Slashdot Mirror
Spammers Are Early Adopters of SPF Standard
nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem wont be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."
All we need to do is block emails from anyone using SPF or SID.
I once had a signature.
need sun protection
Idiot. The point of Sender ID systems is to make it easy to track down spammers and enforce spam laws. Sender ID isn't meant to stop spam like spam filters or sender payment schemes but make laws enforcable.
Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
The principal author of SPF is Meng Weng Wong. Just one person. Doofus.
Spammers are like viruses, they adapt amazingly fast. You thought that this new technology would hinder their 'business', but they turn it to their advantage! Oh look, a valid sender ID... i'll just open this mail, it can't be spam, right? Right?
Oh well, at least filters are getting VERY good at catching 99% of it.
Eureka Science News - automatically updated
Understanding SPF as I do, I can't see how any one expected this "end the spam problem".
;)
It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.
But, as is stated, it's completely possible for spammers to keep their dns records updated too.
Now, if only we could get the whois accurate.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.
The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this is enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.
In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.
Liberty you never use is liberty you lose.
A more reasonable change would be SMTP-TLS, employing a policy of using authorized certificates like the secure websites. This protocol is already there, but it's the wide adoption that is the problem.
I once had a signature.
SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.
You can not guarantee that an E-Mail originated from the source it said it did.
Which effectively makes black-lists useless.
With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.
I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.
I have found SURBL - Spam URI Realtime Blocklists to be pretty effective the last while. While everything else is forged and loaded with junk text the actual links back to spammer web pages have to be at least partially valid.
... to declare open season on spammers.
.. have no balls... .. fucker"
"What good is Viagra if you
Norman Cook's Ode to Sl
I actually tried to set up SPF for my site this morning after reading another /. article. Turns out my DNS provider does not support TXT records and gave no indication of a willingness to do so. If it turns out that SPF and some other combination of technologies will prevent me from getting spam as well as prevent my email adress from being spoofed as the From: address on spam sent to others, i guess register.com is about to lose a customer.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.
That was the entire point.
In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.
There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.
The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
SPF doesn't and can't block spam.
it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.
in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.
it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.
How would you change it?
Why can't these changes be integrated into SMTP-as-we-know-it?
It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.
Breaking Into the Industry - A development log about starting a game studio.
SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.
As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phisher's lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss of Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
So it'll be just like the RBLs we have now, only you won't be able to send work email from home?
SMTP AUTH over SSL/TLS to your work's mail server and you can send all the work e-mail from home you want.
Charles
Learning HOW to think is more important than learning WHAT to think.
Two of my domains are used in the from address of spams, to the point that I often get thousands of bounces per day. This is the "reward" for years of turning spammers in and getting them tossed from their ISP's.
These sender id schemes won't stop spam at all. It's easy for a spammer to modify his dns to show the correct records and allow him to send.
But, here's the thing: HE DOES IT TO HIS OWN DOMAIN. We can then blacklist his domains and force him to keep coming up with new ones. Whack-a-mole, yes, but at least the "moles" aren't at legitimate domains.
You can complain all you want about how this isn't going to stop spam. Maybe it won't for you, but it will cut down the worthless junk hitting my mail server.
Do you have ESP?
'nuff said.
However, once SPF is adopted it allows several things:
I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.
Sounded more like:
"The laws of Newton and Kepler don't explain the orbit of Mercury. This whole 'science' stuff needs to change. It was created a long time ago, and it's time to throw it all out and start with something new."
Maybe that's not flamebait, but it is silly. Changing theories to match new data metaphorically maps very well to adding SPF to SMTP -- not to throwing the whole thing away.
About the only attacks that TLS would pervent would be IP spoofing. These days, that is very, very hard.
What would TLS add?
Basically you end up only accepting mail from known trusted domains. If you are just starting a domain then your mail may be held up or even bounced by some users. Just as new car drivers get higher insurance so can new email domains have to pay in boun
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
The number of idiotic posts here is just another example of the declining clue of slashdot users. SPF is an attempt to prevent email forgery. Lots of spam is forged, in an attempt to get by filters. More serious trouble is caused by various 'fishing' schemes, trying to get your bank account/credit card numbers by appearing to be from paypal ,etc. SPF will address the forgery of host &domain names. It does not address the problem of forged user IDs (though this is less of a problem than you may think, if the domain is legit). It does not address the idea of unwanted mail.
Anyone with clue can see this is another tool in the toolbox. Each piece of incoming mail is ranked with a score indicating its probability of being spam. SPF, whitelists, bayesian filters, being in html, coming from china, etc affect the score. There's no magic bullet to stop spam.
Anyone who has spent time as a systems admin of a mail server, should know this.
SPF is only the first step. It's purpose is to authenticate that the sender is who they claim to be. Nothing more.
This primarily helps in two ways: first, it helps fight off certain kinds of social attacks. E-Mail can't claim to be from your bank; if it does, the MUA would display a big warning box stating the mail appears to be forged.
Second, it guarantees that people can't spam or send viruses using your domain name. The spammers have to (just as the article says) identify who they are; they can't claim to be someone else.
So no, obviously, that doesn't stop spam. It might block certain kinds of (soon to be obsolete) spam. You no longer have to blacklist all of aol.com, for example, since only real AOL users could send mail from @aol.com if we all used SPF.
This does, however, make it possible to do *MUCH* more accurate RTBL (Real Time Block Lists). The spammers have to identify themselves; once you have their identity, block all their mail. You got spam from @spammer.com? Block spammer.com. The guy at spammer.com can't pretend to be anyone else, so you've got him successfully blocked. Sure, he can register multiple domains, but with a good RTBL that isn't too much of a problem. Good RTBL already block most of the registered spammers - SPF makes their job easier since all spammers will be identifiable.
Mix SPF with a RTBL service and you *will* see a massive drop in spam. Over 80% of all incoming connections to my mail server are now blocked; most of the stuff that does get through is legit (lots of large mailing lists and traffic).
The reason? Spammers are able to publish their own records, too.
From the moment SPF was implemented, people knew that this could happen. SPF doesn't aim to stop spam outright, it aims to HELP stop spam.
First off, if SPF is used, it cuts out 'joe jobs.' I can't send you mail purporting to be from Yahoo through a mass mailer on my desktop, because SPF will catch it.
I see two issues with spam:
a.) Annoying commerical advertisements
b.) The above, sent fraudulently
SPF helps to cut out the second. If spammers send me spam, but do it from their own domain, it's still not hard to block them.
No one (that knew what they were talking about) ever claimed that SPF was a cure-all for spam. All it aimed to do was make spammers stop forging their addresses. And it sounds like it's succeeding.
________________________________________________
suwain_2
There's... ohh, you know. An unlimited amount of domain names you can have. Spammer sends out a few spam "campaigns" and simply changes domain names, SPF and all.
It won't help anything. Many of them will use stolen credit cards, or register under other false information, register 300 domains, and use them until they are blocked. Then move on.
So the problem of scanning each and every e-mail for spammishness will still prevail.
- It's not the Macs I hate. It's Digg users. -
If you want to know what method works, look at what Spammers are doing. Look at which systems (i.e. osirisoft, spamcop, spamhaus) the spammers are attacking. They are almost exclusively launching attacks at the relay blacklists. This is because this is the one method by which they are SHUT DOWN. Forget legislation. Forget all the other efforts. RBLs work. The next generation is to go from relay blacklisting, to relay-whitelisting.
The biggest things I've seen that "somebody" needs to fix about SMTP and DNS are 8-bit cleanness, and unfortunately Verisigh's trying to add international domain names by radically breaking DNS for web-only use, and Unicode complicates the details of any character set support issues (not that that's a bad thing, it's just exposing the fact that the job is harder than it looks.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Because it can be automated. SPAM filtering software would work as such: If a sufficient amount of messages with valid SPF data from a given domain are marked as SPAM, block the domain from further sending.
True, this doesn't stop those inital messages, but it gets all the rest and cuts down on the number. One needs not eliminate SPAM enitrely, just reduce it to a level where it's unprofitable. If software becomes good to the point that only 1 in 100,000 SPAM messages reach a person, that'll severely cut profits, making it much less attractive.
Also if the spammers start breaking more laws like using stolen credit cards, it just increases their chances of getting busted. Every time you break the law, it's another chance you get caught. Do it all the time, it becomes almost a sure thing.
SPAM prosecution is still new and those responsible for prosecuting it still have problems understanding how to go about that really. Credit card fraud is old hat and they are pros. Plenty of people get put away for credit card fraud. Also, usually when you get nailed for something in relation to another crime, they stack everything they can on you.
It's not a panacea, but SPF sounds like another useful tool.