Spammers Are Early Adopters of SPF Standard
nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem wont be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."
I once had a signature.
Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.
The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this is enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.
In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.
Liberty you never use is liberty you lose.
SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.
You can not guarantee that an E-Mail originated from the source it said it did.
Which effectively makes black-lists useless.
With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.
I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.
If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.
That was the entire point.
In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.
There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.
The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
How would you change it?
Why can't these changes be integrated into SMTP-as-we-know-it?
It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.
Breaking Into the Industry - A development log about starting a game studio.
SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.
As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phisher's lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss of Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
'nuff said.