Lead Developer of SPF Anti-Spam Scheme Interviewed

penciling_in writes "CircleID has a great two-part interview with Meng Wong, lead developer of the anti-spam authentication scheme Sender Policy Framework (SPF). He has responded to various questions (which also touches on issues previously raised by Slashdot folks), including the merger with Microsoft's Caller ID, incompatibility of SPF with email forwarding services, and what he thinks about Yahoo's DomainKeys, as well as where he believes the fight against spam is headed. (He has also confirmed that the name SPF and references to sunblock are intentional!) In response to the first question in the interview on how SPF got started, Meng says: 'In 2002 Paul Vixie, the brains behind BIND, wrote a short paper titled 'Repudiating Mail-From'. That inspired two other proposals, 'Reverse MX' by Hadmut Danisch and 'Designated Mailer Protocol' by Gordon Fecyk. In late 2003 I combined the best of both proposals and called the result SPF.' Vixie replies to this reference in comments following the first article."

Re:SMTP

[random_culchie]

No these schemes are designed to work with SMTP.
It would be very difficult to replace something as as popular as SMTP. It would at least have to be backwards compatible with SMTP which means it would expose itself to the same problems as SMTP.
IMO SMTP does a good job apart from its obivous faults.

SPF

[pubjames]

My understanding of SPF is this:

the recipient checks that the sender has authoritiy to send out email for the domain, i.e. if you send an email from whatever.com via SMTP server 123.123.123.123, the recipient checks that 123.123.123.123 has the authority to send email for whatever.com by checking it's SPF record (which similar to an ordinary DNS record).

So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?

Re:SPF

[arr28]

So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?

When SPF discovers that a domain doesn't have an SPF record, it returns a code that says just that. The recipient chooses what to do next. So it is conceivable that once SPF uptake is near universal, some people may choose to reject mail from domains without a record. However, that's some way off yet.

Re:SPF

[merlyn]

The default is "permissive, use OTHER means to detect spam". So the system is entirely voluntary for participation. No "flag day".

However, right now, if someone claims to be "@stonehenge.com", and sends that mail from somewhere other than the machines from which such mail should originate, any SPF-checking-recipient will rightfully reject such mail. That's because I took about five minutes to add the right SPF record to my server.

SPF is not a comprehensive solution. It's merely a solution to help us from getting joe-jobbed, having spam "appear" to come from us. Until you voluntarily add SPF records for your domain, you will continute to get joe-jobbed unknowingly.

Re:SPF

[a24061]

I work from home a lot, so some of my e-mails sent from home have my personal address (which happens to be with my ISP) but some of them have my work from-address. Wouldn't this system obstruct that?

Also, many people use a different e-mail address from their ISP but are forced to route their mail through their ISP's SMTP server. How would they get around SPF?

Re:SPF

[pjrc]

the recipient checks that the sender has authoritiy to send out email for the domain.....

Yep, that's right

So, we all have to set up SPF records for our domains or our emails will get rejected by some ISPs. Is my understanding right?

Nope, that's wrong.

Messages only get rejected when a SPF does exist for the claimed domain and the MTA transmitting the message is not a valid sender for the claimed domain. Messages are NOT rejected simply because the claimed domain fails to publish a SPF record.

If you do not publish a SPF record, no messages claiming to be from your domain get rejected. This is true today, and it is likely to remain true even after SPF is widely deployed.

Of course, if you have a domain name, it is certainly in your best interest to publish a SPF record. Well, that is if your all email transmits from certain servers or one of the many other very flexible ways SPF's syntax can specify. Publishing a SPF record is the only way you can cause SPF-aware receivers to reject messages that claim to be from your domain, but are actually forged by spammers, virus programs, phishing scammers, and so on.

Re:SPF

[Hellkitten]

some of them have my work from-address. Wouldn't this system obstruct that?

Only if you don't send them through your job email server

Also, many people use a different e-mail address from their ISP but are forced to route their mail through their ISP's SMTP server. How would they get around SPF?

Tunneling / Adding your ISPs mail server to your works SPF info / Asking your ISP nicely

Re:SPF

[pjrc]

How about those of us who don't own IP adresses? Does it allow us to use something else,

Yes, it is very flexible, with many other alternatives.

like digital signing with a hidden key whose pair is regestered in the DNS?

This isn't an option, but there are many alternatives.

Firstly, you must own a domain name. If you don't have a domain name and you're sending email using someone else's domain name, you need to contact the adminstrator for the domain you are using.

Let's assume you have a domain name, you're running your own mail server, and a dynamic IP number assigned by your ISP. To make this work, you're already publishing DNS records for your domain that get updated every time your IP number changes. If your server transmits your mail, SPF is much easier than what you're already forced to do... just publish "v=spf1 mx -all", meaning that all messages come from your server.

Suppose you're not really running your own server. Maybe someone else receives for you and forwards the messages. This is common with "vanity domains" (a name specific to you). Maybe when you transmit, you relay through your ISP. In that case, you could use the "include" type if your ISP publishes a SPF record, or if you know the IPs of their servers you could specify their IP number, or if you only know the netblock assigned to your ISP, you could "ip4" with a mask for all your ISP's IP range.

Or maybe you transmit directly from your dynamic IP number without relaying through your ISP. Again, SPF can handle that too... as long as you know the range of IPs your ISP uses to assign for you. Just use the "ip4" type with a mask (or mulitple "ip4" if you ISP assigns from more than one pool of IP numbers).

Whatever you do, you can specify additional methods to cover the other possible cases, so that your messages won't get rejected.

Re:Why do I need a Microsoft license for this?

[arr28]

Anybody familiar with this? Is there a RFC for Sender ID?

See the RFC background reading page for links to SPF RFCs. To the best of my knowledge there is no SenderID RFC yet.

In the mean time (and it may be some time), it is advised that SPF records are published since Microsoft has agreed that SenderID will be back compatible with such records.

Re:Why do I need a Microsoft license for this?

[arr28]

IANAL, but the text of this agreement seems to indicate that this implementation license applies to any products that "implement and are compliant with" Sender ID (section 1.2), and that Microsoft may subsequently terminate the license (section 3).

IANAL either but SPF predates Sender ID and the details were made public without licensing requirements. Therefore, I'm pretty sure that most jurisdications won't require you to have a license from Microsoft or anybody else to implement SPF.

Remember, there are already over 20,000 domains publishing with SPF plugins for the major MTAs. Just pop over to pobox for details.

Re:Vixie: SPF will not slow spam

[arr28]

Furthermore, SPF enables domain reputation systems such as GOSSiP (currently under design) which enable domain's to be given a "spaminess" score based on their previous behaviour. MTAs could choose to reject unreasonably spammy domains because they'd know that the email really was from that domian and the reputation was based on emails that were known to be from that domain.

Without SPF, you don't know who your email is really from so you can't do domain based reputation.

Re:Confused

[jollis]

Use your own domain for outgoing mail AND either do not publish an SPF record for it, or publish one pointing to your Internet Serive Provider's SMTP server.

If the DNS provider for your domain doesn't enable you to publish an SPF (needs a 'txt' record), you'll need to ask them to, or change providers. But something tells me the laggard will quickly figure it out, since SPF is nearing critical mass.

Re:Why do I need a Microsoft license for this?

A new IETF Working Group (WG) has been formed to look into the subject and may eventually produce some RFCs. The WG will have its first meeting during the next IETF meeting in San Diego, Aug 1-6, 2004.

While it's not a RFC yet and nothing has been finalized, here's the latest on the subject in terms of a draft submitted by both Wong and MS:

http://www.ietf.org/internet-drafts/draft-ietf-m ar id-core-01.txt

Some related documents:
http://www.ietf.org/internet-drafts/dr aft-ietf-mar id-rationale-00.txt
http://www.ietf.org/internet- drafts/draft-ietf-mar id-csv-csa-00.txt
http://www.ietf.org/internet-dr afts/draft-ietf-mar id-csv-intro-00.txt

As for why you'd need a license for this, it may the case that MS has a number of pending patents on the concept (orginally termed Caller ID) and the license mentioned prior is meant to assure people that if this makes it out there as a standard, they will have a license to practice with having to pay royalties. How much trust can you put in that ...

Re:Vixie: SPF will not slow spam

[warrax_666]

Most of the spam today comes through compromised home machines on a broadband line.

But usually those zombies connect directly to port 25 of the recipient's SMTP server. That would be prevented by SPF if the sender domain doesn't include the zombie machine's IP in its SPF record. If the zombie is actually using the user's proper (sender) domain and sending through the ISPs mail server, then SPF doesn't help directly, but it gives the ISP the power to simply monitor what is sent and shut the zombie down if spam is being sent.

Re:Obligatory

[squiggleslash]

The other guy responded debunking some of these (although occasionally they were relevent.) However, a more important issue is that your checklist is specific to anti-spam solutions.

SPF is not an anti-spam system. SPF is an anti-joe-job system. It happens that the most frequent joe jobs tend to come from spammers, however:

1. Not all joe jobs are spam.
2. Most spam (looking at my bulk mail folder on Yahoo) doesn't involve joe jobs.

A number of people are equating this with anti-spam systems, and that's just wrong. I thought one of the most revealing answers in the interview above was:

CircleID: Who is using SPF today and what level of success has it achieved in the fight against spam?

Meng Wong: In the six months since we declared a spec freeze, 20,000 domains have self-reported at the online registry; that's probably a fraction of the true total. Lots of domains have published records, including AOL, Amazon, Google, O'Reilly, SAP, TicketMaster, Mail.com, w3.org, Earthlink and Verizon. And the ones who haven't published are working on it.

We expect adoption to pick up exponentially; according to some estimates, the number of sites checking SPF doubles every three weeks. SPF plugins are available for all the major Mail Transfer Agents (MTAs).

What's signficant about this answer? It's that it doesn't answer the question. More specifically, it answers the first part of the question, but (rightfully) ignores the second part, because the second part of the question is a "Why are you still beating your wife?" question (a question based upon a false assumption.)

Proper anti-spam systems are based upon dealing with unwanted email, not dealing with non-relevent characteristics. If you create a system that makes it easier to control who gets your email address (such as my solution, Yahoo!'s AddressGuard(tm), and TMDA), then you're implementing a relevent solution, because dealing with spam is about controlling who sends you email. Likewise, if you operate Bayesian, CRM114, Mail.app, etc, AI filters based upon spam, then you're coming up with a relevent (if imperfect) solution, and the solution can work if combined with a whitelist, especially if you can automate the generation of the whitelist through systems like Camram.

SPF isn't such a system, it's designed to deal with a totally different issue. Arguably, given that it breaks mailing lists and forwarding and has many other documentable faults, it really ought to be being used as a measure of last resort, though it's a good idea for mail receipients to implement the logic so that domains that are having these issues can make the choice when they find themselves being targetted.

It'd be nice if every solution to every problem on the net wasn't always promoted as an anti-spam solution...

Until the patent issues are clarified

Boycott Caller-ID for E-mail is still wary of the new, combined scheme. Neither Meng nor Microsoft has clarified whether the draconian patent schemes from Microsoft's earlier attempt still exist!

We need to pressure the people coming up with the standards to avoid patented schemes at all costs, or assign the patents to a neutral third-party with the mandate of using them defensively.

Re:It's a start.

[Xformer]

If you don't flag anything that doesn't match as a fail (-all at the end), then you won't see much difference. It also depends on the server receiving such spoofed emails actually doing checks against SPF records.

Most domains out there are defaulting to "neutral" or "softfail" as the default in their SPF records for now until sites that do mail forwarding or web mail (preserving the original envelope FROM address) implement SRS. If you have fairly solid control over where mail from your domain comes from, then you can go ahead and set the default to "fail".

Please RTFFAQ

[mengwong]

All your questions are answered in the papers on SRS which were written by a professional cryptographer and security researcher at the University of Bath.

A lot of very smart people just like you have spent a lot of time thinking through the problems. Much of their thinking is captured in essays and FAQs available online.

http://www.libsrs2.org/docs/

Can't send email via port 25?

[Geekboy(Wizard)]

If you run your own mailserver, you can setup port 587/tcp, which is the smtp-auth port. Configure your MTA to only accept authorized connections. SASL is very common for this. When your MTA connects it issues a STARTTLS, which encrypts the session, then it authenticates as you, and then your MTA can allow it to relay. The 'traveling executive' problem is now solved.

RFC 2554 for more information.