[Dshield] Are you using spf records?

Tom dshield at oitc.com
Thu Jan 5 23:31:51 GMT 2006


Further, SPF breaks RFC 2821/2822 compliant mail when the mail is 
forwarded from MTA to MTA.

We put in the records but we don't think it does much of anything for 
many of the reasons below.

Tom

At 1:57 PM -0600 1/5/06, Stasiniewicz, Adam wrote:
>FUD ALARM!!
>
>Do you even have the slightest idea of how SPF works?  Actually read
>about it before saying something: http://www.openspf.org/howworks.html.
>I am not going to defend the technology; I just want to ensure that
>people don't get the wrong idea from a couple of open-ended, unsupported
>comments.
>
>1. SPF has nothing to do with reporting spam.  It does not send any
>reports to anyone, nor does it rely on the need for an ISP to
>"investigate" any claims.
>2. A lot of spam uses forged headers, so unless you carefully check the
>header, you can't be sure that it came from a real hotmail server.
>3. SPF does one thing: it stops email from originating from a source
>other than the authentic outgoing email server for a domain.  It knows
>which servers are authentic outgoing email servers by using a DNS query
>for the specific SPF record (encapsulated in a TXT record).
>
>Now SPF is not without flaws.
>
>1. If a domain does not publish SPF records, email from that domain can
>be forged.
>2. If a domain uses a different "all" operator other than "-all", many
>filters will not do any filtering on the email.
>3. There is nothing stopping a spammer from sending email from, say,
>"someone at abay.com" (note the first letter of the domain).
>4. Many organizations don't use SPF, so it will be ineffective for many
>emails.  But it can always be used with great success internally.
>5. If a malicious user can gain relay to a server which SPF thinks is
>legit, then SPF won't help.
>6. If a malicious user has his own domain, he can add SPF records for
>his spamming server, or simply not use SPF at all.
>7. SPF is not an end-all solution for fighting spam; it is just another
>method that can be used as part of an overall strategy in fighting spam.
>
>Please actually research what you are talking about before saying
>something.
>
>Regards,
>Adam Stasiniewicz
>Computer and Communication Services Department
>Milwaukee School of Engineering
>MSCE: Messaging & Security 2003
>
>-----Original Message-----
>From: list-bounces at lists.dshield.org
>[mailto:list-bounces at lists.dshield.org] On Behalf Of Abuse
>Sent: Thursday, January 05, 2006 12:19 PM
>To: General DShield Discussion List
>Subject: Re: [Dshield] Are you using spf records?
>
>** Reply to message from Martin Forest <martin at forest.gen.nz> on Thu, 05
>Jan 2006 19:40:57 +1300
>
>> I have done some minor research with SPF records. It is nice to see that
>> several of the big domains such as hotmail, msn, aol etc have started to
>> use SPF records.
>
>A lot of good that will do.  I report spam to hotmail and almost all
>replies say it did not originate with us.  Well it originated with one of
>their users and was sent through one of hotmail's servers.  With an
>attitude like that we will never get rid of spam.
>
>
>> Especially as they are often used in forged emails. With them posting
>> spf, it is now possible to block the spam bots that use their "from
>> addresses".
>
>Any program that uses the FROM address to filter spam (or anything for
>that matter) should be deleted from your system.  It does not work, it
>can never work, so why use it?
>_________________________________________
>Learn about Intrusion Detection in Depth from the comfort of your own
>couch:
>https://www.sans.org/athome/details.php?id=1341&d=1
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see:
>http://www.dshield.org/mailman/listinfo/list
>


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
http://www.oitc.com/Antarctica/

PGP Public Keys available at:
PGP's Key Server: ldap://keyserver.pgp.com/
OITC's Public Key List: http://www.oitc.com/OITC/PGPKeys.html
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD
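
The quoted explanation of how SPF works (a DNS TXT record listing the authentic outgoing servers) and flaws 1, 2, 3 and 6 of Adam's list, as an added example that is not part of the original thread: a minimal evaluator for the ip4 and all mechanisms, run against a constructed DNS table. The domain names, addresses and records are constructed stand-ins, not real published SPF data.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; none of these records are real.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",   # flaw 2: soft "all"
    "examp1e.com": "v=spf1 ip4:203.0.113.7 -all",          # flaw 3/6: lookalike domain
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=TXT_RECORDS):
    """Evaluate the ip4 and all mechanisms of a domain's SPF record against
    the connecting IP. Returns 'none' when no v=spf1 record is published
    (flaw 1), otherwise the result of the first matching mechanism."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # SPF default when no mechanism matches


def demo():
    """One constructed sending host (203.0.113.7) trying several envelope domains."""
    return {
        "legit": check_spf("192.0.2.10", "example.com"),        # listed server
        "forged": check_spf("203.0.113.7", "example.com"),      # -all rejects it
        "softfail": check_spf("203.0.113.7", "softfail.example"),  # ~all only softfails
        "no_record": check_spf("203.0.113.7", "nospf.example"),  # nothing to check
        "lookalike": check_spf("203.0.113.7", "examp1e.com"),   # passes under its own domain
    }
```

The last two results illustrate Adam's point: SPF only tells a receiver whether the host is authorized for the domain it claims, so an unprotected or attacker-owned domain yields no useful signal.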


More information about the list mailing list