[Dshield] SPF

Roger A. Grimes roger at banneretcs.com
Thu Nov 3 00:56:53 GMT 2005


Mark's articles are always great.

Here's my half cent:

Overall, it will change the nature of spam, but will not reduce it. Case
in point, the biggest adopters of SPF are the spammers. Nuff said [hey,
shout out to Stan Lee]. But spammers who try to forge origination domain
names while sending from another location will be stopped. As many other
great writers have said before me, SPF and other domain protection
schemes are more about protecting domain holders' rights than anything
else. With SPF, origination domains can't be faked (without additional
DNS compromises), so people won't falsely accuse the wrong domain of
sending spam.

But if you consider that 50% of spam, and this figure is rising, is
coming from spam bots, all spammers need to do is change it so that spam
bots use the user's local SMTP server (instead of using their own SMTP
engines as they do now). Then email will be sent from the user's
validated SMTP server and bypass the SPF protections. Basically, to stop
this, the server must stop the spam bot from creating and sending emails from
client to server (ex. Outlook/Exchange combinations are mostly protected
against this type of attack because they use authenticated RPC instead
of SMTP). But if spambots learn to communicate between the client and
the SPF validated SMTP server successfully, then SPF won't matter much.

Of course, I'm ignoring the whole SPF vs. Microsoft Sender ID fight.
Whatever comes out of it, the solution is almost the same (i.e. it's
IP-based domain authentication).

The other most popular proposals, like DomainKeys, use asymmetric crypto
to protect and authenticate sender/message integrity end-to-end.
Ultimately, this will be the winning anti-spam solution (to prevent
forgery), but even these solutions will only work if they scale well and
easily, and if the user's private signing keys are protected.

For either overall solution (i.e. IP-based domain protection vs. message
digital signatures) to work, the implementation must be widely deployed
across a high percentage of email servers. The continuing fight of
different parties is making fractured standards that benefit no one.
While the leaders argue, we suffer.

My belief is that anti-spam defense and offense wars will continue to
escalate for the next few years (i.e. there won't be less spam), but the
combination of arresting spammer scumbuckets, SPF, and improvements in
many other anti-spam technologies, will minimize spam. But unless laws
are passed that prevent unsolicited emails from bulk providers (i.e.
opt-in only), spam will continue. Without the laws to protect us, the
technology is just an escalating hurdle that will be jumped. 

Roger

***************************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), TICSA, CEH, CHFI
*email: roger_grimes at infoworld.com or roger at banneretcs.com
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Paul Marsh
Sent: Wednesday, November 02, 2005 5:15 PM
To: General DShield Discussion List
Subject: [Dshield] SPF


I was reading Mark Minasi's monthly newsletter
http://www.minasi.com/thismonth.htm, always a good read.  This month he
covers the topic of SPF Sender Protection Framework as it relates to
reducing spam.  To be honest I've never heard of it but it looks like it
could help reduce spam for the time being?  I also noticed some key
domains are already using SPF.  What's the general consensus regarding
SPF?

Thanx, Paul


