On Wed, 8 Sep 2004, David Cantrell wrote:
You forget, SPF doesn't just tell you who is authorised to speak on behalf of foobar.com, it also tells you who is *not* authorised.
That is sort of implied, yes.
If you get mail coming in from - eg - randomgibberish.comcast.net claiming to be from foobar.com, then you know that it's dodgy unless foobar.com's SPF record says that that cable modem address is authorised.
Except that, SPF records are as easy to setup for a spammer, as for you and I. If the above is a spammer, then SPF for foobar.com will list randomgibberish.comcast.net as an authorised sender.
SPF will absolutely not have any effect on spam.
And I say this merely as a disciple of Vixie - he thought of a form of SPF /years/ ago, and he knew /years/ ago it wouldn't do anything for Spam. The only difference between Vixie's MAIL-FROM MX records and SPF is the snake-oil: Vixie was honest in his claims for what it could do, the hype around SPF is not.
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
Fortune: Reformatting Page. Wait...
On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
Except that, SPF records are as easy to setup for a spammer, as for you and I. If the above is a spammer, then SPF for foobar.com will list randomgibberish.comcast.net as an authorised sender.
SPF will absolutely not have any effect on spam.
But if instead of foobar.com, it is vix.com or citibank.com, then their SPF records will not point at randomgibberish.comcast.net as an authorized sender. That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
/vijay
On Wed, 8 Sep 2004, vijay gill wrote:
But if instead of foobar.com, it is vix.com or citibank.com, then their SPF records will not point at randomgibberish.comcast.net as an authorized sender. That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
Yes, all we need for SPF to work is for spammers to play along and cooperate, and we'll be able to filter out the spam they send. Earth calling... ;)
/vijay
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
Fortune: The Constitution may not be perfect, but it's a lot better than what we've got!
On Wed, Sep 08, 2004 at 12:14:54PM +0100, Paul Jakma wrote:
On Wed, 8 Sep 2004, vijay gill wrote:
But if instead of foobar.com, it is vix.com or citibank.com, then their SPF records will not point at randomgibberish.comcast.net as an authorized sender. That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
Yes, all we need for SPF to work is for spammers to play along and cooperate, and we'll be able to filter out the spam they send.
Earth calling... ;)
I'm probably going into an argument with a net.kook but just to be sure, let me clarify this:
How do you think spammers will be able to subvert citibank.com to have random.cablemodem.net as a permitted sender?
I've never believed spf was the ultimate solution, just that it allows me to better filter some of the joe-bobs.
/vijay - falling yet again into another argument which is probably more annoying than a thorned thong.
On Wed, 8 Sep 2004, Paul Jakma wrote:
Yes, all we need for SPF to work is for spammers to play along and cooperate, and we'll be able to filter out the spam they send.
doesn't matter if they do, the point is this provides a type of whitelisting for major domains that are being abused eg phishing, and scales down so you can even flag up fakes for minor domains
just another weapon in the arsenal and what i like is that it's very low overhead unlike some techniques, and is also managed by the domain admin
Steve
On Wed, 8 Sep 2004, vijay gill wrote:
And randomgibberish.comcast.net will still be in all the dynamic blacklists.
I'm subscribed to both the SpamAssassin list, and this one.
This is getting seriously off-topic.
If you like SPF, embrace it. If not, don't.
This may very well be one of the things that time will tell on, much like open relays, which were considered harmless, or things like telnet, which used to be a complete standard, and now, my *remote reboot* units come SSH capable. Spamassassin and other spam control technologies are choosing to. It's ONE PIECE of a very large solution. It's a solution to domain forging, not to spam. (nothing in this paragraph is anything new to this list in the past week).
Can we please get on with our lives?
Thanks
-Dan Mahoney
On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
Except that, SPF records are as easy to setup for a spammer, as for you and I. If the above is a spammer, then SPF for foobar.com will list randomgibberish.comcast.net as an authorised sender.
SPF will absolutely not have any effect on spam.
But if instead of foobar.com, it is vix.com or citibank.com, then their SPF records will not point at randomgibberish.comcast.net as an authorized sender. That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
/vijay
--
"It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there."
-Paul Baecker January 3, 2k Indeed, sometime after 3AM
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
Dan:
SPF, SpamAssassin, and other measures are all steps in the right direction in making spam less of a problem than it is today. I applaud you for taking part in their respective forums.
What you fail to realize is that spam is a problem best stopped within your domain of control. According to Google, it appears as though you have a problem with terminating spamming customers, in accordance with your own AUP:
http://groups.google.com/groups?q=ezzi+spam&hl=en&lr=&ie=UTF-8&sa=N&scoring=d
What I found more alarming were the double standards set forth by this post:
http://groups.google.com/groups?q=&hl=en&lr=&ie=UTF-8&selm=5a29bb5.0202260613.3addb4ce%40posting.google.com&rnum=2
I'm sorry, but you aren't entitled to anything. If you'd like to be removed from the DNSBL's, you need to remove your offending customers. You can't just say "these customers are spammers, block them, don't block anyone else" and keep collecting a check from them at the end of the month.
"A los tontos no les dura el dinero."
---Ricardo
On Wed, 8 Sep 2004 07:46:30 -0400 (EDT), Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
On Wed, 8 Sep 2004, vijay gill wrote:
And randomgibberish.comcast.net will still be in all the dynamic blacklists.
I'm subscribed to both the SpamAssassin list, and this one.
This is getting seriously off-topic.
If you like SPF, embrace it. If not, don't.
This may very well be one of the things that time will tell on, much like open relays, which were considered harmless, or things like telnet, which used to be a complete standard, and now, my *remote reboot* units come SSH capable. Spamassassin and other spam control technologies are choosing to. It's ONE PIECE of a very large solution. It's a solution to domain forging, not to spam. (nothing in this paragraph is anything new to this list in the past week).
Can we please get on with our lives?
Thanks
-Dan Mahoney
On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
Except that, SPF records are as easy to setup for a spammer, as for you and I. If the above is a spammer, then SPF for foobar.com will list randomgibberish.comcast.net as an authorised sender.
SPF will absolutely not have any effect on spam.
But if instead of foobar.com, it is vix.com or citibank.com, then their SPF records will not point at randomgibberish.comcast.net as an authorized sender. That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
/vijay
--
"It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there."
-Paul Baecker January 3, 2k Indeed, sometime after 3AM
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
On Wed, 8 Sep 2004, Ricardo "Rick" Gonzalez wrote:
Ricardo, I *do* stop spam within my domain of control. I terminate spammers as I find them. In the event a customer appears spammish in his entirety, I kill them. In the event spam originates from a single ip, or a single customer-hosted domain name, I give the customer the chance to clean up the mess and get it off our network. Bonus points are of course added if the customer is willing to prove their innocence by pointing the domain somewhere bad (like 127.0.0.1), instead of moving it off to be a landing site elsewhere.
There *are* of course instances where machines are compromised, or clueless people install old versions of formmail (which is continually compromised in new ways), and I get those abuse reports as well, and tend to them as well.
On occasion it's taken longer than necessary to kill spammers for a couple of interesting legal reasons I'm not at liberty to discuss in this forum, but I keep us clean enough that we're not on any of the major blacklists.
All this, however, is secondary to my real reason for even replying to your mail at all. I'd like to applaud you personally for taking a list that I'm posting to with my personal email address, and dragging my job into it (there's a separation, there). It shows a level of maturity I'd reserve for the frag-server customers we host.
This topic is still getting older, further off topic, and further and further away from the spirit of the list.
-Dan Mahoney
Dan:
SPF, SpamAssassin, and other measures are all steps in the right direction in making spam less of a problem than it is today. I applaud you for taking part in their respective forums.
What you fail to realize is that spam is a problem best stopped within your domain of control. According to Google, it appears as though you have a problem with terminating spamming customers, in accordance with your own AUP:
http://groups.google.com/groups?q=ezzi+spam&hl=en&lr=&ie=UTF-8&sa=N&scoring=d
What I found more alarming were the double standards set forth by this post:
I'm sorry, but you aren't entitled to anything. If you'd like to be removed from the DNSBL's, you need to remove your offending customers. You can't just say "these customers are spammers, block them, don't block anyone else" and keep collecting a check from them at the end of the month.
"A los tontos no les dura el dinero."
---Ricardo
On Wed, 8 Sep 2004 07:46:30 -0400 (EDT), Dan Mahoney, System Admin <danm@prime.gushi.org> wrote:
On Wed, 8 Sep 2004, vijay gill wrote:
And randomgibberish.comcast.net will still be in all the dynamic blacklists.
I'm subscribed to both the SpamAssassin list, and this one.
This is getting seriously off-topic.
If you like SPF, embrace it. If not, don't.
This may very well be one of the things that time will tell on, much like open relays, which were considered harmless, or things like telnet, which used to be a complete standard, and now, my *remote reboot* units come SSH capable. Spamassassin and other spam control technologies are choosing to. It's ONE PIECE of a very large solution. It's a solution to domain forging, not to spam. (nothing in this paragraph is anything new to this list in the past week).
Can we please get on with our lives?
Thanks
-Dan Mahoney
On Wed, Sep 08, 2004 at 11:54:32AM +0100, Paul Jakma wrote:
Except that, SPF records are as easy to setup for a spammer, as for you and I. If the above is a spammer, then SPF for foobar.com will list randomgibberish.comcast.net as an authorised sender.
SPF will absolutely not have any effect on spam.
But if instead of foobar.com, it is vix.com or citibank.com, then their SPF records will not point at randomgibberish.comcast.net as an authorized sender. That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
/vijay
--
"It's three o'clock in the morning. It's too late for 'oops'. After Locate Updates, don't even go there."
-Paul Baecker January 3, 2k Indeed, sometime after 3AM
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
--
"...Somebody fed you sugar. Shit!"
--Tracy, after noticing Gatorade on my desk. Ezzi Computers, October 18th 2003 Approx 11PM
--------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---------------------------
Folks, let's stop this thread. We've veered away from the operational towards ... well, it's hard to define. Anti-social?
vgill@vijaygill.com (vijay gill) writes:
... That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
agreed, that is what it means.
however, and this is the important part so everybody please pay attention, if you can junk something "without hesitation," then spammers will stop sending that kind of "something." they make their money on clickthroughs, final sales, and referrals, which translates to one thing and one thing only: "volume." if the way to keep their volume up means "put SPF metadata in for the domains they use" or even just "stop forging mail from domains that have SPF metadata" then that is exactly what they will do. guaranteed.
there's a bet here. you could bet that by closing off this avenue, SPF will force spammers to use other methods that are more easily detected/filtered, and that if you play this cat&mouse game long enough, it will drive the cost of spam so high (or drive the volume benefit so low) that it'll just die out.
i lost that bet during my MAPS years. your mileage may vary, but to me, SPF is just a way to rearrange the deck chairs on the Titanic. we won't have decent interpersonal batch digital communications again before whitelists; everything we do in the mean time is just a way to prove that to the public so they'll be willing to live with the high cost of fully distributing trust.
--
Paul Vixie
On Wed, 2004-09-08 at 09:59, Paul Vixie wrote:
vgill@vijaygill.com (vijay gill) writes:
... That means that if I do get a mail purporting to be from citi from randomgibberish, I can junk it without hesitation.
agreed, that is what it means.
however, and this is the important part so everybody please pay attention, if you can junk something "without hesitation," then spammers will stop sending that kind of "something." they make their money on clickthroughs, final sales, and referrals, which translates to one thing and one thing only: "volume." if the way to keep their volume up means "put SPF metadata in for the domains they use" or even just "stop forging mail from domains that have SPF metadata" then that is exactly what they will do. guaranteed.
there's a bet here. you could bet that by closing off this avenue, SPF will force spammers to use other methods that are more easily detected/filtered, and that if you play this cat&mouse game long enough, it will drive the cost of spam so high (or drive the volume benefit so low) that it'll just die out.
i lost that bet during my MAPS years. your mileage may vary, but to me, SPF is just a way to rearrange the deck chairs on the Titanic. we won't have decent interpersonal batch digital communications again before whitelists; everything we do in the mean time is just a way to prove that to the public so they'll be willing to live with the high cost of fully distributing trust.
The first step along this path is to ensure a means of obtaining a name that can be used to establish a history of use. Neither SPF nor Sender-ID provides a domain name without making unverifiable assumptions of the mail channel integrity. The CSV proposal, now in the MARID group, provides a means of obtaining both an authenticated and authorized name useful for establishing a history without the high overhead associated with tracking addresses.
SPF and Sender-ID expect the recipient to expend perhaps hundreds of DNS queries and execute complex macros that are seemingly designed to hide the scope of the outbound SMTP addresses, where a single wildcard record and random sub-domains will devour the recipient's resolver.
Neither Sender-ID nor SPF stop the citibank.com spoofing, as the last header checked is the RFC2822 From. Spoofers only need to employ a few simple tricks, and the phishing continues, but now with a receiving MTA burning more than twice the network and iron.
Sender-ID seems to be a means of injecting Microsoft IPR and to place a foot in the door to allow never-ending feature creep and DNS bloat.
-Doug
Paul Vixie <vixie@vix.com> wrote: [...]
however, and this is the important part so everybody please pay attention, if you can junk something "without hesitation," then spammers will stop sending that kind of "something." they make their money on clickthroughs, final sales, and referrals, which translates to one thing and one thing only: "volume." if the way to keep their volume up means "put SPF metadata in for the domains they use" or even just "stop forging mail from domains that have SPF metadata" then that is exactly what they will do. guaranteed.
Cool, fewer double-bounces implicating me as the source of spam. I'll take that, ta. [...]
i lost that bet during my MAPS years. your mileage may vary, but to me, SPF is just a way to rearrange the deck chairs on the Titanic.
Well, I for one would really really like to thank you for the MAPS RBL. It may not have been a permanent solution, but it made the difference while it still worked. If ever you have the misfortune to find yourself in this arse end of Britain, please do claim a pint ;)
we won't have decent interpersonal batch digital communications again before whitelists; everything we do in the mean time is just a way to prove that to the public so they'll be willing to live with the high cost of fully distributing trust.
As a poor bastard who seems to be BOFHing for an ISP "fixing" mail, I can only hope that the future comes up with good ideas in the future that will help with the tsunami. Given the 400% increase in spam that we've seen hitting our "spam solution" in the last 3 months, anything that can make the difference is welcome.
For the long term, I really don't know what to do. Becoming a Knuthian email hermit is tempting given I'm getting awfully close to the 15 years myself...
--
PGP key ID E85DC776 - finger abuse@mooli.org.uk for full key
On Wed, Sep 08, 2004 at 04:59:51PM +0000, Paul Vixie <vixie@vix.com> wrote a message of 27 lines which said:
you could bet that by closing off this avenue, SPF will force spammers to use other methods that are more easily detected/filtered, and that if you play this cat&mouse game long enough, it will drive the cost of spam so high (or drive the volume benefit so low) that it'll just die out.
Good summary. This is the right strategy.
but to me, SPF is just a way to rearrange the deck chairs on the Titanic.
I can swim but I believe that the water under the Titanic was quite too cold to stay. Any advice to the people on the NANOG mailing list before the boat goes down?
participants (10)
- abuse@cabal.org.uk
- Dan Mahoney, System Admin
- Douglas Otis
- Paul Jakma
- Paul Vixie
- Ricardo "Rick" Gonzalez
- Stephane Bortzmeyer
- Stephen J. Wilcox
- Susan Harris
- vijay gill