SV: [DShield] SPF is fundamentally flawed

Erik van Straten emvs.dsh.3FB4CC72 at
Thu Feb 19 21:33:36 GMT 2004


On Thu, 19 Feb 2004 09:32:42 +0100 Johan Strand wrote:
> > include spam. *SPF* will not block those spams if the AOL PC says:
> > 	MAIL FROM: <irrelevant at>
> > or perhaps:
> > 	MAIL FROM: <AnyExistingAOLCustomer at>
> > to, and proxy says the same to the final recipient MTA.
> No, of course not! SPF only stops any other sender from claiming to
> be an AOL sender and circumventing my domain filter.

Correct! That is, the sender claiming in envelope MAIL FROM to be an
AOL sender (mostly invisible); the message header From: field (shown
to most recipients) can be *any* address (like yours).

> SPF does not stop a domain from sending spam, but makes it easier
> to filter by domain since it is harder to forge the sending domain.

That was exactly my point. Spammers and viruswriters will adapt, so
this is not a valid reason for using or advocating SPF.

> How could that be a flaw in SPF? It does exactly what it was designed
> to do.

The SPF inventor claims on that SPF:

  "makes it easier to identify spams, worms, and viruses"

Eventually it will not. This leaves two possible advantages:

  "SPF fights email address forgery"

Which is of *very* limited use, as it applies *only* to the domain
part of the envelope MAIL FROM address; usernames can still be
spoofed. Furthermore, this address can be <>; and most MUA's only
show the message-From address, so recipients can still be tricked.

  "SPF was originally designed to prevent joe-jobs"

YES! The only thing SPF really does, is prevent sites like mine from
receiving 160000 spambounces per month, as a result of spams being
sent from compromised PC's all over the world.

Finally, the disadvantage that SPF kills forwarding is mostly ignored,
or useless solutions are being suggested.

SPF will not stop spam and malware emails - that's why it is flawed.
IMO we must fight those emails where they originate: either by taking
care of the authors, or the PC's they "own", or both. Most of these
PC's are fast home computers connected via high speed DSL connections.
Apart from spam and viruses, these *huge* networks of compromised PC's
have everything to do with security as they pose a threat to the
Internet as a whole. Let's not waste time on SPF.

Erik van Straten

More information about the list mailing list