them much. Yet they have *still* not managed to inhibit functionality or make my email get dropped, like a small but frusterating subset of antispam people that insist on breaking existing systems for short-term "improvements".

Here's my argument -- if you can't make a permanent solution that will be significantly useful in stopping the problem at hand (reducing spam) for at *least* ten years (remember, Internet email's been around for much longer) and your solution is a huge pain in the ass for regular users, please *don't* push such a system. Spammers are not going to just continue trying to spam into SPF, which is the assumption one has to make to assume that SPF is going to solve anything. They'll just buy the latest idiot-proof tool to avoid SPF, and continue spamming.

Re:Is this how Slashdot works?

[JoeBuck]

SPF will still be useful to me even if it has no impact on spam in general. What I'm most looking forward to is that I'll no longer get bounces from forged email (mainly from viruses) sent out with my email address listed as sender. Widely deployed SPF will put a major dent in the spread of email viruses, and forging the sender will be less successful. If the true sender is used, it will be easier to track down and isolate the infected PCs.

There's an old saying that the perfect is the enemy of the good. SPF won't be a magic bulled that stops spam for "at *least* ten years". There isn't one. But it will help, and the problems with it can be solved.

Re:Is this how Slashdot works?

If the true sender is used, it will be easier to track down and isolate the infected PCs.

What? The zombie spam I get already contains the IP address of the zombie sending the damn mail, that is how everyone files their spam reports to ISPs and BLs
How will "the true sender" help something that doesn't need any help?

Maybe if ISPs put the smack down on zombies quickly then we would only have zombie spam rarely by now and we wouldn't need the SPF/CallerID (PatPend) (tm) (c) 2002-2020 Microsoft Corp.

Malicious forwarders

[miley]

How is SPF going to deal with the Malicious forwarder?

Resent-From: pretendsitslegitforwarder@example.com
From: security@ebay.com
Subject: $I_wanna_steal_your_identity

$Body

Assume that example.com publishes SPF records and that this mail passes that check. The spammer has just passed its authentication check and successfully forged an email.

Lets make this a little more practical. Spammer buys CD of million names.
>grep '@pobox.com'
$id@pobox.com

He then sends mail to $id@pobox.com through his domain (even with valid SPF records). To hide his tracks, he continues forging -- saying that he received the mail from yet another forwarding service (ie, puts in a fake resent-from).

Mail From:
RCPT TO:

Resent-From: $id@pobox.com
Resent-From: spammer
Resent-From: another_forged_legit_domain
From: security@ebay.com
Subject: $I_wanna_steal_your_identity

$Body

Pobox.com receives the mail, validates that the mail is from spammer and forwards it along to the end user. The end user's system verifies pobox's SPF -- bingo, we have gotten a forged email through. SPF delegates the identity check to domains that you do not control. In today's world that is not a good idea.

Today, 60-80% of the mail coming from pobox.com is spam. If the receiver applies pobox's reputation to its mail, then it should reject all its mail. I assume that would not make Meng happy.

More and more people are realizing that authentication is not an anti-spam solution, but that authentication allows reputation and other antispam components to be built on top of it. Unfortunately this is exactly why SPF will fail.

This isn't a new idea

[Zondar]

I know that I personally had an exchange with Scott Hazen Mueller (of CAUCE) via email back in 1999 or 2000, proposing this very thing.

Where we use MX records for sending, I proposed an MS record for authorized Mail Senders. That's all it did, but at least you could look to DNS to see if this remote system was actually a designated speaker for that domain.

Of course, he told me it would never work and that it was unreasonable to use DNS to provide such a service.

Oh well...

Re:This isn't a new idea

[WuphonsReach]

No it isn't really a new idea.

Hell, it's rather obvious once you suffer from a joe-job attack. After all, if you're able to specify which servers are authorized to handle incoming mail, why shouldn't you be able to specify which outbound servers are authorized as well?

The devil, of course, lies in the details of the implementation and how corner-cases are handled. (Witness the problems figuring out how to break forwarding in a minimal manner.)

Re:This isn't a new idea

[0x0d0a]

Of course, he told me it would never work and that it was unreasonable to use DNS to provide such a service.

He's also dead-on right. There are many ways to simply bypass SPF; SPF-like schemes impose a number of limitations on regular email use; the use of DNS is a major part of the problem in SPF, as it's entirely inappropriate for a trusted transport.

The only reason anyone's deploying SPF, broken as it is, is because people will do *anything* at this point if someone promises them *any* reduction in spam -- look at the RIAA, and how they keep trying copy-protection scheme after copy-protection scheme. They've had PhDs doing studies come forward and say "there isn't any feasible way to copy-protect simple stereo audio as you're currently selling it", but they so badly want to believe that they keep buying into the latest scheme. ISPs get a huge amount of flak from customers over spam, and are more than willing to take even idiotic and nonfunctional measures if it (a) lets them believe that they're doing something that will be long-term effective and (b) lets their marketing people have something to trumpet about ("Earthlink's advanced spam-blocking technology")

Limited, but important.

[sff0ghead]

The general approach taken by SPF and friends does
nothing directly to stop SPAM. As numerous other posters
have pointed out, the throw-away domain is still available
to spammers and it is easy for them to generate valid
SPF records for those throw-away domains, even using
zombie networks (with dynamic DNS, you can even limit
the number of IP addresses in the records to mask
the size of the network).

It is useful, though, both immediately and in the medium
term. The immediate usefulness is in bounce processing.
An MTA whose role is to generate or forward bounces
can check the SPF record before action and not send
those for which there is no connection between the
message and the target of the bounce. That's very
useful, since it removes the clutter from the mailboxes
of those who were the targets of joe jobs. (Note that
an MTA forwarding a bounce can do this, as well as
one originating a bounce--that means an enterprise
can do this at the MTAs listed in the MX records).

In the medium term, the SPF record can be used to
limit certain kinds of forgery, making it harder for
social engineering attacks to work. It's not perfect,
by any means, since registration of domains like
"companyname-support.com" will still fool some
users. It also relies to some extent on the first
MTA in a series to perform the checks, as the scheme
gets weaker and weaker with the need to grovel
through more headers to make an association.
In other words, it works well when it is
ORIGINMTA--DESTMTA, but less well when it
is ORGINMTA--IntermediateMTA-IntermediateMTA-DESTMTA,
since the RFC 2822 header (From:, Resent-From:, etc.)
processing gets more complicated. Since the latter is a core
part of the design of email (store and forward), there
are limits to SPFs role in this arena--especially when
spammers decide to pass there messages through multiple
MTAs under their own control to generate the appearance
of this complexity.

In the long term, the hope is that it starts folks toward
a more generic mechanism that allows the sending domain
to describe the characteristics of its email (e.g. all mail
is signed as S/MIME and all signatures derive from this CA)
and the receiving domain to check the characteristics
of the messages it's received against those.

Again, though, this is all about forgery, not SPAM.

Re:SPF (is not an anti-spam scheme)

[WuphonsReach]

How is this supposed to stop spam, then? The spammers will simply make sure they use a domain that doesn't have SPF records.

Simply put, it won't stop spam. (There, I've said it.)

It's not supposed to. The goal of SPF (and the other reverse-MX proposals) is to allow a domain owner to put a dent in joe-jobbing by whitelisting all of the mail servers that are authorized to send e-mail on behalf of the domain. As a mail admin, it lets me say: "Don't bother accepting any e-mail purporting to be from my domain unless it comes from machines X, Y, and Z".

It's the natural mirror of the MX record (which specify what machines are authorized to accept incoming mail for my domain).

Re:Obligatory

[WuphonsReach]

SPF is not an anti-spam system. SPF is an anti-joe-job system.

Gads yes. That's probably one of the biggest issues with the entire SPF idea. People either mistakenly think that it's an anti-spam solution, or else they're mislead to think so by others.

(In fact, my biggest complaint about SPF and some of the extensions is that they stray too far from the anti-joe-job duty and are trying to do anti-spam stuff.)

Re:Obligatory

This article advocates a

( ) technical ( ) legislative ( ) market-based (x) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
(x) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
(x) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, l0ser! I'm going to find out where you live and burn your house down!

Re:SPF (is not an anti-spam scheme)

[arth1]

Simply put, it won't stop spam. (There, I've said it.)

It's not supposed to. The goal of SPF (and the other reverse-MX proposals) is to allow a domain owner to put a dent in joe-jobbing by whitelisting all of the mail servers that are authorized to send e-mail on behalf of the domain. As a mail admin, it lets me say: "Don't bother accepting any e-mail purporting to be from my domain unless it comes from machines X, Y, and Z".

That won't help the Joe much, when the MTA's block a message due to the SPF, and then the email bounces back to the Joe just the same. Unless the MTA's are changed to NOT send non-delivery-bounces, it will increase the amount of bounces the poor guy receives.

AFAICT, the only thing it can decrease is the amount of delivered forced email, at the expense of increasing bounces and making forwarding and vanity domains behind an uncooperative (read: corporate) ISP impossible.

Unless, of course, everybody starts using web mail, through companies like Microsoft and Pobox.com, of course... Hmmm...

--
*Art

You got it in 1 guess!

Hey, you can't be new here.

You figure that out WAAAY to fast!

-oo-OO-oo-

Not a load

[Phong]

The "web of trust" idea is not quite right. Unless you're going to require all incoming email to be signed, it doesn't help you to reject forged messages. Such a bold move would result in most people losing all their incoming email (since it wouldn't be signed).

What you'd need would be a way to look up the sender and see if they always sign their messages. If they do and this message is unsigned, it would be known to be a forgery. This method is not as effective as SPF because each user would have to change their email habits individually and publish their intent to always sign their messages individually (somehow). With SPF, each domain can effect the change for all their users, and (as long as the user's email software is setup right), the users will not have to learn a new habit for sending mail -- things just improve as more and more sites publish SPF records (and check it on delivery).

SPF and Caller ID are a solution until you end up sending emails from your outlook automatically... oh wait thats been done before

You'll note that all recent viruses and spam-bots spoof the From header, which means that they would NOT be valid email with SPF enabled for your domain. If virus writers and spammers have to go back to sending their emails with the real domain name of the host they're running on that would be very useful in helping to identify who is responsible for the virus or spam.

Remember, SPF doesn't claim to be a 100% solution to all email problems, nor does it need to be. It slams shut one huge open door in the current protocol, and it does so very effectively. I think it is a very good, targetted solution that will be of great benefit to the net.

The irony...

[This+is+outrageous!]

So we have the Addressing Spam Channel of the leading Intelligence Hub for The Internet's Core Infrastructure & Policies interviewing the lead developer of the lead antispam solution, and half the comments under the interview are from a spamming all-caps shill who repeats his identical message over and over.

Using a providers mail server sucks big time!

Forcing people to use a providers mail server stinks big time. Why should I do that? It compromises my privacy and slows things down. The only people suggesting that as a solution are people that do not run their own mail server at the end of their broad band connection. It's a classic "I'm not using it therefore it's ok to ban it for others".

The very principle of clustering mail from a provider is a little bit stupid as the number of potential mail clients grows. In an idea world, all mail would go directly peer to peer.

- Kim

Re:Mercatur is a hottie

Mercatur hates you.

And me, for that matter.

Re:Obligatory

[0x0d0a]

Explain: how would you brute force it? One way would be to search until you find a domain without SPF information and fake addresses from that. That will reduce the pool of domains you can fake, and be an incentive for them to start using it. In a way it's shifting the damage over to those that doesn't try to help solving the problem, they decide to be easy targets they take the consequenses.

It sounds more than plasubile to me. So, I'm curious. You propose to try, by social pressure, to force *every single* domain to disallow non-SPF email?

Heck, if *that* kind of approach worked (force everyone to use system Foo and use it correctly), that past few years where people *swore* to use that the answer to stopping spam was just eliminating all the open relays ("sure, it'll be easy") should have solved the spam problem. It doesn't work. You must have a system that does not require Internet-wide perfect cooperation.

It will stop spam from beeing sent with faked addresses from a domain, if the owners of that domain wishes it. That means I will never se a bounce for spam using my address if the recieving end uses SPF, and the reciever willl not see spam that fakes my address as its sender

You don't need to do so now. There are existing, workable systems that don't require an iota of effort on the part of the domain mail admin that work fine. One would be to slap a "X-Fromme:" header in all your emails with a secret in it, or hash of a tuple of the to address and a secret, or whatever makes you happy, and have procmail or whatever system floats your boat. It can all be done without leaving the client or screwing with existing infrastructure.

Why not, all I have to do is configure my mail program to use the correct mailserver for outgoing mailBull. Mail (allegedly) from domains that doesn't publish SPF information will get through, and mail to recievers that doesn't check SPF will come through. Domain owners will be encouraged to implement this because they will se fever (misdirected) abuse reports. Users will be encouraged to implement this because they will see less spam

Users will *not* see less spam when they do this unless everyone implements. Why would spamemrs spam with a forged from address from an SPF-enabled domain when there are an infinite pool of non-SPF-enabled domains (or even non-forged addresses).

You must admit one of two things. Either (a) people don't have to deploy SPF records, and SPF is not an antispam system, or (b) SPF requires everyone to completely and fully deploy and it is not workable (no system requiring all nodes to be trusted and not screw up that I know of has ever worked). You can't have both the benefits of requiring SPF records and not have the drawbacks.

Eventually all spam will use a sender address from domains without SPF informations (or nonexistent domains), people will start dumping mail from domains without SPF (or give it a high spamassassin score) and those domains will effectively be forced to implement SPF or see their users unable to send email

As I said above.

Which is why you have to use additional measures, such as scoring mail without SPF low, blacklisting domains and ISPS that allow spammers and other kinds of filters. There is no tool that will block ALL spam, but the right combination will reduce it drastically

The schemes that the SPF people have proposed are vulnerable to DoS attacks. "Asshats" include those people that want to DoS people. Suppose you spoof a little DNS record or two, setting a high TTL on cacheable lifetime, and manage to make AOL's main mailserver think that MSN's SPF record says that the only legitimate mailserver is somewhere in Korea. It'd be funny when millions of emails start getting bounced as spam, eh? It'd be even *funnier* if asshats use the domain-level-reputation-based-tools that the SPF people are advocating to patch over the fact that SPF can't deal with throwaway domains improperly -- say, compromi

Re:Obligatory

[0x0d0a]

SPF is not an anti-spam system. SPF is an anti-joe-job system. It happens that the most frequent joe jobs tend to come from spammers, howev

As I've pointed out below in a number of comments, SPF is not a good anti-joe-job system either. A lot of people have identified the fact that SPF does not actually deal with spam very well, have wondered *why* the designers came up with it, and apparently arrived at the conclusion that it's a brilliant way to avoid joe jobs. It's not.

Proper anti-spam systems are based upon dealing with unwanted email, not dealing with non-relevent characteristics. If you create a system that makes it easier to control who gets your email address (such as my solution, Yahoo!'s AddressGuard(tm), and TMDA)

Your solution would be really nice if more ISPs had good mail servers.

I enjoy the use of Carnegie Mellon's Cyrus mail server, which is set up to allow any address that looks like username[+optionaltext]@andrew.cmu.edu to be delivered to username@andrew.cmu.edu. A number of CMU folks use your approach, and you'll see stuff like tom6+compdiscuss@andrew.cmu.edu on a "compdiscuss" forum. It lets people track where people get their email addresses from, in addition to giving them an effectively infinite number of email boxes -- you can tell students to send current problem solutions to jsmith+15676_hw5@andrew.cmu.edu, for instance.

SPF isn't such a system, it's designed to deal with a totally different issue. Arguably, given that it breaks mailing lists and forwarding and has many other documentable faults, it really ought to be being used as a measure of last resort, though it's a good idea for mail receipients to implement the logic so that domains that are having these issues can make the choice when they find themselves being targetted.

I don't think so -- I think that SPF actually is a misguided effort intended to eliminate spam.

SPF is, when all is said and done, an authentication system, and nothing more. The problem is that it fails a number of basic requirements that most people have on authentication systems -- it can be decieved. It does not provide sufficient granularity of identity (no user-level auth) to implement a number of systems that might be built on top of it that *might* be effective antispam systems. If decieved, a great deal of damage can be done. It natively has an extremely generous "trust" system (once something has been accepted by any SPF-enabled system, it's kosher) or an attackable and DoSable trust system (if domain reputations are used, as vaguely proposed by its authors). It does not allow delegation of authority.

SPF is not a good anti-spam system -- it doesn't stop spam unless everyone uses it perfectly Internet-wide (which doesn't work).

It is not a good anti-joe-job system -- it fails to secure a number of links in the mental association process between an email and a trusted authority (I've detailed this in several comments further down).

It is not even a good authentication system to build poential anti-spam, anti-joe-job, or other distributed Internet systems on -- it can be attacked, DoSed, and provides a very limited set of functionality.

Have the patent issues been resolved?

[dwheeler]

The original SPF is, to my knowledge, clear of software patent problems. BUT Microsoft has quite publicly stated that they're pursuing patents on their caller-id approach. So if they've created a combined approach, the combined approach has all the patent concerns of Microsoft's original approach.

So what's the story on the patent claims? Boycott Email caller id still seems wary, and I see no evidence that Eben Moglen's concerns (such as incompatibility with the GPL) have been addressed.

Any such patent application is likely to be granted, since Microsoft has lots of $$$ to press their case and the patent office has neither the knowledge or time to determine if they're obvious or in any other way counter them.

I remember the joys of dealing with GIF patents. We're better off without this combined approach if the patent applications will make it unworkable.

So, what's the situation?

Re:Obligatory

[squiggleslash]

SPF is not a good anti-spam system -- it doesn't stop spam unless everyone uses it perfectly Internet-wide (which doesn't work).

If everyone did use it Internet wide, how would that help? The vast bulk of the spam I see comes from addresses used legitimately. Spammers will always be able to register domains.

I believe you're incorrect

[aussie_a]

MUDs use many ports, some say to connect with port 23, others say port 25, while more say 1997, 2040, etc. Sometimes people can log into some muds while they can't others. This is because they're using different ports. I think it is a fair assumption to say I am using port 25, 1997, 2040, whatever the mud is telling me to.

And why would I want something more secure then telnet just to play a game? Sheeesh.

Re:Obligatory

[Hellkitten]

It sounds more than plasubile to me. So, I'm curious. You propose to try, by social pressure, to force *every single* domain to disallow non-SPF email?

Well not really social pressure. When enough people remove themselves as targets for having the from domain faked, the chances that the remaining domains will be targeted is greater. I wouldn't want to remain standing as all others drop to the floor when the bank robbers enter :)

It doesn't work. You must have a system that does not require Internet-wide perfect cooperation.

Again you're looking for that silver bullet. SPF can't be used alone (unless we lived in a perfect world, bet then there would be no spammers) SPF gives us one more thing to filter and score based on, but your filters have to be set up with the assumption that there are domains without SPF or with misconfigured SPF:
Mail from doman with SPF, sender is allowed by SPF record => low probability of spam
Mail from domain without SPF => medium probability of spam
Mail from domain with open SPF record => medium probability of spam
Mail from domain with SPF, sender disallowed by SPF record => high probability of spam

Obviously you have to filter/score on other things too

There are existing, workable systems that don't require an iota of effort on the part of the domain mail admin that work fine. One would be to slap a "X-Fromme:" header in all your emails with a secret in it, or hash of a tuple of the to address and a secret, or whatever makes you happy, and have procmail or whatever system floats your boat. It can all be done without leaving the client or screwing with existing infrastructure

I can't see how that is going to prevent anyone from faking the addresses, it would make it easier to filter out bounces to mail I didn't send if that was what you were thinking about. But how would it help with the bandwith cost of the bounces from a joe-job?

Users will *not* see less spam when they do this unless everyone implements.

You are correct, but only if you assume that the users won't be using additional ways of filtering, and feeds the result of the SPF check as input to that filtering

You must admit one of two things. Either (a) people don't have to deploy SPF records, and SPF is not an antispam system, or (b) SPF requires everyone to completely and fully deploy and it is not workable (no system requiring all nodes to be trusted and not screw up that I know of has ever worked).

(a2) people don't have to deploy SPF records, and SPF is not an antispam system by itself

Suppose you spoof a little DNS record or two, setting a high TTL on cacheable lifetime, and manage to make AOL's main mailserver think that MSN's SPF record says that the only legitimate mailserver is somewhere in Korea.

People that can't trust their DNS servers not to cache bogus responses to DNS queries shouldn't depend on DNS for anything, they certainly shouldn't be dumping incoming mail based on it.

You think it's "fun" getting off the blacklist for RBL because some dipshit on your network screwed up now, wait until everyone' using *domain-level* reputation, and any person at your enterprise-class company can screw your domain's reputation over severely, and kill your domain's mail privileges.

Not fun no, I've heard the stories

Obviously a company should have a policy that does everything to prevent this. But that can happen with or without SPF with todays IP blocklists

Especially nasty if that one person is completely innocent, but happens to be using a Windows laptop that picks up a worm...but *that* wouldn't ever happen, would it?

Not so innocent if that person broke company security policy by disabling virus checks, or installed downloaded software from shady sites. It won't happen again after you fire the first one.

All the people out there have to put in new,

GPG trust networks?

[Cinquero]

Why not set up trust networks a la gpg?

Distribute the standard mail apps with gpg compiled in by default and let each user either import or create a key upon account information setup.

Then, when reading mails, there should be two buttons: trust or untrust sender if the message has been signed. When clicking "trust", a message dialog pops up and informs the user how he can do that, eg. not to trust keys just because he had an email conversion with the sender for some time, but rather make a phone call or exchange keys via secure ways.

I wonder if there is any downside -- except that the OSS community should persuade the user somehow to create and trust keys.

Re:Obligatory

[0x0d0a]

Again you're looking for that silver bullet. SPF can't be used alone (unless we lived in a perfect world, bet then there would be no spammers) SPF gives us one more thing to filter and score based on, but your filters have to be set up with the assumption that there are domains without SPF or with misconfigured SPF:

SPF is really nothing more than an authentication system. I've argued elsewhere in this story that SPF is not a very good authentication system. I'm not sure that basing other antispam systems on SPF *is* a good idea.

People that can't trust their DNS servers not to cache bogus responses to DNS queries shouldn't depend on DNS for anything, they certainly shouldn't be dumping incoming mail based on it.

I'm curious -- what folks are you thinking of that *can* trust their DNS server caches not to be poisoned?

And while I agree that it might be nice not to route/blow away mail based on the relatively insecure DNS, it's also done on a regular basis and is a fundamental element in the way email functions. For a close parallel to SPF's DNS usage, consider mail servers with a reverse-MX-required policy.

Obviously a company should have a policy that does everything to prevent this. But that can happen with or without SPF with todays IP blocklists

Right. But with domain reputation, there may be many sources of input and since reputation is probably not binary, it's hard to know exactly "how in the clear" you are. With an RBL, if you fix your open relay, you're in the clear until next time your mail admin screws up. You can be careful to avoid the problem, and easily demonstrate that you are *not* a spam domain by fixing the open relay and sending email to an RBL service asking them to retest your mail server. With domain reputation, you may lose your entire mail service when a few accounts start spamming, and if reports come in over a period of time, even if your domain is cleared and rerated as "not a spam source", you may have difficulty ensuring that you stay above the threshhold as people read their email and send in futher spam reports.

You allow incoming mail from nonexistent domains?

No. But it's easy to register citibank-customerservice.com and then start sending email that *looks* like it comes from Citibank.

Noone should rely on email for anything of importance today.

That's probably true. However, people are desperate for a form of reliable Internet-based communication, and like it or not, email *is* used for crucial communications every day. Social Security numbers and mother's maiden names are both really awful forms of authentication (and SSNs are *specifically* not supposed to be used for authentication), but both are commonly used for exactly that. An ISP can't just get away with saying "well, you shouldn't have been using email for anything important" to their business clients if they go through a software upgrade that suddenly starts dumping 5% of (legitimate) incoming email.

That would depend on the policy of your ISP. It should be possible for a mail server to decide if/how to perform SPF checks depending on the user the mail is for.

Yes, but it "should be possible" today, but ISPs don't generally provide such an option, nor is there any set of extensions to IMAP/POP3 to let you "set" filtering options.