Slashdot Mirror


Spammers Are Early Adopters of SPF Standard

nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem won't be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."


  1. We can still use it as a spam prevention tool by hchaos · · Score: 5, Funny

    All we need to do is block emails from anyone using SPF or SID.

  2. The point of SPF by pikine · · Score: 5, Insightful

    ... is not to block spam, but to identify the source of an e-mail. Spammers can definitely identify themselves if they so choose. I think it is still a welcoming trend.

    --
    I once had a signature.
    1. Re:The point of SPF by forevermore · · Score: 3, Insightful
      The point of SPF is ... to identify the source of an e-mail

      This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.

      --
      Do you really need reason for beer? Wingman Brewers
  3. even spammers by Anonymous Coward · · Score: 4, Funny

    need sun protection

  4. Article Poster Doesn't Understand SPF by Anonymous Coward · · Score: 5, Informative

    Idiot. The point of Sender ID systems is to make it easy to track down spammers and enforce spam laws. Sender ID isn't meant to stop spam like spam filters or sender payment schemes but make laws enforceable.

  5. Isn't this what we want? by Carnildo · · Score: 5, Insightful

    Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Isn't this what we want? by YankeeInExile · · Score: 3, Insightful

      Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net

      So, I suppose what I'm proposing is a distributed whitelist.

      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    2. Re:Isn't this what we want? by Carnildo · · Score: 3, Insightful

      Assume it takes an hour to add a domain to an automated blacklist. I think it could be done in five minutes or so, but let's be generous:

      24 domains/day * 365 days/year * $12/domain = $105,120

      That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    3. Re:Isn't this what we want? by AtOMiCNebula · · Score: 4, Insightful

      But now, spammers have to invest money in what they're doing. It doesn't matter if it's much or not, but it is something. It's more than what they were paying before, so unless they don't mind cutting into their profit margins, they're going to be affected by this.

      Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.

      What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.

    4. Re:Isn't this what we want? by Prong · · Score: 3, Insightful
      You are partially correct. It does marginally increase the cost of doing business for spammers, but remember that the major spam houses have the capital to lease major bandwidth, and have for some time. Having to madly swap domains to get is only going to swamp smaller spammers with enough extra cost to kill them. The big boys are going to keep chugging along, and the big boys are the biggest source of spam (obviously).

      What I like about SPF is that as larger ISPs adopt it, I can stop worrying about accidentally filtering their domains just because of the domain name on the From: header. I'm fully aware I'm still going to have to filter, but it's nice to know that "tightvagina@yahoo.com" actually came from an authorized Yahoo mail server. Combine that with any number of rational filtering schemes, and you have a much lower false positive rate, with the bonus being that you didn't have to take the whole message from a sender who fails the SPF check.

  6. Weng and Wong are the same person. by Anonymous Coward · · Score: 4, Informative

    The principal author of SPF is Meng Weng Wong. Just one person. Doofus.

  7. Understanding SPF by grasshoppa · · Score: 4, Informative

    Understanding SPF as I do, I can't see how anyone expected this to "end the spam problem".

    It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

    But, as is stated, it's completely possible for spammers to keep their dns records updated too.

    Now, if only we could get the whois accurate. ;)

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Understanding SPF by aardvarkjoe · · Score: 3, Informative

      You know, spammers don't just forge the sender for fun. It's an integral part of their methods of staying a step ahead of being shut down. If you can prevent them from doing it, then you make it that much more difficult to spam. (Of course, we haven't reached that point yet.)

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Understanding SPF by moreati · · Score: 3, Interesting
      It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers


      And therein lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much to perform the following sequence:
      1. I received a Spam message from domainx.com, either:
      (a) sender was a verified user of domainx.com, spf records check out
      (b) no spf, sender likely forged
      In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
      In case (b) if SPF is in widespread use for legitimate mail then the spam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.

      Regards

      Alex
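
The sequence in the comment above, worked through as an added example (not part of the original post and not code from any SPF implementation). It evaluates only the `ip4`, `ip6` and `all` mechanisms of an SPF record without DNS lookups; the `triage` function, its return strings, the domains and the addresses are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all subset of an SPF TXT record for one client IP."""
    terms = (record or "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"           # a, mx, include, ... need DNS
    return "neutral"                       # nothing matched, no "all" term

def triage(domain, client_ip, spf_records, domain_blocklist):
    """Case (a)/(b) from the comment, plus the explicit-forgery case."""
    result = check_spf(spf_records.get(domain), client_ip)
    if result == "fail":
        return "reject: forged sender"     # owner says this host may not send
    if result == "pass":
        # Case (a): the domain vouches for the host, so a domain-level
        # blocklist entry cannot hit an innocent, spoofed third party.
        if domain in domain_blocklist:
            return "reject: blocklisted domain"
        return "accept: report domain if spam"
    # Case (b): no usable SPF result, sender may be forged; score the body.
    return "filter: sender unverified"

# Constructed sample data (documentation address ranges, .example domains).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulkmail.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
BLOCKLIST = {"bulkmail.example"}
```
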
  8. No one claimed it would end spam by Anonymous Coward · · Score: 3, Insightful

    What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.

  9. But that's not the point of SPF by hypnagogue · · Score: 5, Insightful

    The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.

    In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.

    --
    Liberty you never use is liberty you lose.
  10. Re:A Change Needs to be made by pikine · · Score: 3, Interesting

    A more reasonable change would be SMTP-TLS, employing a policy of using authorized certificates like the secure websites. This protocol is already there, but it's the wide adoption that is the problem.

    --
    I once had a signature.
  11. SenderID != Spam Solution by Manip · · Score: 3, Insightful

    SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.

    You can not guarantee that an E-Mail originated from the source it said it did.

    Which effectively makes black-lists useless.

    With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.

    I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.

  12. You need the support of your DNS provider by smartin · · Score: 3, Informative

    I actually tried to set up SPF for my site this morning after reading another /. article. Turns out my DNS provider does not support TXT records and gave no indication of a willingness to do so. If it turns out that SPF and some other combination of technologies will prevent me from getting spam as well as prevent my email address from being spoofed as the From: address on spam sent to others, I guess register.com is about to lose a customer.

    --
    The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
  13. Apparently, some people missed the point... by Otto · · Score: 4, Insightful

    If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.

    That was the entire point.

    In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.

    There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.

    The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  14. In other news by Dirtside · · Score: 4, Funny
    Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam.
    Wung, on the other hand, claims that a variation of SPF will eventually win the day, while Wing, yet another researcher, believes that any acronym that can be confused with sunscreen will inevitably fail. And someone named "Wang" would like you to know that you can increase your penis size by 20% in just 2 hours!
    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  15. SPF is an anti-forgery tool, not an anti-spam tool by cas2000 · · Score: 5, Interesting


    SPF doesn't and can't block spam.

    it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.

    in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.

    it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.

  16. Re:A Change Needs to be made by ZorbaTHut · · Score: 3, Insightful

    How would you change it?

    Why can't these changes be integrated into SMTP-as-we-know-it?

    It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.

    --
    Breaking Into the Industry - A development log about starting a game studio.
  17. Important notice: please update your USBank info! by coyote-san · · Score: 4, Insightful
    There are four separate "spam" problems:
    • Unsolicited but legal mail from a legitimate mail server
    • Unsolicited mail (legal or not) from hijacked systems, open mail relays, etc.
    • Viruses
    • Fraudulent mail

    SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.

    As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phishers' lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss off Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  18. Re:This surprises anyone? by chill · · Score: 4, Informative

    So it'll be just like the RBLs we have now, only you won't be able to send work email from home?

    SMTP AUTH over SSL/TLS to your work's mail server and you can send all the work e-mail from home you want.

    Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  19. I won't pay $300/year to send mail by Wesley+Felter · · Score: 3, Insightful

    'nuff said.

  20. Re:A Change Needs to be made by T-Ranger · · Score: 3, Interesting
    If you are talking about using TLS to ensure authenticity of a source, then SPF does that (somewhat). If a message claims to be from domain X, and domain X uses SPF and already only allows messages from their servers, then that message is from domain X. TLS, as far as authenticity goes would add nothing. The only difference is that spammers would now also have to buy a TLS cert.

    About the only attacks that TLS would prevent would be IP spoofing. These days, that is very, very hard.

    What would TLS add?

  21. SPF ignorance is rampant by drwho · · Score: 4, Informative

    The number of idiotic posts here is just another example of the declining clue of slashdot users. SPF is an attempt to prevent email forgery. Lots of spam is forged, in an attempt to get by filters. More serious trouble is caused by various 'fishing' schemes, trying to get your bank account/credit card numbers by appearing to be from paypal, etc. SPF will address the forgery of host & domain names. It does not address the problem of forged user IDs (though this is less of a problem than you may think, if the domain is legit). It does not address the idea of unwanted mail.

    Anyone with clue can see this is another tool in the toolbox. Each piece of incoming mail is ranked with a score indicating its probability of being spam. SPF, whitelists, bayesian filters, being in html, coming from china, etc affect the score. There's no magic bullet to stop spam.

    Anyone who has spent time as a systems admin of a mail server, should know this.

  22. Want to know what works? Look at who Spammers hate by humankind · · Score: 3, Interesting

    If you want to know what method works, look at what Spammers are doing. Look at which systems (i.e. osirisoft, spamcop, spamhaus) the spammers are attacking. They are almost exclusively launching attacks at the relay blacklists. This is because this is the one method by which they are SHUT DOWN. Forget legislation. Forget all the other efforts. RBLs work. The next generation is to go from relay blacklisting, to relay-whitelisting.