LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Reminder: Please Respond to S.'s Invitation


Rick Moen rick at linuxmafia.com
Thu Jan 15 03:27:53 GMT 2009


Quoting paul at clubi.ie (paul at clubi.ie):

> Why do you think spammers are unable to set up valid SPF records?

This is a Frequently Answered Question.

The answer is:  Good.  Since the aim of SPF is to enable reputable
domains to prevent people from fraudulently forging _their_ mail and
being credible at doing so, by making sure that it's possible to know
that the originating IP is _not_ an authorised MX for that domain, it
doesn't hurt at all for spammers to say "These IPs and these IPs alone
should be considered authorised sources of mail from
scumware-domain-of-the-week.com."  In fact, even _if_ you make the
elementary mistake of thinking SPF is intended to "block spam", it's
_still_ a step forward, because now each scumware-domain-of-the-week.com 
has its own reputation, making reputation-ranking schemes more workable.

(For example, I might set up a heuristic in my MTA where mail claimed to
be from domains my MTA hasn't heard of before gets more-skeptical
scrutiny than those with track records.)



> Spammers were the leading *ADOPTERS* of SPF (note that this article 
> is from 2004):
> 
> 	http://www.techworld.com/security/news/index.cfm?newsid=2154

Correct but irrelevant.  As a commentator on that completely clueless
article (and underlying CipherTrust study) said at the time:

   Spammers are early-adopters. Who knew?

   Well, only anybody who has ever observed how quickly spammers latch on
   to any new technology designed to ease delivery of email. It's no
   secret.

   CipherTrust then went on to say that this demonstrates that sender
   authentication such as SPF will do nothing to stop spam.

   No kidding!

   It was never intended to stop spam. Nobody ever said that it would
   stop spam.

   The purpose of SPF and Sender I.D., and Domain Keys, and on and on, is
   to be able to demonstrate that the domain from which the email is
   purportedly being sent is not being spoofed. That it's really who it
   says it is. SPF et al say nothing about what sort of email it is. Never
   has, never will.

   And, Aunty would suggest that the fact that it's showing up in spam
   means, in fact, that it's working. How handy to be able to track a
   spam back to its true IP address and domain of origin!

Quoted from
http://www.theinternetpatrol.com/who-are-the-earliest-adopters-of-spf-survey-says-spammers

> I'm just amazed there are *still* people touting SPF as being an 
> effective anti-spam solution...

I'm just amazed that some people keep raising the irrelevant objection
of SPF not being "an effective anti-spam solution", when that's simply
not what it's for.

> It might have some amount of value as an attestation device 

Which is the sum total of what it aspires to, and what it does.


> but that still doesn't seem very useful

A real-life instance of how this works:  I own linuxmafia.com,
unixmercenary.net, and some other domains that originate mail.  Prior to
DKIM and SPF, third parties were able to believably forge my domains'
mail.  Now, they cannot -- and any MTA or other mail-handling software
in the world has an easy means to detect and reject (or discard)
arriving forgeries of my domain's mail, e.g., mail autogenerated by
malware and spam that forges headers.

All I had to do, to gain that benefit, was insert one TXT record into
each such domain's DNS, increment the zonefile S/N, and reload the zone.

Seems pretty damned useful, to me -- or to any other domain owner who's
tired of joe-jobs impersonating his/her domain.


> If that kind of thing matters, one really ought to be encouraging 
> digital signatures (preferably based on a PKI where certification is 
> in the hands of the people, like PGP), rather than SPF.

Those are not mutually exclusive.  Moreover, the beneficial effect of
the two is complementary.

It is illogical to argue that one being desirable suggests the other
isn't.



