[Dshield] Are you using spf records?

Tom dshield at oitc.com
Fri Jan 6 01:56:58 GMT 2006


So explain to me how your user who forwards email to someplace else 
can show sender reputation? It can't without rewriting headers which 
is a violation of ALL current RFCs concerning mail. You want sender 
reputation, sign all documents with PGP but this will not give it to 
you.

Martin, if it would really work the big boys in mail like outblaze 
(among others) would not pull support for SPF: 
http://www.merlesworld.com/webbbs/webbbs_config.pl?noframes;read=341

And it's worse if you're a little guy with a mailserver on BIGISP who 
closes your outbound port 25 and makes you use his mailservers for 
outbound "to protect from misuse" (true stories) because his public 
outbound servers/IPs are not documented! Try to find a list of 
verizon, sbc, bellsouth, etc outbounds let alone bt, hkcable, etc.

What it all comes down to is that to deal with forwarding issues and 
use of unknown outbounds (and other issues as well) SPF just 1) 
doesn't hack it and 2) would force major changes in RFCs with little 
return on the necessary massive worldwide investment.

Tom

At 11:48 AM +1300 1/6/06, Martin Forest wrote:
>I'm also a fan of SPF.
>The more domains that start using SPF the better it will be.
>With SPF, you will know if the email is from an "authentic" server. Sure, 
>the domain may be a spam domain but this is where sender reputation comes 
>in.
>For example
>1) If the email is from a non valid server i.e. SPF=fail (or possibly even 
>softfail), drop it.
>1.b) If the email (SPF) is softfail, tag as spam.
>2) If the email is from a white listed domain and SPF=pass, deliver. 
>(White listing can be either a local white list with your customers etc 
>and/or an external organization that list "well behaving domains" similar 
>to rbl lists.)
>3) If SPF is pass or none proceed with normal spam checking.
>
>SMTP is a mess. Bad design, bad standards etc. Until we have an 
>alternative mail protocol, we must use add on systems. In my opinion, we 
>have hit the point where traditional spam tagging/filtering is no longer 
>enough. With SPF and sender reputation (i.e. list good behaving domains) 
>we can start looking for/filtering out the good email and tag the rest.
>And yes, it will only work when everyone is using -All. But I don't see 
>any problem with using ~All during a transition phase.
>
>Cheers
>Martin Forest
>
>
>
>On Fri, 06 Jan 2006 08:57:54 +1300, Stasiniewicz, Adam <stasinia at msoe.edu> 
>wrote:
>
>>  FUD ALARM!!
>>
>>  Do you even have the slightest idea of how SPF works?  Actually read
>>  about it before saying something: http://www.openspf.org/howworks.html.
>>  I am not going to defend the technology; I just want to ensure that
>>  people don't get the wrong idea from a couple of open ended, unsupported
>>  comments.
>>
>>  1. SPF has nothing to do with reporting spam.  It does not send any
>>  reports to anyone, nor does it rely on the need for an ISP to
>>  "investigate" any claims.
>>  2. A lot of spam uses forged headers, so unless you carefully check the
>>  header, you can't be sure that it came from a real hotmail server.
>>  3. SPF does one thing: it stops email from originating from a source
>>  other than the authentic outgoing email server for a domain.  It knows
>>  which servers are authentic outgoing email servers by using a DNS query
>>  for the specific SPF record (encapsulated in a TXT record).
>>
>>  Now SPF is not without flaws.
>>
>>  1. If a domain does not publish SPF records, email from that domain can
>>  be forged.
>>  2. If a domain uses a different "all" operator other than "-all" many
>>  filters will not do any filtering on the email.
>>  3. There is nothing stopping a spammer from sending email from say
>>  "someone at abay.com" (note the first letter of domain).
>>  4. Many organizations don't use SPF, so it will be ineffective for many
>>  emails.  But it can always be used with great success internally.
>>  5. If a malicious user can gain relay to a server which SPF thinks is
>>  legit, then SPF won't help.
>>  6. If a malicious user has his own domain, he can add SPF records for
>>  his spamming server, or simply not use SPF at all.
>>  7. SPF is not an end all solution for fighting spam, it is just another
>>  method that can be used as part of an overall strategy in fighting spam.
>>
>>  Please actually research what you are talking about before saying
>>  something.
>>
>>  Regards,
>>  Adam Stasiniewicz
>>  Computer and Communication Services Department
>>  Milwaukee School of Engineering
>>  MSCE: Messaging & Security 2003
>>
>>  -----Original Message-----
>>  From: list-bounces at lists.dshield.org
>>  [mailto:list-bounces at lists.dshield.org] On Behalf Of Abuse
>>  Sent: Thursday, January 05, 2006 12:19 PM
>>  To: General DShield Discussion List
>>  Subject: Re: [Dshield] Are you using spf records?
>>
>>  ** Reply to message from Martin Forest <martin at forest.gen.nz> on Thu, 05
>>  Jan 2006 19:40:57 +1300
>>
>>>  I have done some minor research with SPF records. It is nice to see
>>>  that several of the big domains such as hotmail, msn, aol etc have
>>>  started to use SPF records.
>>
>>  A lot of good that will do.  I report spam to hotmail and almost all
>>  replies say it did not originate with us.  Well it originated with one
>>  of their users and was sent through one of hotmail's servers.  With an
>>  attitude like that we will never get rid of spam.
>>
>>
>>>  Especially as they are often used in forged emails. With
>>>  them posting spf, it is now possible to block the spam bots that use
>>>  their "from addresses".
>>
>>  Any program that uses the FROM address to filter spam (or anything for
>>  that matter) should be deleted from your system.  It does not work, it
>>  can never work, so why use it?
>>  _________________________________________
>>  Learn about Intrusion Detection in Depth from the comfort of your own
>>  couch:
>>  https://www.sans.org/athome/details.php?id=1341&d=1
>>
>>  _______________________________________________
>>  send all posts to list at lists.dshield.org
>>  To change your subscription options (or unsubscribe), see:
>>  http://www.dshield.org/mailman/listinfo/list
>>
>
>
>
>--
>If you take copy protection too far, the only customers you will have are 
>the ones that intend to sell illegal copies of your work. By: Martin Forest
>Warning: DRM/BMG protected CD's are likely to infect you with a Rootkit.
>


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
http://www.oitc.com/Antarctica/

PGP Public Keys available at:
PGP's Key Server: ldap://keyserver.pgp.com/
OITC's Public Key List: http://www.oitc.com/OITC/PGPKeys.html
14A7 A308 266A 3646 FBA8  9A86 E139 F108 B1BE 37BD
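As an added worked example (not code from the original thread or from any of its posters), the following toy SPF check evaluates constructed TXT records against a connecting IP, applies Martin's receive-side policy (fail drops, softfail tags, whitelisted pass delivers, anything else goes to normal spam checks), and reproduces the forwarding failure Tom describes. All domains, IPs, records and the whitelist are constructed; only `ip4` mechanisms and the `all` qualifier are implemented, since `a`/`mx`/`include` need live DNS.

```python
import ipaddress

# Constructed SPF TXT records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",   # strict "-all"
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",  # transitional "~all"
    "example.net": None,                              # publishes no SPF record
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
WHITELIST = {"example.com"}  # constructed local list of "well behaving" domains

def spf_check(sender_domain, client_ip):
    """Toy SPF evaluator: only ip4 mechanisms and 'all' are supported.
    Real SPF also resolves a/mx/include, which needs live DNS."""
    record = SPF_RECORDS.get(sender_domain)
    if not record or not record.startswith("v=spf1 "):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is "+" (pass)
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        elif term == "all":                  # catch-all, normally last
            return RESULT[qualifier]
    return "neutral"

def policy(sender_domain, client_ip):
    """Martin's receive-side policy from the thread: fail -> drop,
    softfail -> tag, whitelisted pass -> deliver, else normal spam checks."""
    result = spf_check(sender_domain, client_ip)
    if result == "fail":
        return result, "drop"
    if result == "softfail":
        return result, "tag-as-spam"
    if result == "pass" and sender_domain in WHITELIST:
        return result, "deliver"
    return result, "normal-spam-checks"

def forwarding_case():
    """Tom's objection: a genuine example.com message (sent from 192.0.2.5) is
    forwarded by a third-party host at 203.0.113.7 without rewriting the
    envelope sender, so the final hop sees the forwarder's IP and hard-fails."""
    direct = policy("example.com", "192.0.2.5")
    forwarded = policy("example.com", "203.0.113.7")
    return direct, forwarded
```

The forwarded message is dropped even though it is legitimate, which is why the forwarding problem needs either envelope rewriting at the forwarder or a receiver that does not treat a bare fail as a drop.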

