Slashdot Mirror


Spammers Are Early Adopters of SPF Standard

nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem won't be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."

249 comments

  1. A Change Needs to be made by CypherXero · · Score: 1, Insightful

    OK, We need to change SMTP completely. It was created back when the internet was somewhat new, and spam e-mail was unheard of. The protocol itself needs a change.

    1. Re:A Change Needs to be made by pikine · · Score: 3, Interesting

      A more reasonable change would be SMTP-TLS, employing a policy of using authorized certificates like the secure websites. This protocol is already there, but it's the wide adoption that is the problem.

      --
      I once had a signature.
    2. Re:A Change Needs to be made by rokzy · · Score: 1

      who marked this flamebait?

      some time ago...
      -"the laws of Newton and Kepler don't explain the orbit of Mercury. The theory itself needs a change."
      -"oh teh no3s U R teh fl4meba!tz0rrrzzzzz!!!!!one"

      Sometimes something new is needed. This is called progress and is strongly associated with the concept of learning from your mistakes.

    3. Re:A Change Needs to be made by ZorbaTHut · · Score: 3, Insightful

      How would you change it?

      Why can't these changes be integrated into SMTP-as-we-know-it?

      It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.

      --
      Breaking Into the Industry - A development log about starting a game studio.
    4. Re:A Change Needs to be made by Anonymous Coward · · Score: 0
      This is silly. SMTP is a valuable protocol and email over SMTP is a valuable service.

      If you want other mail protocols, they exist - I think exchange servers can exchange email without them - and uucp can as well - but the reason SMTP survives is because of its benefits.

      If you have a spam problem, quit using your email address to sign up for stuff from questionable organizations.

    5. Re:A Change Needs to be made by Anonymous Coward · · Score: 0
      If you have a spam problem, quit using your email address to sign up for stuff from questionable organizations.

      Agreed totally. We solved 90% of the spam problem here by giving employees 2-email accounts each - one for work & reputable partners and one for other signups, etc.

      I had used the same approach in the past when I ran an affiliate program that involved many questionable sites (pron sites); and while the junkmail account got trashed quickly, the official work one stayed clean for all the many years I was there. Don't give your email to spammers, and you won't get spam.

    6. Re:A Change Needs to be made by mattdm · · Score: 2, Insightful

      Sounded more like:

      "The laws of Newton and Kepler don't explain the orbit of Mercury. This whole 'science' stuff needs to change. It was created a long time ago, and it's time to throw it all out and start with something new."

      Maybe that's not flamebait, but it is silly. Changing theories to match new data metaphorically maps very well to adding SPF to SMTP -- not to throwing the whole thing away.

    7. Re:A Change Needs to be made by T-Ranger · · Score: 3, Interesting
      If you are talking about using TLS to ensure authenticity of a source, then SPF does that (somewhat). If a message claims to be from domain X, and domain X uses SPF and already only allows messages from their servers, then that message is from domain X. TLS, as far as authenticity goes would add nothing. The only difference is that spammers would now also have to buy a TLS cert.

      About the only attacks that TLS would prevent would be IP spoofing. These days, that is very, very hard.

      What would TLS add?

    8. Re:A Change Needs to be made by rokzy · · Score: 1

      no I think the "scientific" response would be to do a whole new protocol but one which allows compatibility with SMTP with large warning signs.

      just like General Relativity was an entirely new theory but gives the same results as Newton so long as you don't have large masses/high speeds etc.

    9. Re:A Change Needs to be made by timmi · · Score: 1

      but lately spammers have been combing through their addresses and if they have say, jdoe@isp1 and jdoe@isp2 they'll attempt to send mail jdoe@a through jdoe@zzzzzzzzzzzzz

      If they don't get a bounce message, they try jdoe1@*

      but in some ways it works against them.

      because you can get spam even if you never post your address, spam filtering software companies can set up honeypots, that are soon inundated with spam, and they know it's all spam, because they never told anyone about the address.

    10. Re:A Change Needs to be made by DA-MAN · · Score: 1

      300 dollars a year to verisign . . .

      --
      Can I get an eye poke?
      Dog House Forum
    11. Re:A Change Needs to be made by martin-boundary · · Score: 1
      No. SMTP and related technologies are nearly thirty years old. It's been debugged, and some bugs (e.g. spam) remain. Fix the bugs (ie write extensions), don't rewrite the protocol.

      It's like Rumsfeld says (I never thought I'd quote him on slashdot :-):

      known knowns: solved SMTP protocol issues.

      unknown knowns: bugs in proposed SMTP modifications.

      known unknowns: the solution to the spam problem.

      unknown unknowns: other mail problems.

      If you scrap SMTP just because of spam, then the next thirty years will be spent refixing old bugs we fixed years ago, and new bugs from the new protocol on top of that.

    12. Re:A Change Needs to be made by T-Ranger · · Score: 1

      My registrar charges $24.95.

    13. Re:A Change Needs to be made by ONU+CS+Geek · · Score: 1

      What would TLS Add?

      Much more money in the pockets of Verisign, et al., keepers of the ever-coveted root certificates.

      --

      I disable sigs...do you?
    14. Re:A Change Needs to be made by ferricoxide · · Score: 1

      TLS does not directly ensure sender authenticity, at all. Authentication provides the authenticity piece. All that TLS does is protect the authentication session, and optionally the message contents, from prying eyes.

      SMTP-to-SMTP TLS, using third-party certificates (Verisign, Thawte, et al.) allows one server to verify that another server has been vetted by the third party authority. It doesn't necessarily say that "this is a trustworthy, non-spam source".

      -tom

    15. Re:A Change Needs to be made by DA-MAN · · Score: 1

      Do you even realize we're not talking about domain registration?

      Verisign, before buying NetSol, was only in the business of selling SSL Certs. Now, I don't know about you but the cheapest SSL Certs I've seen are fifty from www.freessl.com.

      --
      Can I get an eye poke?
      Dog House Forum
    16. Re:A Change Needs to be made by Donny+Smith · · Score: 1

      WTF do you care if someone makes money?
      It's like saying people should get over flu without using any medicine because buying it makes pharmaceutical companies make money.

      The idea is if someone is REALLY bothered by that little spam that gets past their Spam Assassin or whatever you use, they can pay 25 bucks a year and get rid of that 1% or so that goes past the filters.

      If you think it's cheaper to use some other way or delete manually, do it that way. For many a company 25 bucks is well worth the benefit.

    17. Re:A Change Needs to be made by T-Ranger · · Score: 1

      I do. My registrar charges $9.99/year for domains. They charge $24.95/year for SSL certs. They also have different certs for $99.99 - the difference being so far as I can tell, the number of browsers supported. (96% vs 99%) I won't say that compatibility is less important for a (hypothetical) world where SMTP-TLS is common/necessary, but the total installed base would be less, and managed by smarter people. That is, convincing 1,000,000 email server admins to add a CA to their cabundle is easier than convincing 1,000,000,000 of the unbathed masses to do the same to their browsers.

    18. Re:A Change Needs to be made by osu-neko · · Score: 1
      WTF do you care if someone makes money?

      Reread the post you're replying to. There's no problem with people making money. The question was, what does this add beyond that? If the answer is nothing, which it apparently is, then it's wasted money -- the $25 is NOT worth the benefit if there is none.

      The idea is if someone is REALLY bothered by that little spam that gets past their Spam Assassin or whatever you use, they can pay 25 bucks a year and get rid of that 1% or so that goes past the filters.

      Sorry, at my company that figure is about 5%, even with SpamAssassin's flagging threshold lowered to 4.0, and 5% of the spam we receive comes to hundreds of messages per day. I'd happily, joyously pay $25/year to ANY company, even Microsoft, if they could do something about that last 5%...

      --
      "Convictions are more dangerous enemies of truth than lies."
    19. Re:A Change Needs to be made by T-Ranger · · Score: 1
      ...Which SPF provides, for free. If you have SPF set up on your domain, and only allow mail from your servers, others who receive mail claiming to be from your domain can verify that. Which is exactly the same thing as TLS provides, in this context.

      What TLS (or x509) _should_ provide is "proof" that domain X owners are in fact who they claim to be. But: a) if you think they actually do any real checking, you're a fool. and b) domain registrars are supposed to verify their WHOIS information. In other words, SMTP+SPF+WHOIS should be as good as SMTP+TLS, as far as authentication goes. The difference is that TLS would bring in an extra entity, and require an extra cost to domain owners. Since the third party may very well be exactly the same party who sold the domain in the first place, you don't even get a "second opinion" on the validity of the ownership.

      Again: What would TLS add?

    20. Re:A Change Needs to be made by ferricoxide · · Score: 1

      I fail to see why this is in reply to my post. The only thing I stated that TLS is used for is protection of user authentication credentials. In and of itself, TLS doesn't really enhance message source authenticity. -tom

    21. Re:A Change Needs to be made by DA-MAN · · Score: 1

      Spammers have money, smtp-tls will not make it any harder for them to spam. Only way to stop spammers would be to whitelist-only e-mail and reject everything else.

      Even then, users with worms or malware will be sending out spam as themselves. In other words, there is no way to stop spam with the infrastructure we have today! We can definitely reduce it with simple stuff like Vipuls Razor and Spamassassin, but that's about as good as it gets.

      What needs to happen is ISPs need to block all outgoing smtp connections except to their own mail server by default. This mail server needs to then monitor for too many outgoing connections per minute or hour.

      Then mail admins will have to run a smarthost configuration to the isp mail server. If this is not adequate for the mail admin's server, they will need to be registered with their isp to get outgoing port 25 access. This will require authenticating a contact person by either Government Issued ID.

      The list of authenticated 'blocked' mail administrators will then be put on a web site with a copy of their Government Issued ID (address and all) for all to see. Users on this list should be blocked from being a registered mail administrator for 7 years, like bankruptcy. This list should be shared and accessible by all ISPs, that way all spammers are cataloged and dealt with.

      --
      Can I get an eye poke?
      Dog House Forum
  2. We can still use it as a spam prevention tool by hchaos · · Score: 5, Funny

    All we need to do is block emails from anyone using SPF or SID.

    1. Re:We can still use it as a spam prevention tool by sploo22 · · Score: 2, Funny

      Well, there goes all mail from aol.com. Such a tragedy.

      Oh wait...

      --
      Karma: Segmentation fault (tried to dereference a null post)
    2. Re:We can still use it as a spam prevention tool by Anonymous Coward · · Score: 0

      Anyone remember that stupid Habeas anti-spam header? Once spammers started spoofing it, I switched off the positive scoring in SpamAssassin to keep them from slipping past my filters. So much for "making sure your message is heard".

    3. Re:We can still use it as a spam prevention tool by Anonymous Coward · · Score: 0

      Yeah, it's just like the immense value of finding a stock analyst who's wrong 90% of the time.

  3. The point of SPF by pikine · · Score: 5, Insightful

    ... is not to block spam, but to identify the source of an e-mail. Spammers can definitely identify themselves if they so choose. I think it is still a welcoming trend.

    --
    I once had a signature.
    1. Re:The point of SPF by forevermore · · Score: 3, Insightful
      The point of SPF is ... to identify the source of an e-mail

      This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.

      --
      Do you really need reason for beer? Wingman Brewers
    2. Re:The point of SPF by CodeMaster · · Score: 2, Insightful

      Exactly the point. I'd love to see that the spam I get is tagged with SPF - will make scripting and filtering the spam even easier with a way to actually track down precisely where the spam is coming from.

      get a free ipod! This really works... 2 more gmail invites left!

    3. Re:The point of SPF by eugene+ts+wong · · Score: 2, Informative

      I agree. With more spammers pretending to be themselves, then there should be less of them pretending to be us. That means that we may see less bounced messages.

    4. Re:The point of SPF by 10scjed · · Score: 1

      right, so, now the spammers are properly identifying their mail origins instead of using spoofed headers- this will enable white/black-listing to finally be effective, without the worry that the spammer will just rotate from one 0wned windows zombie to another and start sending mails from their domain.

      --
      --10scjed IANAL,AFAIK
    5. Re:The point of SPF by MarsDefenseMinister · · Score: 1

      Actually, that's not what it does. SPF can help to prevent a Joe-Job.

      SPF is just a record that says "all mail from this domain should come from this IP address." If you get a mail from the domain, but not from that IP address, it's fake.

      SPF doesn't identify the source of an e-mail. For that, you just read the headers.

      --
      No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
    6. Re:The point of SPF by termigan · · Score: 1

      Ah, but if they vouch for the validity of Domains they own (could be one in use only temporarily, but oh well) we can quickly have a registry and say, 'This domain has sent spam messages' and know that either it's an open relay, or compromised or even worse overtly friendly to spam. If they spoof the validity of the sender of email coming from domains they don't own, that would be a failure of the system.

      Anyone know how SPF accounts for intentional relays like forwarding mail from one account to another?

      --

      Today is all we really have. We should all live it well: it is our stepping stone to all of our tomorrows.

    7. Re:The point of SPF by Da+Web+Guru · · Score: 1

      Ah, but if they vouch for the validity of Domains they own (could be one in use only temporarily, but oh well) we can quickly have a registry and say, 'This domain has sent spam messages' and know that either it's an open relay, or compromised or even worse overtly friendly to spam. If they spoof the validity of the sender of email coming from domains they don't own, that would be a failure of the system.

      So, who will maintain this registry? And how will we prevent abuse of it? And what will happen in this scenario:

      user@isp.com sends out spam through their (valid) email account. user2@isp.com does the same thing, along with user3, user5, user452, etc. isp.com gets listed in this registry for sending spam. user@isp.com gets their account terminated (along with the other spammers), but doesn't get their entry removed from the registry in a timely manner (maybe it is not easy to get "de-listed"). What happens to the thousands (tens of thousands, millions) of other users at isp.com? Are they going to have to suffer because of a few errant spammers (that subsequently had their accounts terminated)? I don't want emails from myfamily@isp.com to be blocked because of an overzealous spam registry...

      --

      --guru

  4. even spammers by Anonymous Coward · · Score: 4, Funny

    need sun protection

    1. Re:even spammers by Anonymous Coward · · Score: 0

      don't tell Sun (http://www.sun.com/) that :-)

  5. Article Poster Doesn't Understand SPF by Anonymous Coward · · Score: 5, Informative

    Idiot. The point of Sender ID systems is to make it easy to track down spammers and enforce spam laws. Sender ID isn't meant to stop spam like spam filters or sender payment schemes but make laws enforceable.

    1. Re:Article Poster Doesn't Understand SPF by Anonymous Coward · · Score: 0

      Trying to fix the technical ineptitude of slashbots with informative posts is like trying to kill dolphins by getting drunk and pissing in the ocean: an admirable cause, but flawed execution.

    2. Re:Article Poster Doesn't Understand SPF by kfg · · Score: 2

      . . . like trying to kill dolphins by getting drunk and pissing in the ocean. . .

      Hey, if dolphins don't want piss in the ocean they should just hold it until they find a restroom like the rest of us are supposed to.

      KFG

    3. Re:Article Poster Doesn't Understand SPF by Anonymous Coward · · Score: 0

      Agreed, poster obviously doesn't understand the purpose of SPF. Why does everyone seem to think it's supposed to be a spam blocker, then complain when it isn't? SPF is useful, but not for the reasons people seem to think.

      Slashdot editors: why did you publish this gleefully ignorant rant?

  6. Isn't this what we want? by Carnildo · · Score: 5, Insightful

    Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Isn't this what we want? by jmorris42 · · Score: 2, Informative

      You do realize how cheap it is to register a domain, right? Unless you can RBL one in under an hour it probably won't raise their cost of doing business all that much.

      --
      Democrat delenda est
    2. Re:Isn't this what we want? by YankeeInExile · · Score: 3, Insightful

      Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net

      So, I suppose what I'm proposing is a distributed whitelist.

      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    3. Re:Isn't this what we want? by Carnildo · · Score: 3, Insightful

      Assume it takes an hour to add a domain to an automated blacklist. I think it could be done in five minutes or so, but let's be generous:

      24 domains/day * 365 days/year * $12/domain = $105,120

      That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    4. Re:Isn't this what we want? by AtOMiCNebula · · Score: 4, Insightful

      But now, spammers have to invest money in what they're doing. It doesn't matter if it's much or not, but it is something. It's more than what they were paying before, so unless they don't mind cutting into their profit margins, they're going to be affected by this.

      Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.

      What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.

    5. Re:Isn't this what we want? by taustin · · Score: 1

      Most spam comes from spammers who are already registering domains faster than you can possibly add them to a block list.

    6. Re:Isn't this what we want? by Prong · · Score: 3, Insightful
      You are partially correct. It does marginally increase the cost of doing business for spammers, but remember that the major spam houses have the capital to lease major bandwidth, and have for some time. Having to madly swap domains to get is only going to swamp smaller spammers with enough extra cost to kill them. The big boys are going to keep chugging along, and the big boys are the biggest source of spam (obviously).

      What I like about SPF is that as larger ISPs adopt it, I can stop worrying about accidentally filtering their domains just because of the domain name on the From: header. I'm fully aware I'm still going to have to filter, but it's nice to know that "tightvagina@yahoo.com" actually came from an authorized Yahoo mail server. Combine that with any number of rational filtering schemes, and you have a much lower false positive rate, with the bonus being that you didn't have to take the whole message from a sender who fails the SPF check.

    7. Re:Isn't this what we want? by Mark+Bainter · · Score: 0, Redundant
      It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF),

      Wrong. Spammers using SPF just means other people can't use their domains to send spam. It doesn't mean they can't use other people's domains not protected by SPF.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
    8. Re:Isn't this what we want? by pjrc · · Score: 1

      This exact idea... to build a sender reputation system on top of sender authentication, is already being worked upon.

    9. Re:Isn't this what we want? by AtOMiCNebula · · Score: 1

      Well sure, but that problem will lessen as adoption of SPF/SID progresses. Not to mention, once it gets widely adopted (it will, give it time) people will configure their mail filters to flag mail from domains without a SID/SPF entry.

      Just give it time. I agree that this doesn't mean much right now, but we're getting there.

    10. Re:Isn't this what we want? by BasilBrush · · Score: 1

      SPAM works on huge volume/extremely low profit margin. Cost per domain registration soon negatively affects profitability vs generating random spoofed domain names.

    11. Re:Isn't this what we want? by Technonotice_Dom · · Score: 1

      It's actually kind of like PageRank in a way. Depending on the reputation of the linking (or in this case, sponsoring) website, the rank of the website increases (or in this case, the calculated validity of the e-mail).

      In fact, a PageRank type algorithm would probably work very well - you'd need either a central database somewhere, or a P2P network sharing the information.

    12. Re:Isn't this what we want? by Anonymous Coward · · Score: 0

      No we want no spam, which means deciding a criteria that spammers are unlikely to fulfil. (Note sending email is easier than replying to it, especially in bulk).

      Now we need a method for deciding if a new SPF domain is one we want to accept email from.

      As someone who uses challenge/response, I could challenge the first post from a domain. But since challenge response basically deals with the spam problem today, I'm not motivated to make the few lines change to the scripts, and work out the consequences if the first email from a domain is unwanted but later ones are wanted.

      Hmm seem all that effort with SPF could have been side stepped if they had just deployed challenge/response instead - heck Outlook already implements whitelisting, it would have taken MS about a day of coding.... Of course they couldn't patent challenge/response ;)

      Sure SPF is nice to mop up the few remaining malware that uses address books of my correspondents to spread themselves, and bounces of same, but it misses the big target which is the spam itself.

    13. Re:Isn't this what we want? by ion++ · · Score: 1

      no it would not work. The spammers would just link to themselves.

    14. Re:Isn't this what we want? by Technonotice_Dom · · Score: 1

      Yes, but they wouldn't have much reputation to go around unless somebody else who has a good reputation says they trust the spammers, so it wouldn't do much for them (unless somebody with a good reputation went bad). PageRank hands out the reputation that is given to you through links to places you link to.

      Remember, when searching Google, on some searches you will bring up some spammy links, but this is mainly done through keywords, URLs etc, PageRank IMHO is fairly reliable.

  7. Weng and Wong are the same person. by Anonymous Coward · · Score: 4, Informative

    The principal author of SPF is Meng Weng Wong. Just one person. Doofus.

    1. Re:Weng and Wong are the same person. by Anonymous Coward · · Score: 0

      Yes, look at Mong Weng Wang in his full splendour!

    2. Re:Weng and Wong are the same person. by Anonymous Coward · · Score: 0

      The principal author of SPF is Meng Weng Wong. Just one person. Doofus.

      Solly.

    3. Re:Weng and Wong are the same person. by m1kesm1th · · Score: 1

      I thought they looked alike.

    4. Re:Weng and Wong are the same person. by Anonymous Coward · · Score: 0

      Seriously. This is one of the worst article submissions I've seen, right up there with some of Roland's stuff.

    5. Re:Weng and Wong are the same person. by Anonymous Coward · · Score: 0

      But didn't they get the Wong name in the end?

    6. Re:Weng and Wong are the same person. by Anonymous Coward · · Score: 0

      No. but three Wrights do.

  8. Wow by FiReaNGeL · · Score: 2, Insightful

    Spammers are like viruses, they adapt amazingly fast. You thought that this new technology would hinder their 'business', but they turn it to their advantage! Oh look, a valid sender ID... I'll just open this mail, it can't be spam, right? Right?

    Oh well, at least filters are getting VERY good at catching 99% of it.

    1. Re:Wow by erick99 · · Score: 1
      Yes, filters are getting very good. Gmail has excellent filters and a "report spam" button for anything that makes it through. I still get 200+ spam a day but they go into a spam folder. My confidence level in the spam folder, after several months of "training" is very high. As a result, I rarely look at it. I just dump it every few days. The folks who truly do not want spam will use filters. The spammers can trump any other technology thrown at them.

      Cheers,

      Erick

      --
      http://www.busyweather.com/
    2. Re:Wow by Doctor+Crumb · · Score: 1

      The point of SPF is not to whitelist servers that have it. Instead, the purpose is to not trust (and possibly blacklist) servers that don't.

    3. Re:Wow by haruchai · · Score: 1

      of course, what I consider to be the biggest problem with spam still remains: the sheer number of messages which must be accepted and filtered. Does anyone have any idea what the real cost of spam is in terms of dollars, bandwidth and time?

      --
      Pain is merely failure leaving the body
    4. Re:Wow by Desert+Raven · · Score: 2, Informative

      Actually, that's not the point either.

      The point is to not trust mail from domains having SPF records, where the sending server is not listed.

      Whether or not AOL *has* an SPF record is not relevant. What is relevant is that *if* AOL has an SPF record, any mail with an AOL envelope sender should come from a server covered by that SPF listing.

    5. Re:Wow by Technonotice_Dom · · Score: 1

      You don't seem to understand what SPF does...

      It's simply a system to verify that an e-mail purported to come from domainx.com was actually sent through mail servers they've listed in the DNS records for that domain.

      It's nothing to do with spam as such - it'll hopefully be a stop to viruses and spammers from faking sender domains. Instead they'll have to fake it to come from a domain that doesn't have SPF (which hopefully within the near future, there will be very few of), or register their own domain, implement SPF and then be blacklisted.

  9. Understanding SPF by grasshoppa · · Score: 4, Informative

    Understanding SPF as I do, I can't see how anyone expected this to "end the spam problem".

    It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

    But, as is stated, it's completely possible for spammers to keep their dns records updated too.

    Now, if only we could get the whois accurate. ;)

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Understanding SPF by aardvarkjoe · · Score: 3, Informative

      You know, spammers don't just forge the sender for fun. It's an integral part of their methods of staying a step ahead of being shut down. If you can prevent them from doing it, then you make it that much more difficult to spam. (Of course, we haven't reached that point yet.)

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Understanding SPF by moreati · · Score: 3, Interesting
      It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers


      And there in lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much to perform the follow sequence:
      1. I received a Spam message from domainx.com, either:
      (a) sender was a verified user of domainx.com, spf records check out
      (b) no spf, sender likely forged
      In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
      In case (b) if SPF is in widespread use for legitimate mail then the spam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.

      Regards

      Alex
    3. Re:Understanding SPF by Jane_Dozey · · Score: 2, Interesting

      But then the main symptom is probably going to change rather than go away.
      Blocking one form of attack will most likely mean an increase in another, or a new one entirely.
      I doubt very much that SPF will be an end to spam, even if it is widespread.
      People need to be taking away the incentive for spammers to bother. Would _you_ send out millions of emails if you weren't going to make any money?
      This is a social problem, not a technical one.

      --
      Silly rabbit
    4. Re:Understanding SPF by Flower · · Score: 1
      My personal opinion is the spammers are using SPF as a legal tactic. They can try to disavow liability if someone accuses them of sending unwanted spam. "Did it have our SPF data? No? It wasn't us." It makes them seem reasonable and staying on the straight and narrow.

      As to whether that is the actual case....

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    5. Re:Understanding SPF by moreati · · Score: 2, Insightful

      I never claimed SPF will be an end to spam, as long as we have the possibility of unsolicited mail some of that unsolicited mail will be unwanted (spam, malware or other).

      SPF is intended to vastly reduce spam from its current levels. If its use were widespread then all the zombies spewing out mail with forged addresses & all the open relays become much less effective.

      Basically by making From address spoofing much much harder it becomes much easier to identify spammers and stomp on them.

      We can never completely remove the incentive to spam, it's a very extreme example of the Last Mile Problem. There will always be a few morons out of the millions, who pay money for PEN!S 3NL4RGM£NT P!LL5 after receiving a piece of Spam. All we can do is reduce the incentive and increase the costs to the spammers - by identifying then blacklisting, suing, arresting and cluebatting them into the ground.

    6. Re:Understanding SPF by Mark+Bainter · · Score: 1
      It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

      Yeah, IF you got adoption, it would cut down on some viruses. But the few that forge addresses would just adapt to use an email address on the machine in question. Which, in all likelihood, will be a valid one, sent from a valid ip address.

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
    7. Re:Understanding SPF by Anonymous Coward · · Score: 0

      it becomes much to _________________ perform the follow sequence:

      Please insert verb.

    8. Re:Understanding SPF by Anonymous Coward · · Score: 0

      Reasonable point, except that the compromised machine is probably owned by some know-nothing on a cable modem, whereas the ISP mail servers are probably maintained by people who understand rate-limiting, outbound virus scanning, and whose reputation as an ISP depends on their preventing spam from issuing from that server. So yes, I think it will have a considerable effect.

    9. Re:Understanding SPF by grasshoppa · · Score: 1

      In order for the email address to be "valid", under SPF, it'd have to be the mail server for the domain.

      So, the spammer would have to send the spam, in bulk, FROM the user's computer, to their ISPs email server, for forwarding.

      I don't know about you, but my email server is pretty indiscriminate about whose email it checks. Further, and I know I'm not alone in this, I use tarpitting, compiled in, in case my server ever does get rooted.

      SPF is being adopted, because its benefits are obvious. I, for one, would like to stop receiving these huge emails only to find out they're yet another email virus doing the rounds.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    10. Re:Understanding SPF by jez9999 · · Score: 1

      'It becomes much easing to perform the follow sequence:'

      I think you meant 'adjective'.

    11. Re:Understanding SPF by ion++ · · Score: 1

      Won't work, because you would never see the spam and would thus never complain.
      If the SPF check does not validate, you just reject the mail.

    12. Re:Understanding SPF by Flower · · Score: 1

      You're assuming that everyone will do the SPF check.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
  10. Did anyone expect this would reduce spam? by knighten · · Score: 1

    This is certainly what was expected by everyone I've discussed this with!

  11. No one claimed it would end spam by Anonymous Coward · · Score: 3, Insightful

    What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.

  12. But that's not the point of SPF by hypnagogue · · Score: 5, Insightful

    The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.

    In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.

    --
    Liberty you never use is liberty you lose.
    1. Re:But that's not the point of SPF by Anonymous Coward · · Score: 1, Insightful

      this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted

      And we all know how effective blacklists are, right?

      The problem with SPF is that it breaks one of the features of SMTP that makes it useful - the ability to send mail from a different location without having to change your email address. If my employer implemented SPF, I wouldn't be able to send work email from home.

      If blacklists are the ultimate answer, RBLs are much more effective at stopping spam, and they don't break any features of SMTP.

    2. Re:But that's not the point of SPF by eric76 · · Score: 1

      Actually, it doesn't even eliminate spoofing.

      It just limits the domains that the spoofed addresses can originate from.

      That's why I don't like SPF and hope it fails miserably. We need something stronger.

      What I'd like to see is that the SMTP server requires users to authenticate themselves to send e-mail and signs the e-mail to assert that the from e-mail address really is the address of the sender.

      For example, suppose you have an account at example.com, hypnagogue@example.com, and so do I, eric76@example.com.

      With SPF, I can send e-mail with hypnagogue@example.com as the sender address.

      If, on the other hand, I had to authenticate myself as hypnagogue@example.com, it would be much more difficult. I could put hypnagogue@example.com as the sender, but the server would insert a header line identifying eric76@example.com as the real sender and sign it so that the receiver could verify that it really came from that sender.

      Of course, a blacklist would still be necessary.

      A note on blacklists. The usual approach is to blacklist the server. To be really useful with SPF, the blacklist would have to cover the domain without regard to the server involved.

      Consider the following scenario.

      Assume that example.com is owned by a bunch of spammers who have control of many home machines. Assume that 1.2.3.4 and 1.2.3.5 are two such machines. Then the spammers could use 1.2.3.4 on Sunday to spam aol.com and 1.2.3.5 to spam yahoo.com. They could then set their modified DNS server to answer SPF requests from aol.com to identify 1.2.3.4 as the valid SMTP server and they could answer SPF requests from yahoo.com to identify 1.2.3.5 as the valid server.

      So one spammer with a lot of computers could mix them up day by day and it might take a while to get all the IP addresses listed.

      But if you instead blacklisted on the domain name itself, all you would need to blacklist is example.com. It wouldn't matter which computer they used to send the spam.

    3. Re:But that's not the point of SPF by bigberk · · Score: 1
      The point of SPF was not to eliminate spam, but to eliminate spoofing
      That's what I thought too, but the people pushing SPF think otherwise, quoting from their page:
      "What do the customers want? They want to communicate with their friends and family; and they want to not get spam. They do not particularly care if a few eggs are broken along the way."
    4. Re:But that's not the point of SPF by Anonymous Coward · · Score: 0


      For example, suppose you have an account at example.com, hypnagogue@example.com, and so do I, eric76@example.com.

      With SPF, I can send e-mail with hypnagogue@example.com as the sender address.


      No, no, no, no, no. Why are people having such a hard time understanding this?

      You can only send email as hypnagogue@example.com if the example.com SPF settings allow you to do so. If they require you to send mail through the example.com outgoing SMTP server (as all trustworthy domains do), that means you have to authenticate to the satisfaction of that server. If example.com is trustworthy, they'll be using SASL, so you will NOT be able to send it without authentication.

    5. Re:But that's not the point of SPF by Anonymous Coward · · Score: 0
      "The problem with SPF is that it breaks one of the features of SMTP that makes it useful - the ability to send mail from a different location without having to change your email address. If my employer implemented SPF, I wouldn't be able to send work email from home."

      You would! Provided you're still using your company's SMTP server,

      the idea isn't to verify your client IP (since most decently configured SMTP are not open relays) but to verify that an email from yourdomain.com should originate from smtp.yourdomain.com rather than smtp.somespammer.com
    6. Re:But that's not the point of SPF by Directrix1 · · Score: 1

      Ever heard of SMTP AUTH? SPF doesn't break shit.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    7. Re:But that's not the point of SPF by adolf · · Score: 1

      It's not even very valuable as a blacklisting tool.

      All a spammer has to do to side-step your domain-based blacklist is register a new domain.

      And with new domain registrations currently selling for less than $5, that's just a trivial cost of business (and it -is- a business - many of these fuckers actually make money).

      New domains, thrice daily, all with valid SPF, for $15? Were I a spammer, I'd be jumping all over it. Expect software, soon, to automate the process.

      SPF is just a simple authentication mechanism to verify the sender's domain. It, in no way, means that the domain means anything.

      What it -will- help with is killing things like Bagle and Netsky which systematically forge the sender addresses in email. With any bloody luck, this will reduce the number of times I have to hear "Hey, I got this message that says I sent a virus to a guy in Canada that I don't even know!" from people who actually do have up-to-date virus protection.

  13. Unique Internet-user ID by Anonymous Coward · · Score: 0
    Why not?

    License it from your government like a passport.

    It would allow the officials to track down paedophiles, drug-dealers and spammers. No drawbacks, except that if you're living in China you might run into trouble for sending certain kind of e-mails but that's China's internal business (and don't you dare to give me that "let freedom ring"-crap).

  14. Insecure? 'nuff said. by nerd256 · · Score: 0

    despite backing from software giant Microsoft Corp
    ---
    I give all products an objective and just comparison (based on their names)

  15. This surprises anyone? by Anonymous Coward · · Score: 0

    *sigh*

    In theory, when all spammers are forced to publish SPF records, along with all legitimate e-mail senders, it will be easy for legitimate companies to develop e-mail reputations for Internet domains that do and do not send spam, he said.

    So it'll be just like the RBLs we have now, only you won't be able to send work email from home?

    1. Re:This surprises anyone? by beakburke · · Score: 1

      You will be able to send "work email from home" if your company uses SMTP AUTH like it should (or webmail or SMTPS) if your ISP blocks outbound port 25.

      --
      ----- Question authority, but not ours. Hate the man, but we're not him.
    2. Re:This surprises anyone? by chill · · Score: 4, Informative

      So it'll be just like the RBLs we have now, only you won't be able to send work email from home?

      SMTP AUTH over SSL/TLS to your work's mail server and you can send all the work e-mail from home you want.

      Charles

      --
      Learning HOW to think is more important than learning WHAT to think.
  16. SenderID != Spam Solution by Manip · · Score: 3, Insightful

    SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.

    You can not guarantee that an E-Mail originated from the source it said it did.

    Which effectively makes black-lists useless.

    With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.

    I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.

  17. SURBL SPF by DBA_01123 · · Score: 2, Informative

    I have found SURBL - Spam URI Realtime Blocklists to be pretty effective the last while. While everything else is forged and loaded with junk text the actual links back to spammer web pages have to be at least partially valid.

  18. All the more reason... by Mateito · · Score: 2, Funny

    ... to declare open season on spammers.

    "What good is Viagra if you .. have no balls... .. fucker"

    1. Re:All the more reason... by Zocalo · · Score: 1
      "What good is Viagra if you .. have no balls... .. fucker"

      If you've castrated the spammer properly, shouldn't that have been "fuckee" and not "fucker"? ;)

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:All the more reason... by Anonymous Coward · · Score: 0

      "What good is Viagra if you .. have no balls... .. fucker"

      No, no. It's five syllables, then seven, then five. 7-3-2 is completely unharmonious.

    3. Re:All the more reason... by Mateito · · Score: 2, Funny

      > No, no. It's five syllables, then seven, then
      > five. 7-3-2 is completely unharmonious.

      These ads you spam me
      To enhance my sex prowess
      Won't help you, fucker.

    4. Re:All the more reason... by geminidomino · · Score: 1

      If you've castrated the spammer properly, shouldn't that have been "fuckee" and not "fucker"? ;)

      No. Would YOU fuck a spammer, castrated or not? Neither would anyone else. ;)

  19. You need the support of your DNS provider by smartin · · Score: 3, Informative

    I actually tried to set up SPF for my site this morning after reading another /. article. Turns out my DNS provider does not support TXT records and gave no indication of a willingness to do so. If it turns out that SPF and some other combination of technologies will prevent me from getting spam as well as prevent my email address from being spoofed as the From: address on spam sent to others, I guess register.com is about to lose a customer.

    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
    1. Re:You need the support of your DNS provider by Sylver+Dragon · · Score: 1

      Send them a question on it, via the website. If enough of their customers do this, maybe they will make a change. (I am a register.com customer as well, and just sent off a question on it.)

      --
      Necessity is the mother of invention.
      Laziness is the father.
    2. Re:You need the support of your DNS provider by Llanfairpwllgwyngyll · · Score: 1

      Hmm. Sounds more like your "DNS Provider" doesn't support a way for you to put TXT records in place. The actual DNS software itself WILL support TXT records unless it is the world's most bizarre DNS software :-)

      Move your DNS to someone like www.xname.org who support the whole lot, and the service is free (supported by donations)

      This doesn't mean you have to change your REGISTRAR, just where the DNS is delegated to for your domain.

    3. Re:You need the support of your DNS provider by Anonymous Coward · · Score: 0

      A list of SPF-enabled DNS providers and registrars is available here : http://www.spf.idimo.com/

    4. Re:You need the support of your DNS provider by Anonymous Coward · · Score: 0

      There is a list of DNS providers who support TXT records here: spf.idimo.com

    5. Re:You need the support of your DNS provider by taustin · · Score: 0

      Why on earth are you not running your own DNS server? It's not rocket science. Hell, even spammers can (and do) figure it out.

    6. Re:You need the support of your DNS provider by Malc · · Score: 1

      Use Easydns. They've provided an interface for SPF for months. I've used them for 3.5 years and been very happy. Not the cheapest, but very reliable and good customer service.

    7. Re:You need the support of your DNS provider by funky+womble · · Score: 1

      Seconded... Since I have static IP but don't really want lookups being done over DSL, I've been using their secondary-only service, not listing my primary in the gtld-servers or NS records. Secondary is reasonably priced and working very nicely (support for bind notify or web-based reloads) - and of course in this case, as they're just doing a zone-transfer you can have whatever records you like. I used to use their more expensive web-based service which I was happy with too - I'd highly recommend easydns.

    8. Re:You need the support of your DNS provider by tepples · · Score: 1

      That is, unless you have a long-term contract with a web hosting company who requires you to use the web hosting company's DNS.

    9. Re:You need the support of your DNS provider by Anonymous Coward · · Score: 0

      You're an idiot if you signed a long-term contract with a web hosting company which restricts you like that.

    10. Re:You need the support of your DNS provider by JuggleGeek · · Score: 1

      I use justthe.net, and have for some time. Steve has set up SPF records for my domain - I'm sure he would do it for others if you need a new host.

  20. Appearantly, some people missed the point... by Otto · · Score: 4, Insightful

    If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.

    That was the entire point.

    In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.

    There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.

    The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    1. Re:Appearantly, some people missed the point... by realdpk · · Score: 1

      Heh, so when a spammer has a SPF record that states the IP sending the spam (some Chinese proxy) is valid, what will that get us? Proof that they really are sending it from China?

    2. Re:Appearantly, some people missed the point... by taustin · · Score: 2, Interesting

      Spammers already use automated systems to sign up for dozens of domain names at a time, using fake contact info. Nothing can be done about that, because the after life of a spam domain is less than the time it takes to detect the bogus contact info anyway. And the whole thing likely operates through a zombied proxy, making it impossible to track down the real point of origin. Add in a stolen credit card number (spammer would never do something criminal, would they?), and you have a system where adding in SPF records is one extra line of code to the section that adds in the other DNS records.

      SPF will do nothing to stop, or even slow down, spam. And the more people who use SPF to whitelist, the more it will increase spam getting through.

    3. Re:Appearantly, some people missed the point... by Otto · · Score: 1

      Heh, so when a spammer has a SPF record that states the IP sending the spam (some Chinese proxy) is valid, what will that get us? Proof that they really are sending it from China?

      Well, yes, but it's also proof that they really owned the domain that sent the email, because it's the domain's SPF entry that told you it was legit. Which means you can try to track down the owner of that domain.

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    4. Re:Appearantly, some people missed the point... by Mark+Shewmaker · · Score: 1
      Heh, so when a spammer has a SPF record that states the IP sending the spam (some Chinese proxy) is valid, what will that get us? Proof that they really are sending it from China?
      It means that we can look up the domain in a reputation/blacklist server, and reject the message if it's from a known spammer or spamming domain.

      Or we can accept the message if it had been from a reputable company or domain.

      Or we can greylist the message if it's from a new or unproven domain, delaying message acceptance by a few hours, (by that time spamming domains may have gotten into the blocklists.)

      The end result is that new domains that haven't proved themselves yet will have to deal with some greylisting-related delays while they build up their reputations.

      Eventually accreditation providers will probably spring up, vouching for new domains that haven't yet built up a reputation, but who have met the accreditation provider's requirements and have posted some sort of bond. If you trust this accreditation provider, you can use the reputation whitelist he maintains and avoid greylisting his bonded customers.

      If you don't, then you can just still greylist domains you don't yet trust, but who haven't (yet?) proved themselves to be spammy.

      In the end, spammers using SPF is just a great result. It would be like burglars leaving copies of their driver's licenses, or in-person scammers giving you copies of their driver's license, so that you could more easily query for reports from their previous, displeased victims.

      (As a side note, one long-term advantage would be the likely transition from IP-based to domain-based block lists, such that email providers need only protect against forgeries, and cross-customer forgeries, and not be sooo overburdened about possible is-it-or-isn't-it a spamming customer. I personally think it would be fantastic if email service providers could simply provide good technical service, not have to spend so much effort and resources in protecting against possible spammy customers, and yet their spammy customers simply get blocked by everyone anyway without their non-spammy customers getting blocked. I'm hoping that SPF and SenderID checks can eventually make that possible.)

  21. In other news by Dirtside · · Score: 4, Funny
    Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam.
    Wung, on the other hand, claims that a variation of SPF will eventually win the day, while Wing, yet another researcher, believes that any acronym that can be confused with sunscreen will inevitably fail. And someone named "Wang" would like you to know that you can increase your penis size by 20% in just 2 hours!
    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    1. Re:In other news by Anonymous Coward · · Score: 0

      None of this is accurate of course because two W*ngs don't make it right.

    2. Re:In other news by dan_bethe · · Score: 1

      Okay, hold up now, that's just *Wong*!

  22. Good thing too... by haxor.dk · · Score: 1

    ... that there's finally a broad consensus about standards adherence.

    1. Re:Good thing too... by Anonymous Coward · · Score: 0
  23. SPF is an anti-forgery tool, not an anti-spam tool by cas2000 · · Score: 5, Interesting


    SPF doesn't and can't block spam.

    it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.

    in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.

    it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.

  24. It's not meant to stop spam by FattMattP · · Score: 1
    this means that the common dream of SPF or SID clearing up the spam problem wont be coming true.
    Argh! It's not meant to stop spam. It's meant to stop joe-jobs.
    --
    Prevent email address forgery. Publish SPF records for y
  25. What the?! by Gentlewhisper · · Score: 0, Troll

    So that's it??

    Any chance that "Wong", "Weng" and possibly "Wang" and many others are all really one person?

    The department just creates new names to make themselves look big :)

    Then again, I seriously doubt it is meant to fix anything, it is just to create a new intermediary so that we will have to end up paying them.

    Constantly paying and paying, can't run away from it in Corporate Amerika!!

  26. The real solution ... by Anonymous Coward · · Score: 0

    ... to spam is fear. Fear is brought on by threats of imminent bodily injury backed up by action. Chairman Mao was right: Power comes from the barrel of a gun.

    Technological measures have not worked. Legal measures, where they exist, have proved worthless. That leaves the tried-and-true vigilante method.

    If you believe you will get the holy living crap beat out of you for doing something, chances are considerably less that you'll do it. Ask any abused child. Half a dozen broken kneecaps and dislocated hip joints on the bodies of half a dozen well-known spammers just might do a world of good.

    Nothing else does (he says as he dumps his 100,000th spam of the day).

  27. These are only the easy solutions by Dracos · · Score: 1

    The only real way to combat spam is to also stop sites and spammers from selling email addresses to each other. If the spammers don't have their most precious commodity, they can't spam.

  28. Important notice: please update your USBank info! by coyote-san · · Score: 4, Insightful
    There are four separate "spam" problems:
    • Unsolicited but legal mail from a legitimate mail server
    • Unsolicited mail (legal or not) from hijacked systems, open mail relays, etc.
    • Viruses
    • Fraudulent mail

    SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.

    As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phishers' lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss off Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  29. Well, duh by taustin · · Score: 1

    How could anyone possibly have thought SPF would reduce spam in any way?

    No system that is under the technical control (like SPF) will reduce spam, since the spammers will simply comply. In the case of SPF, all they need do is add in a new section to the script they use to automate signing up for dozens of new domain names at a time, to add the SPF records. (These scripts already add in the other DNS records, so this is trivial.)

    And no system that is under the control of someone other than the domain holder will ever be used. (Like the .mail scheme from Spamhaus, where the registrar controls your DNS records.) Only insane people will tolerate that.

    The solution to spam involves dark alleys and cattle prods, not wacky technical solutions that won't do anything.

  30. Thoughts from the peanut gallery by jd · · Score: 1, Insightful
    First, the two quoted experts are Weng and Wong. If somebody posts that they both work at Wang, I am going to scream.


    Second, I'd have thought that it would be obvious that trivial authentication would be useless. It's like using the existence of an X.509 certificate as proof that a site is genuine, notwithstanding that anybody can download a roll-your-own certification program and generate their own.


    Third, it's ironic that corporations (who lose millions, if not billions, to fraud each year) aren't the least bit interested in authentication of any kind, whereas spammers (who probably make a very livable income from fraud) are adopting it in droves.


    This last one is the most bothersome. Many (but by no means all) corporate websites use SSL for credit card info, but that's about it. And even then, usually only the server has a certificate. Client-side authentication is extremely rare.


    Even for business-to-business networking, where you would have thought it very important that both ends of the connection are who they say they are, it's extremely rare to find even the most basic of security measures. IPSec? Kerberos? Nah. I've worked for companies - and even Government agencies - that were quite confident that their .rhosts file would only allow legit users access to their computers.


    It's a sad day, when the only e-mail you can be sure is genuine is the e-mail that's pure crap.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  31. Just goes to show... by Mateito · · Score: 0, Offtopic
    Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam.

    ... that wong was wrong all along. So long.

  32. If you use a chisel as a screwdriver by Flower · · Score: 1

    it's your own damn fault when you cut your finger.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  33. impossible by geoff+lane · · Score: 1

    The only reasonable spam solution is email acceptance rate limits by the major email routers.

    A zombie PC will rapidly move from a low emission of emails to a much more rapid rate. If the upstream email routers rate limit email transmission based on historical information you strangle the spam at source.

    Spam isn't eliminated, but it's seriously limited hopefully to the point where it is unprofitable.

    All other methods do not address the major characteristic of spam, the large number of emails and the very low response rate.

    1. Re:impossible by Anonymous Coward · · Score: 0

      You're an idiot. That "solution" makes mailing lists unusable.

    2. Re:impossible by Anonymous Coward · · Score: 0

      There are no major email routers. 99.99% of email (that I've seen) goes:

      sender's computer -> sender's ISP -> my ISP -> my computer

      The ISPs may have multiple computers in there, but they can basically be considered one entity, since they're not carrying other ISP's mail traffic.

  34. Why all the fuss? by Anonymous Coward · · Score: 0

    Slightly OT perhaps, but for the life of me I don't understand why everyone gets so upset about spam. Don't get me wrong.....I hate having to delete all the spam I get, but it's nothing compared to the physical junk mail I get in my mailbox. I think that's twice as annoying as spam.

    With spam, I select some messages, hit delete, they're gone. With junk mail in my mailbox, I have to haul it from the mailbox to the trashcan, sort through it to make sure nothing is real mail I actually want, and throw it away. It wastes paper, it fills up waste receptacles faster and IMHO, far more annoying than spam.

    Yet it receives far less attention.

  35. SPF working perfectly by NigelJohnstone · · Score: 1

    But that's the point isn't it! It's to stop spammers hiding behind faked addresses. If they publish proper SPF records then the spammer black list catches them.

    If they fake their address to a domain publishing SPF records then the SPF check fails and the message gets flagged for aggressive filtering them.

    Either way they're screwed.

  36. Re:SPF is an anti-forgery tool, not an anti-spam t by joeljkp · · Score: 1, Interesting

    Wait, wait. SPF prevents you from sending an email from one domain with a different @domain.com?

    I have a university e-mail address that ends with @msstate.edu. But I don't live on campus, I live in the surrounding town and so am not on the msstate.edu domain. My SMTP host is nctv.com.

    Right now, I can just set up my mail client to use email_address@msstate.edu and send it through nctv.com. Will SPF prevent me from doing that and force me to use webmail or something equally inconvenient?

    --
    WeRelate.org - wiki-based genealogy
  37. The day after by qucmd · · Score: 1

    Just imagine we manage to kick the spam out of the internet with these temporary fixes, what happens next? I bet we'll get sloppier or disable the filters as they are so effort and time consuming. And then the spam will kick in again.
    Folks. We need a definitive solution, not temporary patches.

  38. Let me explain this by Trailer+Trash · · Score: 2, Informative

    Two of my domains are used in the from address of spams, to the point that I often get thousands of bounces per day. This is the "reward" for years of turning spammers in and getting them tossed from their ISP's.

    These sender id schemes won't stop spam at all. It's easy for a spammer to modify his dns to show the correct records and allow him to send.

    But, here's the thing: HE DOES IT TO HIS OWN DOMAIN. We can then blacklist his domains and force him to keep coming up with new ones. Whack-a-mole, yes, but at least the "moles" aren't at legitimate domains.

    You can complain all you want about how this isn't going to stop spam. Maybe it won't for you, but it will cut down the worthless junk hitting my mail server.

    1. Re:Let me explain this by Anonymous Coward · · Score: 0

      You're an idiot. With Sender ID, the authorities can find out who he is by his domain and hit him with the appropriate penalties. Without Sender ID, tracking down spammers often takes too much effort and makes spam laws almost unenforceable.

    2. Re:Let me explain this by Anonymous Coward · · Score: 0

      No, you're an idiot. Grandparent understands SPF just fine. It means recipients' mail servers will REALIZE that the spams they receive, which claim to be from his domain, are in fact not, and NOT PELT HIS SERVER WITH POINTLESS BOUNCE MESSAGES.

      This isn't about catching spammers.

      This isn't about stopping spam.

      This is to prevent email forgery.

      And that's it.

      Get it?

    3. Re:Let me explain this by Anonymous Coward · · Score: 0

      And you couldn't blacklist his URLs? Why would it be any harder for him to set up new domains for emailing than it is for new domains for URLs?

      Blah blah blah type too fast blah blah blah.

  39. I won't pay $300/year to send mail by Wesley+Felter · · Score: 3, Insightful

    'nuff said.

    1. Re:I won't pay $300/year to send mail by timts · · Score: 1

      well, your company and your ISP will. :D
      you don't have to have your own smtp server anyway.

  40. SPF + Reputation = No Spam by Titusdot+Groan · · Score: 2, Insightful
    SPF was not, by itself, intended to stop spam. It was intended to stop spoofing and phishing (ie. somebody claiming to be from Citi Bank asking you to update your info).

    However, once SPF is adopted it allows several things:

    1. Whitelisting of well known domains that use spf (eg. ge.com, ibm.com, etc)
    2. Blacklisting of well known spammers who use spf (ie. workable rbls)
    3. More aggressive spam content filtering of everybody who isn't using SPF -- after all you've whitelisted a LOT of the important people already.

    I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.

    1. Re:SPF + Reputation = No Spam by catenos · · Score: 1

      More aggressive spam content filtering of everybody who isn't using SPF -- after all you've whitelisted a LOT of the important people already.

      And the cool thing with tools like Spamassassin[1] is, that their method to generate scores (via genetic algorithm) will automatically adapt to how effective a spam indicator SPF has become. So the risk that the filtering could be too aggressive is very low, as long as one uses sound tools.

      In fact, it won't be one score, but several, like:
      - SPF used and valid
      - SPF used and invalid
      - SPF not used
      - SPF check failed (i.e. DNS down or something)

      The funny thing is, if SPF is adopted by spammers more rapidly than by legitimate users, it could even be that a valid SPF entry is considered a low, but significant spam indicator for a while (until adoption gets better). :-)

      [1] And yes, it looks like they support SPF, they only don't support Microsoft's Sender-ID.

      --
      Keep an eye on which arguments are silently dropped in replies. Not always, but often times it's very telling.
    2. Re:SPF + Reputation = No Spam by KjetilK · · Score: 1

      I'd like to see something like FOAF used for whitelisting. I posted a SA bug about it, and then there's things like Trust and Reputation in Web Based Social Networks. I think this looks like a workable approach.

      --
      Employee of Inrupt, Project Release Manager and Community Manager for Solid
  41. Re:SPF is an anti-forgery tool, not an anti-spam t by QuickFox · · Score: 1

    to complain that it doesn't do a job it was never designed to do is just absurd.

    Wrong. To complain that it doesn't do a job it was never designed to do is just Slashdot.

    --
    Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
  42. switch DNS providers by mattdm · · Score: 1

    I had my couple of domains at register.com which increasingly sucked. This was the last straw, and I finally switched over to pairnic and I've been much happier. Although I haven't gotten around to setting up SPF yet, they *do* let you set arbitrary TXT records.

  43. First comes the sender verification by NoMercy · · Score: 1

    Then comes the blacklist of senders, so spammers can't send emails as joe@microsoft.com and instead have to send emails as joe@viagra4less.com and then you can just block viagra4less.com :)

  44. Fake contact info... by Otto · · Score: 1

    I admit that a spammer signing up for domains using zombied proxies and fake contact info is going to make it difficult to track 'em down that way. But you really have to take on one problem at a time, here.

    You might consider bitching at the registrars and the system that allows somebody to buy a domain name with fake, unverified information and stolen credit cards. Something really should be done about that as well, don't you think?

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  45. The SPF faq on Throwaway domains. by nlinecomputers · · Score: 2, Interesting
    From the SPF objections page at http://spf.pobox.com/objections.html

    Throwaway Domains

    (From John Levine:) Or spammers can register throwaway domains of their own, since burning an $8 domain for a 10 million message spam run isn't much of a deterrent.

    Throwaway domains can be listed in sender blacklists which respond in real time to automated discovery methods.

    SPF needs to work in hand with reputation schemes.

    There are many possibilities. The reputation scheme most familiar to people is the DNSBL, which blacklists IP addresses. RHSBLs are the analogue for domain names. A number of them are listed at the bottom of Blacklists Compared.

    % dnsip yahoo.com.spamdomains.blackholes.easynet.nl

    % dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
    127.0.0.2
    %

    Greylisting is another approach. It is elegantly simple, but it has three disadvantages.

    1. People don't like to have to wait for real mail. After a while your users will say, "why is mail from my mom always getting delayed by an hour?" and you'll have to whitelist all your users' moms.
    2. You need to do custom whitelisting for entire domains, because Yahoo Groups does not respect transient failure errors --- it treats them as permanent.
    3. It is trivial for spammers to get around greylisting, because spammers don't actually queue messages; everything's just an entry in a database. Spammers aren't stupid. They can just repeat the run. Until they figure this out, greylisting will work.

    Some suggest that reputation schemes would eventually be a lot like credit rating agencies: they don't say "yes, approve this loan"; instead they tell you what an individual's credit risk is, and it's up to the bank to decide.

    Similarly a reputation service would provide a spam vs total ratio: (numbers are made up)

    domain: yahoo.com
    born: 199501
    total: 4.3E12 messages
    spam: 1.2E3 messages
    ratio: 2.8E-10

    domain: superspammer.net
    born: 200303
    total: 6.3E7 messages
    spam: 3.4E7 messages
    ratio: 0.53

    Of course those numbers would have to be based on SPF-verified domains. There would be three types of domains--- SPF, "best-guess-match", and non-SPF publishers. "Best-guess-match" means the domain would have passed SPF tests if it had declared "a mx ptr" mechanisms. But that's a small detail.

    Any major ISP could track these stats pretty easily and build their own reputation system. Or non-ISP organizations like Cloudmark could too. I expect The Internet will come up with a good, free one that's built right into MTAs like Postfix and Sendmail.

    The algo would work something like this:

    If the sender domain is known to the reputation system, we can make the decision based on local policy. (Local to the domain, or even to the individual user.)

    If we don't have a lot of data on the sender domain, (eg. maybe the domain hasn't been around very long) we can do greylisting for the first pass; if our reputation service has good response times, we can expect it to have an answer ready the second time the sender tries. Or we can accept the mail but content-filter it, then report the results to a reputation system.

    Obviously we need to introduce expiry and all that other stuff, but that's the basic idea.

    And it would become an accepted social standard that if your domain hasn't been on the Internet very long, you wouldn't expect your mail to get through to people right away.

    There's lots of research going on in the reputation systems space. It doesn't seem to be a fundamentally hard problem.

    Basically you end up only accepting mail from known trusted domains. If you are just starting a domain then your mail may be held up or even bounced by some users. Just as new car drivers get higher insurance so can new email domains have to pay in boun

    --
    Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
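The decision flow quoted in the post above (SPF result first, then a per-domain reputation lookup, with greylisting for domains that have little history), as an added example that is not part of the FAQ or of any SPF implementation. The records, reputation numbers, thresholds and action names are constructed assumptions, and the SPF evaluator is narrowed to the `ip4`, `ip6` and `all` mechanisms so that it runs without DNS.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (documentation IP ranges).
SPF_RECORDS = {
    "yahoo.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "superspammer.net": "v=spf1 ip4:198.51.100.7 -all",
    "newshop.example": "v=spf1 ip4:203.0.113.0/28 ~all",
}

# Constructed reputation data; the first two rows reuse the post's made-up numbers.
REPUTATION = {
    "yahoo.com": {"total": 4.3e12, "spam": 1.2e3},
    "superspammer.net": {"total": 6.3e7, "spam": 3.4e7},
    "newshop.example": {"total": 40, "spam": 0},
}

MIN_SAMPLES = 1000      # assumed local policy: below this, the domain is "unknown"
MAX_SPAM_RATIO = 0.05   # assumed local policy: above this, refuse the mail

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the domain's SPF record against the connecting IP address."""
    terms = SPF_RECORDS.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # domain publishes no SPF policy
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0])
        mech = term[1:] if result else term
        result = result or "pass"           # a missing qualifier means "+"
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed record
            if addr in net:                 # False when IP versions differ
                return result
            continue
        # a, mx, ptr, include, redirect need DNS; outside this narrowed sketch.
        return "permerror"
    return "neutral"                        # no mechanism matched


def decide(domain, client_ip, retry=False):
    """Return (action, reason) for one delivery attempt."""
    spf = spf_check(domain, client_ip)
    if spf == "fail":
        return ("reject", "IP not authorized by the domain's SPF record")
    if spf != "pass":
        # Reputation is keyed on SPF-verified domains only, so without a
        # pass there is no trustworthy identity to look up.
        return ("accept-and-filter", "SPF %s: no verified sender domain" % spf)
    rep = REPUTATION.get(domain)
    if rep is None or rep["total"] < MIN_SAMPLES:
        if not retry:
            return ("tempfail", "unknown domain: greylisted on first attempt")
        return ("accept-and-filter", "unknown domain: filter, then report result")
    ratio = rep["spam"] / rep["total"]
    if ratio > MAX_SPAM_RATIO:
        return ("reject", "verified domain with spam ratio %.2g" % ratio)
    return ("accept", "verified domain with spam ratio %.2g" % ratio)


if __name__ == "__main__":
    for args in [("yahoo.com", "192.0.2.10"), ("yahoo.com", "198.51.100.7"),
                 ("superspammer.net", "198.51.100.7"),
                 ("newshop.example", "203.0.113.5")]:
        print(args, "->", decide(*args))
```

A spammer's throwaway domain passes SPF here and is still refused, because the pass only pins the mail to a domain whose record can then be judged.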
  46. One thing Usenet has taught me... by Anonymous Coward · · Score: 0

    People who expect the Internet to be place of order will die unhappy.

  47. SPF not an effective anti-joe-job tool by 0x0d0a · · Score: 1

    SPF is not an effective anti-joe-job mechanism either. I have posted analysis (very negative) of SPF's anti-spam and anti-joe-job capabilities to Slashdot before.

    The reason SPF isn't good at anti-joe-jobbing is that there is no trusted map for users between a domain name and a company identity. If I send an email from @boa-international.com or @bankofamerica.banknetwork.com, end users won't consider the fact that it doesn't come from @bankofamerica.com. SPF is fundamentally tied to domain names. Furthermore, SPF has only domain-level granularity, which means that the larger the company, the weaker the anti-joe-job factor. It just takes compromising one computer anywhere at Ford to be able to send trusted "Ford official customer service" email.

    SPF is (a) not a good anti-spam mechanism, and (b) not a good anti-joe-job mechanism. It is a very weak and fairly broken authentication scheme. It lacks trust management (despite the fact that the SPF people admit the need for trust network management). There are known attacks on SPF that will beat it, like the fact that it rides on an easily spoofable protocol (DNS) and does not attempt to establish a secure connection on top of it.

    I'm not saying that PGP is ideal, but it could be used to provide a foundation to build a strong, effective anti-spam mechanism that doesn't suffer from SPF's flaws.

    Note that Microsoft's Sender ID largely suffers from the same problems as SPF.

    Yahoo's Domain Keys is actually somewhat better built (provides for a more sane delegation of mail server authority, and so forth), but still is a fairly inflexible and ineffective system.

    Designing secure systems is very hard, no matter *how* good at it you think you are. It took a *long* time to get SSL reasonably mature and free of attacks. Throwing out a system like PGP which *is* mature, well-tested, well-built, flexible, and in favor of something new hacked up is really not a very wise decision.

    That doesn't mean that we should just take PGP and whitelist people that you know (knowing that someone's identity is correctly associated with their email address is a different thing than knowing whether they won't spam you), but if there are flags like "authorized to authorize people as legitimate email parties", non-boolean trust metrics ("I trust this person .5, he trusts this person .1, so I trust the second person .05, which is above my threshold of .001"), and some form of feedback mechanism ("This person spammed me so I trust not only him not at all, but the person that trusted him less") you have major benefits -- you have carry-over reputation ("Linus just got a new email address, but it's endorsed by his old email address") and the like. Furthermore, you can have a "company postmaster" PGP key, which is used to sign keys of employees at a company, so when a large company opens a business relationship with that company, it just has their own postmaster (which their local users trust) sign the key of the other postmaster.
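The non-boolean trust metric and feedback rule described in the comment above, as an added example that is not the commenter's code or any PGP tool's API. It assumes every endorsement has already been checked as a valid signature; the key names, weights and the 0.5 penalty are constructed.

```python
import heapq


class TrustGraph:
    """Endorsements between keys, with multiplicative trust along a chain."""

    def __init__(self):
        self.edges = {}    # signer -> {signee: weight in [0, 1]}
        self.factor = {}   # key -> local multiplier set by my own spam reports

    def endorse(self, signer, signee, weight):
        if not 0.0 <= weight <= 1.0:
            raise ValueError("trust weight must be between 0 and 1")
        self.edges.setdefault(signer, {})[signee] = weight

    def trust(self, me, target):
        """Best product of weights over any endorsement chain me -> target."""
        best = {me: 1.0}
        heap = [(-1.0, me)]
        while heap:
            neg, node = heapq.heappop(heap)
            score = -neg
            if node == target:
                return score
            if score < best.get(node, 0.0):
                continue                     # stale heap entry
            for nxt, weight in self.edges.get(node, {}).items():
                cand = score * weight * self.factor.get(nxt, 1.0)
                if cand > best.get(nxt, 0.0):
                    best[nxt] = cand
                    heapq.heappush(heap, (-cand, nxt))
        return 0.0                           # no chain of endorsements

    def report_spam(self, spammer, penalty=0.5):
        """Feedback: zero the spammer, and trust his endorsers less."""
        self.factor[spammer] = 0.0
        for signer, signees in self.edges.items():
            if spammer in signees:
                self.factor[signer] = self.factor.get(signer, 1.0) * penalty


def build_sample():
    """Constructed sample web of trust covering the cases in the comment."""
    g = TrustGraph()
    g.endorse("me", "alice", 0.5)
    g.endorse("alice", "bob", 0.1)           # .5 * .1 = .05
    g.endorse("alice", "carol", 0.8)
    g.endorse("me", "linus_old", 0.9)
    g.endorse("linus_old", "linus_new", 1.0)  # carry-over to a new address
    g.endorse("me", "our_postmaster", 1.0)
    g.endorse("our_postmaster", "partner_postmaster", 0.9)
    g.endorse("partner_postmaster", "partner_employee", 0.9)
    return g


THRESHOLD = 0.001   # the acceptance threshold used in the comment


def accept(graph, me, sender):
    return graph.trust(me, sender) >= THRESHOLD


if __name__ == "__main__":
    g = build_sample()
    for who in ("bob", "linus_new", "partner_employee", "stranger"):
        print(who, g.trust("me", who), accept(g, "me", who))
    g.report_spam("bob")
    print("after report:", g.trust("me", "bob"), g.trust("me", "carol"))
```

Because every multiplier is at most 1, the best chain can be found with a shortest-path style search, and a spam report lowers everything reachable only through the endorser.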

    1. Re:SPF not an effective anti-joe-job tool by Anonymous Coward · · Score: 0

      SPF is fine for preventing joe-jobs, this is exactly what it was designed for and not to stop spam, prevent phishing attempts or cure user stupidity. If you come up with anything valid, let us know.

  48. So what if they are? by Anonymous Coward · · Score: 0

    spamassassin/trunk/rules/50_scores.cf says it all right here:

    #
    # SPF
    # Note that the benefit for a valid SPF record is deliberately minimal; it's
    # likely that more spammers would quickly move to setting valid SPF records
    # otherwise. The penalties for an *incorrect* record, however, are large. ;)
    #
    ifplugin Mail::SpamAssassin::Plugin::SPF
    score SPF_PASS -0.001
    score SPF_FAIL 0 0.000 0 0.875
    score SPF_SOFTFAIL 0.500 0.842 0.500 0.500
    score SPF_HELO_PASS -0.001
    score SPF_HELO_FAIL 0 0.405 0 0.001
    score SPF_HELO_SOFTFAIL 0 1.002 0 3.140
    endif # Mail::SpamAssassin::Plugin::SPF

    Sendmail doesn't give points for giving a hostname that resolves. However, it rejects the connection when the hostname doesn't resolve. Same thing here.

  49. Re:Important notice: please update your USBank inf by The+Blue+Meanie · · Score: 1

    law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do.

    And you might actually lose that bet. I received a "phishing" spam allegedly from CitiBank, and when I tried to send it on to spoof@, abuse@, and postmaster@, I got three very curt, very automated replies informing me that "an email you sent to us was blocked from being delivered because it appeared to be spam". Well, no shit, you geniuses. At that point I decided that I'll simply delete any further CitiBank "phishing" scams I get, and CitiBank can go pound sand. Good thing I'm not (and won't ever be) a customer of theirs.

    --
    "I feel that if a person can't communicate, the very least he can do is to shut up." -- Tom Lehrer
  50. all about the porn by dirvish · · Score: 1

    Porn is always at the cutting edge of every media. Quite a bit of the spam is for porn so it is no surprise to see spammers adopt a standard before most everyone else.

  51. Re:Ironic Internet-user ID by Anonymous Coward · · Score: 0

    Posted as AC! I love it.

  52. Re:SPF is an anti-forgery tool, not an anti-spam t by ahodgson · · Score: 1

    That's up to the DNS admins of msstate.edu. Their domain, their sender policy. SPF merely allows them to express it in a way that remote MTA's can parse and check.

  53. Misunderstood Reasoning by Akai · · Score: 1

    The power of SPF is not in its ability to authenticate senders, but in a domain owner's ability to specify who is allowed to send mail from their domain.

    If you accept without question mail from SPF verified senders, you're just asking for trouble. There's not and has never been anything in the SPF standard that recommends this practice.

    However, If you reject mail based on the SPF records of the sending domain, you can make a difference. If ticketmaster.com does not want mail sent from anything but their mail servers, then by rejecting all ticketmaster mail from other servers, you are reducing spam with forged headers.

    It is not possible for a spammer using a domain owned by somebody else to "fake" the SPF records, since they are contained in the zone file for the domain itself.

    --
    Please send all UCE to scally@devolution.com so I can f
    1. Re:Misunderstood Reasoning by Anonymous Coward · · Score: 0

      Be careful. I think you've missed one of the important (albeit subtle) aspects of SPF. SPF attempts to make a domain take ownership for the email it generates. This does not imply that an email message which has a 'from' address domain that is different from the sender's domain is somehow "forged".

      There are many cases where one may choose to use a server from another domain to relay messages from a particular email address (think mailing lists, forwarders, etc.) Hence the differentiation between the sender, resender (used by SPF) and from (displayed historically by MUA's) roles in the various proposals.

      If SPF is adopted by the majority of domains, its greatest power lies in the ability to make reliable blacklists.

  54. SPF ignorance is rampant by drwho · · Score: 4, Informative

    The number of idiotic posts here is just another example of the declining clue of slashdot users. SPF is an attempt to prevent email forgery. Lots of spam is forged, in an attempt to get by filters. More serious trouble is caused by various 'fishing' schemes, trying to get your bank account/credit card numbers by appearing to be from PayPal, etc. SPF will address the forgery of host & domain names. It does not address the problem of forged user IDs (though this is less of a problem than you may think, if the domain is legit). It does not address the idea of unwanted mail.

    Anyone with clue can see this is another tool in the toolbox. Each piece of incoming mail is ranked with a score indicating its probability of being spam. SPF, whitelists, bayesian filters, being in html, coming from china, etc affect the score. There's no magic bullet to stop spam.

    Anyone who has spent time as a systems admin of a mail server, should know this.

    1. Re:SPF ignorance is rampant by WuphonsReach · · Score: 1

      The number of idiotic posts here is just another example of the declining clue of slashdot users.

      Preach on (because I've given up).

      The *only* reason I care about SPF is that it allows me to publish a single piece of information that says, "all mail from our domain comes from A.B.C.D IP addresses". Which keeps me from having to register my mail servers with every large ISP who uses a whitelist.

      Unfortunately, the folks at SPF seem determined to sell this as an anti-spam tool or try to extend it to include user authentication or "sender reputation schemes". It's anti-domain forgery, nothing more, nothing less.

      Now we have SenderID, which is the bastard child of SPF+Microsoft, patent encumbered, FoSS-hostile, etc.

      (Worse, RMX-type systems have been under discussion for 12-18 months now... and we barely have working implementations.)

      --
      Wolde you bothe eate your cake, and have your cake?
  55. Re:SPF is an anti-forgery tool, not an anti-spam t by wmshub · · Score: 1

    There's a solution (which I use for my domain): msstate.edu's mail servers need to turn on authentication (hopefully with SSL), and allow your mail to be relayed if it is authenticated.

    Then tell your mail client to route all mail through smtp.msstate.edu (or whatever their SMTP server is running on), and presto! The outside world will see mail come from an SPF-authorized msstate.edu mail relay, with an @msstate.edu sender.

    Now, if msstate.edu turns on SPF and *doesn't* turn on something like this, then right, you're screwed. But in that case, it's because SPF isn't being set up properly, it's not because SPF is inherently broken.

  56. You won't stop it! by dustinbarbour · · Score: 1

    Spam is here to stay. You cannot stop it. I've been an avid user of email and the Internet for years now and ya' know how much spam I get in my mailbox? 4 or 5 messages per day. And these only blink in my inbox as Thunderbird (or Outlook with SpamBayes) quickly relegate my spam to my junk folder. Every email that ends up in my inbox is legitimate email that I want to receive. And even if it's not, one click and it's gone and my filter just got smarter.

    Yes, this doesn't cut down on the congestion on the internet, but as a free and public network, you cannot hope to contain it.

    Also, be sure to practice smart internet usage. Have throw-away email accounts, only supply your email when it is absolutely necessary to do so.. Don't be willy-nilly about it all and you'll be just fine!

  57. damnit! by mefus · · Score: 1

    already taken.

    --
    mefus
    In Open Society, GPL Software frees YOU!
  58. Good grief. by Anonymous Coward · · Score: 0

    Please read about SPF and then get back to us. It has nothing to do with corporate america.

  59. Agreed by Darkman,+Walkin+Dude · · Score: 1

    But on the whole, technical solutions are just treating the symptoms. There is only one, and one only way to remove spam, and that is to make it illegal. It's a DDOS on an essential communication medium; so put the Patriot act to some good use and have it labelled "terrorism", the very same as if some group hijacked a TV station.

    Having done that, follow the money trail, which should lead directly to the spammers and their (often unsuspecting) clients. They have to store the money in a bank account somewhere. If that bank wants to keep doing business with or in the USA or Europe, they will freeze and seize, and spam goes from a relatively low effort marketing scheme to a very unprofitable criminal act.

    Yes there will still be spam, but the nature of the web means that everything can be tracked. Email especially. And please forget whitelists and blacklists, I'm not answering to some self appointed body as to the validity of my emails.

  60. SPF by burtonator · · Score: 1


    Spammer Promoted First :)

  61. SPF is step one (we knew this already) by DreadSpoon · · Score: 2, Informative

    SPF is only the first step. Its purpose is to authenticate that the sender is who they claim to be. Nothing more.

    This primarily helps in two ways: first, it helps fight off certain kinds of social attacks. E-Mail can't claim to be from your bank; if it does, the MUA would display a big warning box stating the mail appears to be forged.

    Second, it guarantees that people can't spam or send viruses using your domain name. The spammers have to (just as the article says) identify who they are; they can't claim to be someone else.

    So no, obviously, that doesn't stop spam. It might block certain kinds of (soon to be obsolete) spam. You no longer have to blacklist all of aol.com, for example, since only real AOL users could send mail from @aol.com if we all used SPF.

    This does, however, make it possible to do *MUCH* more accurate RTBL (Real Time Block Lists). The spammers have to identify themselves; once you have their identity, block all their mail. You got spam from @spammer.com? Block spammer.com. The guy at spammer.com can't pretend to be anyone else, so you've got him successfully blocked. Sure, he can register multiple domains, but with a good RTBL that isn't too much of a problem. Good RTBL already block most of the registered spammers - SPF makes their job easier since all spammers will be identifiable.

    Mix SPF with a RTBL service and you *will* see a massive drop in spam. Over 80% of all incoming connections to my mail server are now blocked; most of the stuff that does get through is legit (lots of large mailing lists and traffic).

  62. private postage by Doc+Ruby · · Score: 1

    We need a micropayment scheme for email. Friends in your contacts list (whitelist) send for free, unknowns get autocharged a minimum (like $0.01), blacklisted spammers get charged more (like $5.00). Putting the payment into the authentication transaction between servers will let us continue to use the same client software, with upgrades only to servers run by admins.

    That system will discourage spammers, who get us to pay for their abuse, but would have to pay more than their low-yield spams are worth, across thousands of targets. And it will also establish an infrastructure for simple ecommerce. We can turn the debacle of spam into a triumph of distributed postage.

    --

    --
    make install -not war

    1. Re:private postage by Anonymous Coward · · Score: 0

      Sounds great. What central authority is going to administer the micropayment system?

    2. Re:private postage by Doc+Ruby · · Score: 1

      Many micropayment protocols don't require a central authority - that's why I said "distributed postage" in my post. While I don't have a spec to paste into this little Slashdot textarea, I'd recommend that ISPs accumulate microcharges at their mailservers, and transact them all at once, periodically, amortizing the transaction fee across all the charges. Just handling the money could amount to a nice business in interest, plus the subscription fee. That would all scale nicely, and if accounted against other ISP charges, would lower the frequency and size of transactions, as payments cancel charges before they even leave the ISP accounting system. That model sets the payment system to be scaled, redundant, and distributed, reflecting the email system to which it's attached.

      --
      make install -not war

    3. Re:private postage by pe1chl · · Score: 1

      Micropayments do not need to involve money.
      That avoids a lot of complications and legal stuff.

      Solutions have been proposed to create stamps that require some computer power to make, but are easy to verify. Someone wanting to send a mail message can easily spend 10-60 seconds of CPU power on that (e.g. while it is being typed) but a spammer will not be able to afford that.
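The "stamp" idea in the reply above (costly to make, cheap to check), as an added example in the style of hashcash; it is not code from the thread or from any mail system. The stamp layout `v1:bits:date:recipient:counter`, the function names and the difficulty values are assumptions made for this sketch.

```python
import hashlib
from datetime import date, datetime


def leading_zero_bits(digest):
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient, day, bits):
    """Sender side: search for a counter whose stamp hashes to `bits` zeros.

    Expected cost is about 2**bits hash computations per recipient.
    Recipient addresses containing ':' are not supported by this layout.
    """
    prefix = "v1:%d:%s:%s:" % (bits, day.strftime("%Y%m%d"), recipient)
    counter = 0
    while True:
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, recipient, today, seen, min_bits=20, max_age_days=2):
    """Receiver side: one hash plus a few cheap checks.

    `seen` is the receiver's set of already-used stamps; without it one
    stamp could be replayed on every message.
    """
    parts = stamp.split(":")
    if len(parts) != 5 or parts[0] != "v1":
        return False
    try:
        bits = int(parts[1])
        day = datetime.strptime(parts[2], "%Y%m%d").date()
    except ValueError:
        return False
    if bits < min_bits:                      # sender chose too little work
        return False
    if parts[3] != recipient:                # minted for somebody else
        return False
    if abs((today - day).days) > max_age_days:
        return False                         # stale or post-dated stamp
    digest = hashlib.sha256(stamp.encode()).digest()
    if leading_zero_bits(digest) < bits:     # claimed work was not done
        return False
    if stamp in seen:                        # replay of a used stamp
        return False
    seen.add(stamp)
    return True


if __name__ == "__main__":
    today = date(2004, 9, 1)                 # constructed date
    seen = set()
    stamp = mint("bob@example.org", today, 16)
    print(stamp)
    print("first use:", verify(stamp, "bob@example.org", today, seen, min_bits=16))
    print("replay:   ", verify(stamp, "bob@example.org", today, seen, min_bits=16))
```

Binding the stamp to the recipient and the date is what makes the cost scale with the number of recipients instead of being paid once.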

    4. Re:private postage by Doc+Ruby · · Score: 1

      Spammer virus worms now routinely take over millions of computers across the Internet for a parallel mail relay network. Why shouldn't their lucrative, unethical trade move to massively parallel processing on that network to generate these "expensive" messages at our expense, rather than theirs? "My" solution plugs into the existing economy, and even integrates the equivalent of legal "fines" into spamming, if they want to pay to play.

      Spammers are picking a societal lock. There is no way to really lock them out - it's an NP-complete problem, like any arms race. We're faced with the choice of evolving, or wallowing in the muck we've got now. I'd rather march along a path of progress, usefully harnessing the spam pressure to select a new Internet messaging platform that's both better email, and better commerce, while leaving the viruses, worms and spam behind. That sounds a lot better than throwing a lot of extra computing cycles out the window, especially when they're mine.

      --
      make install -not war

    5. Re:private postage by pe1chl · · Score: 1

      >Why shouldn't their lucrative, unethical trade move to massively parallel processing on that network to generate these "expensive" messages at our expense, rather than theirs?

      What do you mean 'our' expense? I do not count the virus infected PCs of clueless users as 'my' expense, and I would rather like to see that the individual home user gets heavily punished by having a spam relay on their machine (by performance problems). A system with micropayments would probably have the same problem, but it would cost those users real money. Is that your better alternative?

      >We're faced with the choice of evolving, or wallowing in the muck we've got now.

      It has been like that for nearly a decade, and the Internet mail community has hardly made any moves towards a new mailsystem. I mean a really new mailsystem, not some blocklist or sender ID add-on to the existing broken system.

      My real fear is that Microsoft will come up with such a system, will take 99% of the users with it like they did with Internet Explorer, and then lock out all opensource, free software, competing OS manufacturers etc from the world's e-mail system.

    6. Re:private postage by Doc+Ruby · · Score: 1

      Spammer viruses running on my machine are at my expense. Crypto tokens taking CPU on my machine, as a limit to spammer scale, are at my expense. So is a white/grey/blacklist, but it's minimal, and offers a distributed eCommerce platform. I'm no different from anyone else; we're all looking at some higher expense to adapt to the untrustworthy environment of the mass Internet.

      I'd like to turn the same tables as European banks in the Middle Ages. When unsafe travel to Jerusalem became popular for appreciable numbers of pilgrims, the Knights Templar invented travellers checks, grafted onto their nascent postal service. The European economy scaled up on that innovation, and the other supporting infrastructure that followed its success. We're just arriving at that stage of sophistication on the global Internet.

      I'd rather we go for a distributed, flexible system than wait for the equivalent of armored cars. An open protocol extension optionally extending ESMTP will grow the familiar scalable system, adding security and payment, without requiring a risky, expensive upgrade. If composed by integrating existing apps and protocols, it will survive not just spam, but also Microsoft.

      --
      make install -not war

  63. SID is supposed to be the caller ID of email? by Guspaz · · Score: 1

    If SID is supposed to be the Caller ID of email, then isn't spammers adopting it a GOOD thing? Doesn't that mean that somebody can create a list of the SIDs of spammers, providing a super-effective spam filter for a mail server that only accepts SID identified mail?

  64. Not so surprising by Introspective · · Score: 1

    That's not so surprising really. At best, SPF and other technical solutions can buy us some time while the spammers catch up, but they aren't the silver-bullet that their designers make them out to be. Even the RBLs and Bayesian filters only go so far to cure the problem. Such systems only buy us time - in this case maybe 6 months or up to a year, as the spammers catch up to the technology and find ways to avoid it. Bear in mind that these people are very well-funded and therefore highly motivated.

    With the abundance of "always-on" network connections, and the insecurity of those systems always connected, it's still easy to generate and send huge quantities of spam.

    1. Re:Not so surprising by Anonymous Coward · · Score: 0

      SPF specifically helps with unsecured always-on home machines, since trusted mail servers (which the spammers must forward thru or the messages will be ignored) are likely to be a lot more secure!

  65. Almost agree with ya... by Anonymous Coward · · Score: 0

    Second, it guarantees that people can't spam or send viruses using your domain name. The spammers have to (just as the article says) identify who they are; they can't claim to be someone else.

    To pick nits: actually they can claim to be someone else--they just can't claim to be you. :)

  66. Patent encumbered by cheros · · Score: 1

    Yes, I agree that something must be done. No, I don't agree that should be an argument to allow submarine patents to become a fundamental part of the core Net infrastructure - that will go a big step to creating the exact have/have not divide we've been trying to prevent. The same problem exists with payments - how are you going to make sure such a payment does not encumber nations with low GDP from sending normal messages?

    And no, I don't have any answers either other than RBL + greylisting seems to be a start, together with Vipul's Razor concepts.

    BTW, I've seen some people proclaim that spam is not a problem because they only receive a few a day. I have to suffer some extreme cluelessness in the IS department in my company who send back a message "Potential spam" - nicely confirming an address is live. And believe me, that's helping. The spammers, that is: since the idea my spam count has gone up from 95 to a good 150 or so. Sigh. Believe me, at that rate it most certainly is a problem, especially on a Windows platform with Outlook and Exchange, even with SpamBayes installed and well trained.

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  67. Re:SPF is an anti-forgery tool, not an anti-spam t by Anonymous Coward · · Score: 0

    to complain that it doesn't do a job it was never designed to do is just absurd.

    It is not absurd to complain as a "we told you so" to the pro-SPF faction that would go on and on here about how fucking great SPF was. Every single time there was a discussion of spam on /. the pro-SPF people were doing the "just" thing:
    If everyone would just adopt SPF the world would sparkle like a shiny new dime and spammer will be a thing of the past.
    The anti-SPF people (I believe 0x0d0a had some eloquent anti-SPF tracts here) were the ones in the past who would point out that SPF wasn't designed to stop spam, not the pro-SPF people - so they can't have it both ways.

    I say we ban the "just [do simple thing X to solve massive non-trivial problem Y]" form from all discussions and ban SPF from any anti-spam discussions in the future.
    That would solve the problem for both sides - the pro-SPF forces couldn't yabber on about SPF when everyone is trying to find real solutions and the anti-SPF forces wouldn't be accused of saying bad untrue things about what SPF doesn't do that it wasn't supposed to do.

  68. Not surprised by Anders+Andersson · · Score: 1

    Who could have imagined, spammers actually adapting their methods to what recent developments in technology allow them to do? Wasn't the idea that every legit user should upgrade their e-mail software to something new, leaving spammers to pound sand..?

    I'm not at all impressed by statements that SPF or whatever is just one of many changes needed before we will get rid of junk e-mail. Give us the whole plan at once and let us scrutinize it in detail before deciding whether to employ it; don't hint at a potentially infinite number of steps, disclosed one by one, that need to be taken (each step at substantial cost to the Internet community) before we will eventually reach non-spam nirvana.

    Sender Permitted From: It breaks forwarding, we can work around that by rewriting sender addresses at each MTA, but regular users can still send e-mail, and so can the spammers.

    Accept only digitally signed messages: We make it really easy to send signed mail, so that not even your grandmother will be left out. Don't worry about the spammers getting a free ride off your labour by using the same tools; they have learned to sign their ads before you start filtering out unsigned messages.

    Replace SMTP: Sure, but with what; CMTP (Complex Mail Transfer Protocol)? Will it allow the transmission of mail? Then it will allow the transmission of junk mail, too.

    Have the sender pay CPU time for each message: Granted, this probably will cut down on the amount of mail you get, in particular from the vast majority of poor senders out there. Those who have a business incentive to invest in computing power, or won't hesitate to steal CPU time from others, won't suffer as much, but they constitute a minority, just like the spammers do. Remember, it's just one small step towards... something.

    Require that no mail must contain the word "viagra" (or any other word in an arbitrarily defined dictionary): Care to put that in an RFC, so that we can have also the MUA refuse to send a message with banned content? I guess spammers will be happy to use precisely those banned words, in order not to have their mail delivered to anybody.

    In short, you can add as many components to your junk mail prevention system as you like, but it's not going to get you one bit closer to your goal, unless you focus on what really distinguishes unwanted mail from wanted mail, and invent a mechanism for automatically telling the two apart. Any other step will be a pointless distraction, as it merely begs to be circumvented.

    1. Re:Not surprised by mengwong · · Score: 1

      I don't know about what other people think, but my take (as of this week, at least) on what the future of email might look like can be found at http://spf.pobox.com/aspen/email-future-1.pdf

      cheers
      meng

    2. Re:Not surprised by Anders+Andersson · · Score: 1

      Nice chart, but it's not very specific. In particular, I'm concerned about "an abuse reporting standard". Deploying any sort of standard in this area requires ISP cooperation, and I haven't seen much of that. As a complainant, I expect useful feedback from the ISP (Was it one of your users? What was done about it?) on every complaint, or I won't send any complaints at all. Why should I spend my time watching over someone else's customers, when I'm not even told whether my reports are read?

      They ought to pay their own watchdogs, and leave me out of it (and sending me an autoreply with detailed instructions for how to send a complaint to their abuse desk, in response to me having just sent a complaint to their abuse desk, is plain rude).

      And, sending a complaint to the ISP controlling the offending IP address in no way requires the envelope sender address to be authenticated by SPF or any other means. Authentication is nice, but botching forwarding in the process isn't a good compromise to me.

  69. It does reduce spam. by FooAtWFU · · Score: 1
    SPF does reduce spam. So long as one message with a fake From: address is blocked, it has reduced spam. I can attest that I've gotten a significant reduction in spam from my three-person, two-letter domain name since I put up a simple SPF filter. Furthermore, there is no possible way that you could construe implementing SPF as increasing spam, unless you have a rather incompetent mail setup.

    SPF does not, however, eliminate spam. Sorry.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  70. This is well-known by suwain_2 · · Score: 2, Insightful

    The reason? Spammers are able to publish their own records, too.

    From the moment SPF was implemented, people knew that this could happen. SPF doesn't aim to stop spam outright, it aims to HELP stop spam.

    First off, if SPF is used, it cuts out 'joe jobs.' I can't send you mail purporting to be from Yahoo through a mass mailer on my desktop, because SPF will catch it.

    I see two issues with spam:
    a.) Annoying commercial advertisements
    b.) The above, sent fraudulently

    SPF helps to cut out the second. If spammers send me spam, but do it from their own domain, it's still not hard to block them.

    No one (that knew what they were talking about) ever claimed that SPF was a cure-all for spam. All it aimed to do was make spammers stop forging their addresses. And it sounds like it's succeeding.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  71. You don't even know what a joe-job is... by Anonymous Coward · · Score: 0

    Do you even know what a joe-job is? Look it up, SPF prevents joe-jobs because a joe-job is where you spoof the domain. Spoofing a domain that looks like another domain is not, by definition, a joe-job, you fucking idiot. If my domain is lastname.com and spammers start sending email with a spoofed envelope that says "lastname.com" anybody who is SPF aware will just discard the message.

    http://www.joes.com/

    1. Re:You don't even know what a joe-job is... by Anonymous Coward · · Score: 0

      Do you even know what effective is?

      There are so many scenarios for email it is mind boggling and using the simplest case to "prove" your system works and then saying "don't do that" or "just have [person you have no authority over] change this and that to make it work the SPF way]" is what got SPF so polarized in the first place -

      People who think about the complex cases are the ones who don't like SPF, the executive summary is lots of work for very little gain and break a bunch of stuff that ran well in the process.

  72. Re:SPF is an anti-forgery tool, not an anti-spam t by uid8472 · · Score: 1

    Or you can have your SMTP envelope sender be whatever@my-ip-provider.net, but set the From: header to me@somewhere.edu; or, failing that, there's still the Reply-To: header.

  73. And not all "spam" really is spam by Anonymous Coward · · Score: 0

    I guarantee you that a lot of the emails being identified as "spam" by the filter is marketing content that quite possibly is of interest to the intended recipient.

    A lot of companies send email that looks something like spam but which probably isn't. Looking like spam while not being so is easy - just send solicited marketing email. (Spam filters identify spam by the fact that it looks like someone is trying to sell you something.) If you're in that position, then being identifiable is good - it helps people create working blacklists or whitelists, and you think that you'll be on the whitelists.

    In fact this early in the adoption curve I'd suspect that virtually all of this "5% of spam" comes from at least somewhat legitimate companies trying to get whitelisted. After all anyone who doesn't see themselves as legitimate has no reason to try to identify themselves. Why make yourself an easy blacklisting target? By contrast people who see themselves as sending clearly legitimate marketing email have every reason to take any steps which help Yahoo etc whitelist you.

    In fact legitimate emailers actively want everyone to be identifiable. The easier it is for you to filter out obvious garbage, then the more likely it is that you won't filter overly aggressively and drop stuff that you asked for and presumably want. Things like your Amazon.com invoices. Balance statements at PayPal. The product review newsletter that you signed up for.

    Disclaimer: I work for a company that is in exactly this position. Here is a summary of the business. People sign up with us to search for apartments. (We do not buy or sell email addresses. In fact doing so would be business suicide because we would immediately be identified as spammers and rightly get blocked. In addition the programmers would all quit.) If you find one through us, then the landlord owes us a finder's fee, and we owe you $100. Both of us want you to find an apartment. To help you, we'll send you emails with lists of properties based on searches that you did on our site in the hope that you'll find a home.

    We know from experience that those targeted emails find a lot of people places to live. Therefore we want them to get through. Judging from the feedback that we get, the people who sign up generally do as well. Unfortunately the spam filters in the way can't tell whether the email is wanted - all that they can see is that there are phrases which look like marketing and therefore it looks like spam. But if we make ourselves identifiable and work with ISPs, the feedback that they get from their customers tells them that we're really not spam after all. And then we can get through those filters.

  74. "just block domain names"?! by cbreaker · · Score: 2, Insightful

    There's... ohh, you know. An unlimited amount of domain names you can have. Spammer sends out a few spam "campaigns" and simply changes domain names, SPF and all.

    It won't help anything. Many of them will use stolen credit cards, or register under other false information, register 300 domains, and use them until they are blocked. Then move on.

    So the problem of scanning each and every e-mail for spammishness will still prevail.

    --
    - It's not the Macs I hate. It's Digg users. -
    1. Re:"just block domain names"?! by BasilBrush · · Score: 1

      Number of domains spammer can use with proper SPF record < Number of domains spammer is spoofing now. Therefore, learning anti-spam techniques benefit from more redundancy in spam.

    2. Re:"just block domain names"?! by JuggleGeek · · Score: 1
      Spammers who want to keep registering new domains, set up SPF records, and spam using those until they end up on blocklists, then repeat, at least have more out of pocket costs. That's a good thing.

      Spammers who stop forging other peoples domains is a good thing.

      I added SPF records for my domain recently. Before that, I had been receiving 30-40 bounces every day due to spammers forging my domain name. Within a few days of publishing the SPF records, those bounces stopped coming in. Since then, I've gotten a few (no more than 2 or 3) a day on some days, and none on others. Compared to the 30-40 a day average before, that looks like an improvement. My guess is that some of the spammers have software that checks for SPF records. They don't want to forge my domain and have an SPF check (which several of the larger ISP's use) block the mail due to their obvious forgery.

      SPF isn't going to stop spam cold. It wasn't designed to do so, and the people who designed and promoted it never claimed that it would.

      That doesn't mean that, as you say, it won't help anything.

    3. Re:"just block domain names"?! by cbreaker · · Score: 1

      I didn't say SPF wouldn't help anything - in the context of the thread I thought it was pretty clear that I meant "Blocking domains" wouldn't help anything.

      Sure, it would be nice if everyone used SPF - and it seems to be the trend so that's good - so spammers stop spoofing the sender's domain name. But really, that's just about the only good thing to come out of SPF.

      Maybe it will cost spammers a few extra bucks but they could easily pass the $20 domain registration fee onto the people buying into these spam "campaigns."

      --
      - It's not the Macs I hate. It's Digg users. -
  75. Thin the herd out. by khasim · · Score: 1

    "Having to madly swap domains to get is only going to swamp smaller spammers with enough extra cost to kill them."

    Great! Fewer spammers is a Good Thing (TM).

    There isn't any single solution to spam. But different solutions will whittle the big problem down, bit by bit.

  76. web form + graphical authentication by bootedcat · · Score: 0

    That is what I think the already very good approach. I don't think antispam research very useful or needed (those NLP/statistical shit).

  77. How many zombies to kill a T-1? by khasim · · Score: 1

    Your method is too brittle.

    Suppose you work at a company. YOU might be perfect, but SOMEONE is going to make a mistake. And over time, more people make mistakes. They end up on spammer's lists.

    I don't care about how efficient your client filters are. The messages STILL need to arrive and they STILL take up bandwidth.

    Given enough spammers, the T-1 my company has will be flooded. This will become a DDoS via eMail.

    You're looking at the problem for your single-user perspective. I'm looking at the problem from the network administrator's perspective. I see the bandwidth lost from spam. I see the disk space consumed. I have to put in additional hardware just to handle it.

    Spam will be around as long as it is profitable enough for the low-lifes.

    SPF is the first step in reducing the profit from spam.

    It will not stop spam, but it will kill some of their practices.

  78. You don't understand SPF by Anonymous Coward · · Score: 0

    It's not a replacement for RBLs, lusr. RTFM!

  79. No, It's not by DreadSpoon · · Score: 1

    SPF is not patent encumbered. Sender-ID is, but you'll notice I wasn't referring to SID. I highly dislike Sender-ID for quite a few reasons, not the least of which is the patent issue.

    1. Re:No, It's not by Anonymous Coward · · Score: 0

      WTF? Have they not officially become the same thing?
      Have not pobox.communists been assimilated?

  80. Pattern recognition. by khasim · · Score: 1

    "The spammers have to identify themselves; once you have their identity, block all their mail. You got spam from @spammer.com? Block spammer.com. The guy at spammer.com can't pretend to be anyone else, so you've got him successfully blocked. Sure, he can register multiple domains, but with a good RTBL that isn't too much of a problem."

    The next step would be to match those domains with IP addresses.

    You'll see the pattern emerge of which ISP's are "spam friendly".

  81. The only way to stop spam is so simple by humankind · · Score: 1

    We need SMTP whitelisting. It is the ONLY way. The SPF scheme kinda-sorta-maybe promised this idea in a mellow way that didn't seem invasive, but like all the other ineffective anti-spam measures, it has proven to be useless.

    We need a responsible central authority to maintain an authorized SMTP relay whitelist - "outbound mail server licenses" per se.

    This is the ONLY way. Mark my words. No other solution will EVER work. Anything that comes close is basically a veiled attempt at SMTP whitelisting.

    If you want to send e-mail on the Internet, you need to be "licensed". A central authority determines the standards by which you are allowed to be "whitelisted" - other systems on the net can choose to use or not use the RBL/RWL. I for one, would use such a system if it were responsibly maintained.

    This is so easy to set up. Take all the DUL IP space and instantly blacklist it, then blacklist based on reports, and then start to require "relay licensing" before you can be whitelisted. It WILL HAPPEN eventually. The question is, how bad do things have to get before this is adopted. It's not a question of "if" but "when". There is NO OTHER WAY. Not a single method has proven more reliable than using relay blacklists. Right now, 95% of spam can be reliably blocked without wasting bandwidth by using RBLs. A whitelist would be even more efficient. I challenge anyone to show me any better way to control spam. There is none.

    For those of you reading this that don't understand the mail system, you need to understand one important thing. The spam problem could have been solved years ago. There is a very simple technical/organizational solution. Lobby your ISPs to adopt relay whitelisting and this problem will be gone. The only other method involves getting law enforcement to enforce the laws that spammers break, but I think it's easier for the industry to implement whitelisting than to try to get politicians to enforce the laws.

    1. Re:The only way to stop spam is so simple by Anonymous Coward · · Score: 0

      We need a responsible central authority to...

      I hear from some people that came by my house that Christ is coming back soon, so maybe he can do it. But other than him, who would you suggest?

      As a matter of fact is there a "responsible central authority" for anything from anywhere? (Other than SkyNet (tm, and we mean tm or you're terminated) and/or the Matrix?

      All central authorities are made up of monkeys, monkeys can be bribed or have a bad day or want to throw feces at someone because they looked at them wrong - to control and audit that group of monkeys you need an infinite chain of imperfect groups of monkeys.

    2. Re:The only way to stop spam is so simple by mengwong · · Score: 1

      Folks should look into http://rating.cloudmark.com/ as one example of the kind of reputation service discussed at http://spf.pobox.com/aspen.html

      cheers
      meng

  82. It will help large ISPs by Anonymous Coward · · Score: 0

    Quarantine emails from domains that you've had little email from for more detailed analysis.

    It makes getting a new domain started harder, but kills the problem of "drive by domains" if you have a large sample of emails to start with. There are other ways to organize whitelists for smaller domains to use.

    But the principle remains. Even thinking about this is useless until people use SPF or the equivalent.

    1. Re:It will help large ISPs by cbreaker · · Score: 1

      That would be a lot more work - I work for a company that receives about 80,000 spam a day or more. And since we're a company that serves many, many thousands of businesses across the world and work with many thousands more, we can't just quarantine messages from domains we don't receive many from.

      Sure, if your spam scanner has a scoring system like Spamassassin, you could simply score "untrusted" domains a little higher - but tools like Spamassassin already have an auto-whitelist that should take care of that automatically.

      --
      - It's not the Macs I hate. It's Digg users. -
  83. Want to know what works? Look at who Spammers hate by humankind · · Score: 3, Interesting

    If you want to know what method works, look at what Spammers are doing. Look at which systems (i.e. osirisoft, spamcop, spamhaus) the spammers are attacking. They are almost exclusively launching attacks at the relay blacklists. This is because this is the one method by which they are SHUT DOWN. Forget legislation. Forget all the other efforts. RBLs work. The next generation is to go from relay blacklisting, to relay-whitelisting.

  84. SPF is redundant and unneeded. Use IP and DNS. by iamcf13 · · Score: 1
    If everybody on the internet stopped running 'hidden' SMTP mailservers and logged them properly with the DNS system, spam would effectively disappear from the internet. By only talking with fellow DNS-verified SMTP servers, you eliminate the bulk of email spam and malware that is spewed by (usually) 'compromised Windows boxen' and the 'chickenboner' blasting out spam from a stolen/throwaway dialup account.

    After that, to block, tag, and/or delete the remaining spam would require a comprehensive, multifaceted approach such as the one I came up with.

    I am 'eating my own dog food' and using my own software to filter out the junk sent to me at iamcf13@hotpop.com Recently, I got a reminder notice from a website I did business with quite a while back. I got the email because it contained no 'spammy' content. You see, spammers need 'spammy content' to hawk their wares--by filtering with that criteria in mind, it becomes (almost) impossible for spammers to communicate (and computer crackers to spread their malware). The ease of use and the connectivity of the internet via email is taken away from spammers. They can still spam but it will be effectively pointless as it is too inconvenient to 'decode' URLs and email addresses and type them into webbrowsers and email clients for further use--the ultimate aim of email spam laden with HTML, quoted printable content, %s, $s, numbers, URLs, and email addresses. As an added bonus, the computer crackers are silenced by filtering all malware out that come in the form of email attachments, or hostile HTML presented to HTML-aware email clients. By doing this, the spread of malware by email is minimized.

    Since this post could be ultimately construed as spam, I offer these closing words:


    Good ideas are not adopted automatically. They must be driven into practice with courageous patience.
    -- Admiral Hyman G. Rickover


    Perhaps the greatest compliment paid to Admiral Rickover is the U. S. Navy submarine that bears his name
  85. Impersonating trusted sources and big mail servers by billstewart · · Score: 1
    Joe jobs are one problem SPF helps with, but it's not just to prevent spammers from impersonating people they want to annoy. One of the biggest markets for it is big free and cheap mail services like aol and yahoo mail wanting to block forged mail from pretending to be from their site, so they can reduce complaints and reduce the extent to which people discard mail from their real customers.

    It's also to prevent them from impersonating well-known senders who might be whitelisted (e.g. Dave Farber's list, Declan McCullagh, Dogbert's New Ruling Class, other popular email newsletters), and to make it hard for phishers to send scam mail pretending to be your bank, etc. Whitelisting is a fairly necessary component of any spam filtering system, and if spammers can forge popularly whitelisted addresses, they'll get more mail through to potential suckers.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  86. Big spammers have higher profit margins by billstewart · · Score: 1
    Some spam comes from little spammers who buy spamware kits thinking they'll M4K3 M0N3Y F4$$T! and it doesn't matter if they make a profit or not - the extra $6 setup cost isn't going to deter most of them, though maybe a few, and if the $6 lower profit discourages one of them, well there's another sucker born every minute. Most spam comes from big spammers who are making higher profit margins. Either way, it's much less than the sales price of one bottle of Herbal Fake Vi@gra.

    Somebody else pointed out that spammers are already buying lots of domain names - this just means that the services that are serving the domain herbalfakeviagra1324234.com need to add another couple of records to the DNS record, which is zero effort for the big spammers.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Big spammers have higher profit margins by BasilBrush · · Score: 1

      Define "lots". 1 per day? 10 per day? 100 per day? 1000 per day? They are sending hundreds of thousands or millions of spams per day, each with a potentially unique spoofed address. They cannot use as many different SPFed domain names as they can use spoofed domain names. If they did, they'd be paying $6 per email, and be volume limited by the DNS registration process rather than by bandwidth.

    2. Re:Big spammers have higher profit margins by JuggleGeek · · Score: 1

      If everyone listened to you, nobody would bother to try and fight spam. You seem to believe that since we can't perfectly stop it, we shouldn't try. You are, however, an idiot, so I doubt that many people will listen to you.

    3. Re:Big spammers have higher profit margins by billstewart · · Score: 1

      Different spammers have different techniques. Using nonexistent domain names is really easy to detect, and anybody who's checking SPF is probably also checking this one. (You just look them up in DNS, and if DNS says they don't exist, reject them - one of the many big problems with Verisign's Sitefinder hijack was that it broke this spam rejection technique.) At the very least, anybody who's not even checking if domain names exist is almost certainly not checking if the domain name has SPF records attached to it.

      --

      Bill Stewart
      New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  87. You've got it backwards - it's non-impersonation by billstewart · · Score: 1
    SPF never pretended that it would make spammers identify themselves, much less include their True Name, Driver's License Number, Cell Phone, Credit History, or up-to-date ICBM address. You've apparently missed the point, and haven't RTFFAQs.

    What SPF does is let real people identify themselves in a way that makes it harder for the spammer to impersonate them. You can make sure that anybody who gets mail claiming to be from Otto@Ottosdomain.com can tell that it really came from you, not from some spammer impersonating you, which reduces the amount of complaints you'd get about the million-email spam run that went out with your name on it and reduces the number of people who received that message because you're in their whitelist.

    If SPF or some Son-of-SPF becomes sufficiently widespread that lots of people start rejecting mail from non-SPF-advertising domains, then lots of spammers will start using it - but lots of spammers already get domain names, and just because mail appears to have legitimately originated from herbal-fake-viagra-21343214.biz doesn't make it any easier to track down, unless the spammer is stupider than usual.

    The main way it makes it easier to track down spammers is that spammers who use free email services like yahoo and hotmail or cheap dial services like AOL will have to start using those services' mail-sending capabilities, which makes it easier for the services to throttle the amount of spam that goes out with their name on it, and easier to shut down abusers of free accounts quickly. But there are plenty of cheap email providers in China who aren't bothered if foreigners get annoyed as long as the spammers pay in advance, and lots of people with virus-infected PCs who could find the spam going out with _their_ names on it and their SPF verifying that it really came from their IP address.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  88. You've got it wrong by Anonymous Coward · · Score: 0

    SPF itself was *NEVER* intended to stop spam.

    SPF was intended to allow a mailserver to validate that the domain a mail was coming from was coming from a server under the control of, or authorized by the domain owner.

    If a mail claims to be 'from' hotmail.com, but *ISN'T* coming from a server that hotmail.com says is legit for such mail to be coming from, you can safely reject it.

    SPF's usefulness in combating spam comes from forcing spammers to use their own domains, and to make blocking a specific domain from sending you mail useful again.

    It's not a magic bullet. It's just one tool. Yes, spammers can just register more domains. More that costs them money, which reduces the profitability of their spam, if only by a small amount.

  89. Meng Weng Wong's pobox.com does this. by billstewart · · Score: 1
    Meng is one of the proprietors of pobox.com, a mail service that lets you have an email address that forwards to whatever your current email address is (whether that's a dial ISP, or cable, or work, or school, or freenet, or freebie email, or whatever.) The business started a decade or so ago in a dorm room, and it's let me keep the same email address in spite of changing ISPs a few times. They also offer POP/IMAP mailboxes now, and they do a lot of spam filtering.

    If you have a pobox.com account, and want to send mail as username@pobox.com, you can connect to their SMTP server using SASL or other secure login mechanism, and it'll go out from there. I don't think they're currently using SPF to _prevent_ you from sending pobox.com mail from other IP addresses (or if they are, nobody's checking it, or nobody's sending me bouncegrams.) I have my current version of Eudora configured to be able to send mail out through pobox.com, but I also sometimes send it from my work email servers if I'm VPNed into work, or sometimes through another ISP I use for another email address.

    It's possible to configure Eudora, and maybe other email clients, to use a different SMTP server based on which username you send mail from, so if I'm sending mail from joe.example@pobox.com, it'll use pobox's server, and if I'm sending mail from joe.example@my-dsl-provider.net , it'll send mail from my DSL provider's SMTP server (though I almost never use that email address except for mail to the DSL provider themselves, or for test messages.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  90. The "War On Spam" by tepples · · Score: 1

    There is only one, and one only way to remove spam, and that is to make it illegal.

    "There is only one, and one only way to remove drug abuse, and that is to make it illegal." Is the United States government winning the war on some drugs yet?

    1. Re:The "War On Spam" by Darkman,+Walkin+Dude · · Score: 1

      Right, well done. I'll tell you what, when you can move 50lbs of crack via a P2P network, I'll be sure and give you a call. In the meantime, try to read more than just the first line of my post, ha?

  91. You've got your cases wrong by billstewart · · Score: 1
    Let's hit these in reverse order, since your most important point was about phishing, where you were pretty close to correct.


    It can help a bit with the phishing case, because your bank can SPF-protect the domain example-bank.com and let you know that they'll always send email from that domain. That doesn't stop phishers from sending email from example-bank.biz or examp1e-bank.com (notice the number 1 in the name) unless Example Bank also bought that name, but it helps. And it doesn't stop them from sending mail from disposable-domain-1e3w243e2e.biz or BankFraudStoppers.com with a big GIF that points back to somewhere other than your real bank unless the recipient pays attention to the sender's domain name, but it helps. Digital signatures could also help a lot, if anybody used them.

    It won't help much with viruses - if you get mail from your-coworker@your-company.com, SPF will show that it really came from them, even though they sent the REALLY COOL SCREENSAVER by clicking on the attachment rather than typing it in themselves. It may cut down a bit on mail pretending to be from Microsoft Security with an URGENT SECURITY UPDATE - CLICK HERE RIGHT NOW!!! but not so much.

    SPF can prevent you from accepting mail from hijacked machines that fraudulently claims to be from an interesting domain, such as Example-Bank.com or Microsoft.com, or from a freemail system like Yahoo.com. It won't prevent you from accepting mail from hijacked machines that correctly claims to be from a non-interesting domain, like herbal-fake-viagra-2343243214.biz or M1cr0s0ft.com. It also won't prevent you from receiving mail that claims to be from the hijacked system's owner's domain, like spam from one of your coworkers or spam from "(Microsoft Security Update) port-132342134.cable-modem-company.net".

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  92. Re:Want to know what works? Look at who Spammers h by Anonymous Coward · · Score: 0

    No kidding. Using the following 5 DNSBLs absolutely ELIMINATES spam:

    sbl-xbl.spamhaus.org
    bl.spamcop.net
    dnsbl.sorbs.net
    korea.blackholes.us
    list.dsbl.org

    I used to just use spamhaus and dsbl, but recently they started missing a few so I added korea and sorbs. I've had ONE SPAM get through after this, and after looking into it, it would have been caught by spamcop if I was using it. Without the DNSBLs I'd be getting hundreds of spams every day.

    Combine the server-side DNSBLs with a server-side antivirus filter (ClamAV is excellent) and you can forget about needing a statistical filter on the client, because you will get ZERO spams, ZERO viruses. Freaking amazing... Makes me forget that we even have a spam problem until I see some poor sap with 500+ junk mails to sort through every day.

    I can't believe that DNSBLs haven't gotten waaaay more attention. Seems like most of the focus is on bayesian and other statistical filters, which IMO is an ugly, error-prone waste of time.

    Did I mention that there have been zero false positives with the DNSBLs? Granted, a few people who have been running insecure mail servers or who actually share an IP address with a spammer have been blocked, but as soon as they realize that it's *their* fault they're getting blocked, they're usually pretty quick to fix things on their end.

  93. Fixing SMTP is like Fixing Weather by billstewart · · Score: 2, Interesting
    Lots of people rant about how "somebody" ought to redesign SMTP so it's "better", but it's mostly just talk from people who don't have sufficiently clearheaded ideas about how a mail system should be designed to actually do anything useful. Meanwhile, changes like SMTP-over-SSL are getting introduced and fit into SMTP just fine. And SPF seems to be a useful bandaid that fits nicely alongside, because SMTP and DNS were designed by tool-builders rather than monolith-builders like MSMail/Exchange/Outlook.

    The biggest things I've seen that "somebody" needs to fix about SMTP and DNS are 8-bit cleanness, and unfortunately Verisign's trying to add international domain names by radically breaking DNS for web-only use, and Unicode complicates the details of any character set support issues (not that that's a bad thing, it's just exposing the fact that the job is harder than it looks.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  94. When spammers publish, we win by jgardn · · Score: 1

    Now that spammers are publishing SPF, it is going to be so much easier to track them down. At the very least, we will be able to deny accepting their email from the start.

    Now that more and more email is being authenticated, we can start to say, "Ah, this domain claims responsibility for this email." Now that we can attach a responsible party to each email, we can hold them accountable. At the very least, their reputation as a spammer will be well-known. At the very best, their illegal spams will be detected by law enforcement, and the owner of the domain name will be caught. Oh, they don't have accurate records? Well then the registrar is going to be held accountable. Oh, did they use a stolen credit card to buy the domain? Oh, they bought hundreds or even thousands of domains? When they get caught, which they will, they will never see the outside world again.

    This article is pure FUD, and is all wrong. When spammers publish SPF, we have won.

    --
    The radical sect of Islam would either see you dead or "reverted" to Islam.
  95. Fine by me by Sycraft-fu · · Score: 2, Insightful

    Because it can be automated. SPAM filtering software would work as such: If a sufficient amount of messages with valid SPF data from a given domain are marked as SPAM, block the domain from further sending.

    True, this doesn't stop those initial messages, but it gets all the rest and cuts down on the number. One needs not eliminate SPAM entirely, just reduce it to a level where it's unprofitable. If software becomes good to the point that only 1 in 100,000 SPAM messages reach a person, that'll severely cut profits, making it much less attractive.

    Also if the spammers start breaking more laws like using stolen credit cards, it just increases their chances of getting busted. Every time you break the law, it's another chance you get caught. Do it all the time, it becomes almost a sure thing.

    SPAM prosecution is still new and those responsible for prosecuting it still have problems understanding how to go about that really. Credit card fraud is old hat and they are pros. Plenty of people get put away for credit card fraud. Also, usually when you get nailed for something in relation to another crime, they stack everything they can on you.

    It's not a panacea, but SPF sounds like another useful tool.

    1. Re:Fine by me by darkmeridian · · Score: 1

      This automation, if conducted by large ISPs, will really make spam less profitable. Google compares mail from all of its members to figure out which is spam: if it is not a mailing list, and sends roughly the same message to many people, then it is considered spam. And then you get spam reports from your users. So if ISPs did the same thing and shared blacklists, then spammers would have to register a whole bunch of domain names.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:Fine by me by dodobh · · Score: 1

      If the number of successful spam deliveries goes down by a factor of 10, the number of attempted spams sent out goes up by a factor of 10 or more, usually 20 to 50.

      Definitely not fine.

      --
      I can throw myself at the ground, and miss.
    3. Re:Fine by me by cbreaker · · Score: 1

      It's true - the only method of "kill spam by blocking it" that would be effective is one that is 100% effective. Not 99.9%.

      Each year there's better spam protection, and each year there's been huge increases in spam. Doesn't anyone else see a pattern here?

      --
      - It's not the Macs I hate. It's Digg users. -
  96. Especially if people collaborate by Sycraft-fu · · Score: 1

    I mean let's say that the netadmins from major universities get together and decide enough is enough. Spammers are using SPF, and we just have to keep blocking domains. Ok, so we set up a database between all the I2 institutions that tracks SPAM, and distributes a RBL. Because we are research institutions, many public, we publish it too.

    Well, now you SPAM any university using an address that has a valid SPF, your domain is gone instantly from all the others, and anyone else that listens to us. That would be more like a domain every 30 seconds you'd need.

    1. Re:Especially if people collaborate by Technonotice_Dom · · Score: 1
  97. Registrars? by hta · · Score: 1

    Dream on.
    Verisign will sell a domain name to ANYONE. You can't get it yanked for anything connected to behaviour - unless it's selling the domain name to the trademark owner.
    ISPs are the ones with antispam policies.

  98. Some ideas by eVollution · · Score: 1

    There are many people thinking about how to block or avoid receiving spam ... I'm using an antivirus/antispam solution in-a-box called Astaro Security Linux (ASL - www.astaro.com). This solution has a good verification system that everyone should improve ... When an email arrives at the ASL, it can make a lookup for the domain name ... if the domain name exists, it can ask the domain whether the mailbox exists ... However, this technology needs the null-address capabilities turned on in the sender's domain ... It's a good idea too ...

    I think that SPF and SID are good technologies too ... Another solution could be a small dialog between the sender and the destination email server ... When an email arrives at the destination email server, it sends a confirmation message, so the sender must confirm this message ... The problem here is the bandwidth wasted and the increase in hardware resource use ...

    See ya in the Cyberspace ...

  99. Re:Important notice: please update your USBank inf by dodobh · · Score: 1

    Wrong. The only spam problem is Unsolicited Bulk Email.
    There is no such thing as illegitimate email. Any such thing would at most be a syntax error.

    Spam is about consent, not content.

    --
    I can throw myself at the ground, and miss.
  100. Re:SPF is an anti-forgery tool, not an anti-spam t by Anonymous Coward · · Score: 0

    I have a university e-mail address that ends with @msstate.edu. But I don't live on campus, I live in the surrounding town and so am not on the msstate.edu domain. My SMTP host is nctv.com.

    Right now, you're allowed to use the @msstate.edu domain as a favor. The fact that you're able to use that address, sending from any IP on the net is a favor. If @msstate.edu gets tired of all of the craptastic bounce e-mails they get because spammers forge their domain onto e-mails, @msstate.edu may decide to force you to go through their official SMTP servers by publishing an SPF record.

    *Entirely* up to the domain *owner*. If you're just a user of the domain, you need to address all complaints to the domain owner, or buy your own domain. The easiest solution for a domain admin is to set up secure SMTP on port 587 or something where the user has to authenticate using an encrypted session before being allowed to send mail.

    SPF records are just a way to enforce the outbound mail rules that an admin chooses for their domain.

  101. Sender ID looks dead to me by KjetilK · · Score: 1
    Despite being told on /. that MS license is perfectly reasonable and OK, Sender ID looks really dead to me. ASF has rejected it openly already, and today, Debian followed suit. Courier and Exim folks have also been very clear about it, and while I haven't seen Sendmail folks being that explicit, I wonder if the mentioned implementation is going anywhere.

    People have been trying very hard to get MS to understand the issues, but they don't seem to get it, and if they don't turn around soon, Sender ID can be buried.

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  102. And THAT is a benefit to spamassassin by Anonymous Coward · · Score: 0

    Sure, if your spam scanner has a scoring system like Spamassassin, you could simply score "untrusted" domains a little higher- but tools like Spamassassin already have an auto-whitelist that should take care of that automatically.

    Features like "auto-whitelist" have only marginal value when anyone in the world can forge email from that domain. As you make forging harder, it makes the value of that feature go up.

    Which is what SPF does. And I'd expect to see tools like Spamassassin shortly add in knowledge of that fact, and autowhitelist (or autoblacklist) more aggressively for domains with SPF turned on.

    The bottom line is that a large amount of the time you can make decisions based on who is sending you email. SPF helps with any attempt to filter that, either positively or negatively. SPF also lets you trivially filter out a fraction of attempted forgeries. Both of these are good things.

    Complete solution? No. Useful step? Yes.
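
Added example (not from the thread): the automated per-domain blocking proposed in "Fine by me", combined with the point above that sender-based scoring only gains value once forging is harder, as a Python sketch. The thresholds, domain names and report feed are constructed assumptions, and `DomainReputation` is a hypothetical name.

```python
from collections import defaultdict


class DomainReputation:
    """Spam-report counters per sender domain, fed only by SPF-pass mail."""

    def __init__(self, min_messages=20, spam_ratio=0.8):
        # Assumed thresholds; a real deployment would tune these.
        self.min_messages = min_messages
        self.spam_ratio = spam_ratio
        self.seen = defaultdict(int)
        self.spam = defaultdict(int)

    def record(self, domain, spf_result, marked_spam):
        """Count one message. Returns False if it was ignored."""
        if spf_result != "pass":
            # The domain is unverified, so the report says nothing about
            # its owner; counting it would let forgers get a victim blocked.
            return False
        domain = domain.lower()
        self.seen[domain] += 1
        if marked_spam:
            self.spam[domain] += 1
        return True

    def is_blocked(self, domain):
        """Block once enough authenticated mail has been seen and most is spam."""
        domain = domain.lower()
        seen = self.seen.get(domain, 0)
        if seen < self.min_messages:
            return False
        return self.spam.get(domain, 0) / seen >= self.spam_ratio


def replay_constructed_feed():
    """Replay a constructed feed of (domain, SPF result, user marked spam)."""
    rep = DomainReputation()
    feed = (
        # Throwaway domain with its own valid SPF record: all spam.
        [("herbal-pills-0001.example", "pass", True)] * 25
        # Forged mail claiming a bank's domain fails SPF and is ignored here.
        + [("example-bank.com", "fail", True)] * 1000
        # The bank's real mail passes SPF and is rarely reported.
        + [("example-bank.com", "pass", False)] * 30
        + [("example-bank.com", "pass", True)] * 1
        # A busy list with a few unhappy subscribers stays under the ratio.
        + [("lists.example.org", "pass", False)] * 45
        + [("lists.example.org", "pass", True)] * 5
    )
    for domain, spf_result, marked_spam in feed:
        rep.record(domain, spf_result, marked_spam)
    return rep


if __name__ == "__main__":
    rep = replay_constructed_feed()
    for name in ("herbal-pills-0001.example", "example-bank.com", "lists.example.org"):
        print(name, "blocked" if rep.is_blocked(name) else "not blocked")
```
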

  103. A New Hope by hostyle · · Score: 0

    There's something wrong with all the replies to this /. article. Everyone seems to know exactly what SPF is and isn't. Has everyone suddenly started to RTFA? Is this the start of something? SlashDot: A New Hope!

    --
    Caesar si viveret, ad remum dareris.
  104. Show me the money! by jerunamuck · · Score: 1
    SID or SPF or SMTP are not designed to eliminate spam. Nor should they be!! When I lived in Washington State I had access to a state law that allowed me to bill spammers for up to $300 per incident for unsolicited email. When I took the time to bill the company being advertised (regardless of who sent the email) I stopped getting spam! True, I never collected a dime but then I really didn't want the money. I was amazed how fast the spam stopped. Within two weeks my daily count of unsolicited email went from >250 to <10. Within a month it was 0 and stayed there until almost a year after I moved to Massachusetts.

    What if you could collect $5.00 from your ISP for every message you flagged as SPAM because they billed the advertiser $10.00? "Honey, we got the check from AOL... they're only sending us $45.00 this month!"

    On the other hand, if you really want to block email based on the SID then just flag all messages with valid SIDs as spam.

  105. Troll. by billstewart · · Score: 1
    RTFA, eh?

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  106. All the virii are going to have SPF by sanjay_arora · · Score: 1

    Many of the virii look up smtp settings in the mail, when they look up the address book for possible friends to visit ;-)

    So all we are going to see is the virii inheriting the user SPF record. All we are going to achieve is being able to bust ass of the lamers if we take legal recourse. Just imagining the cost and the uselessness is a nightmare.

  107. so .. would that IM2000 system work? (better?) by Anonymous Coward · · Score: 0

    followed through from someone's link to http://spf.pobox.com/objections.htm,
    I read about the IM2000 stuff @ http://homepages.tesco.net./~J.deBoynePollard/Proposals/IM2000/

    sounds tres sexy? I wonder if it would work?
    somebody wanna rip it to shreds for our amusement (and further learning of course)...