
Re: SPF



Philip Miller <millenix@zemos.net> wrote in message news:<2mp6K-3uk-9@gated-at.bofh.it>...
> Erik Aronesty wrote:
> > Isaac To <iketo2@netscape.net> wrote in message news:<2lxJ5-8oQ-17@gated-at.bofh.it>...
> > 
> >> Erik Aronesty <erik@zoneedit.com> writes:
> >>
> >>> I was thinking that a spammer could create an envelope
> >>> address with
> >>> "SRS0+hash=timestamp=aol.com=bob@throwawaydomain.com" and a
> >>> From: bob@aol.com with valid SPF info in
> >>> throwawaydomain.com.
> >>> 
> >>> They, obviously, could do this.  Someone who sees that spam
> >>> will, likely, blame aol.com and not "throwawaydomain.com".
> >>> Just like spammers use throwaway IP's to send mail, they
> >>> will use throwaway domains to masquerade as forwarding
> >>> agents - just like they use throwaway IP's now.
> >>
> >>BTW, forwarding is normally set up manually, e.g., you might want your
> >>university to forward all mails to your home ISP account.  So you know
> >>exactly who are your valid forwarders (here, your university only).
> >>Your case would then be trivially blocked in the client side.
> > 
> > It cannot be stopped by the client.
> > 
> > If someone from AOL sends email to my university account and I forward
> > that to my roadrunner account without using SRS, Roadrunner could use
> > the SPF record on the original aol.com envelope header to see that my
> > university account is not a valid mail agent for AOL.com. and block my
> > forwarded files.
> > 
> > The only people involved in the blocking of my valid, forwarded mail
> > here would be AOL and Roadrunner... not me.
> > 
> > Remember, millions of people forward mail like this in many, varied
> > ways.
> > 
> > Every single one of them will need to modify their .forward scripts
> > and patch their MTA's, etc. to use SRS.
> > 
> > This solution is an enormous amount of work for everyone on the
> > Internet.
> 
> Stop arguing for a second and think about these three questions:
> 1. How many common Internet users forward mail from one address to another?
> 2. When a standard for domain forgery protection in MAIL FROM is ratified, 
> are consumer ISPs likely to ignore the needs of their customers and start 
> rejecting mail?
> 3. Are major forwarders mostly going to sit back and ignore the coming change?
> 
>  From my own experience and following the proceedings of the various groups 
> involved in these standards, here are my answers:
> 1. Only a very small percentage of email users have one address that 
> forwards to another. There are only a limited number of ways this is 

Yes, like 1 percent.  Which would be 2 million people.  

> provided to users. The only one that poses problems in terms of upgrading 
> software to automatically apply SRS or similar transformations is a .forward 
> that pipes to some program. The microscopic percentage of Internet users who 

Many, many people don't use unix, and are (like I was 4 years ago)
using shareware or small-business email programs like VisNetic or
Pegasus Mail or Kerio, etc.  You may live in a world where everyone is
either an end-user or a knowledgeable corporate/college systems
administrator.  I don't.  Small business users are probably a much
larger percentage of the internet than you think.

> 2. Consumer ISPs tend not to want to drive away customers, and it's fairly 
> easy to detect address-forwarded mail coming into a system. It's easy enough 
> for these ISPs to send a simple form email to such customers asking them to 
> enter the forwarding address into a web form, or even simply confirm the 
> forwarding address detected.
> In any case, it is very unlikely that any consumer ISP will be so unfriendly 
> to their customers that they will suddenly start rejecting mail without 
> warning.

AOL and Roadrunner auto-block mail like crazy.  It's gotten to the
point where I'll say to someone, "Did you get my mail" and they'll say
"No, but maybe <ISP> blocked it".   SPF gives ISP's just one more bad
excuse to block mail.  Yahoo blocked all mail coming from our servers
and from dozens of others for two days last week because their new
systems administrator didn't understand what mail forwarding *was* -
and thought that forwarded mail was coming through an open relay with
fake To: address headers.  We had to teach him how to look up the MX
records of the recipient and compare them to the Received: lines.

SPF adds layers of complexity beyond comprehension for most junior
systems admins.

> 3. Most major forwarding services are already watching the proceedings of 
> the standards groups, to see what, if anything, they need to do. 

Like me.  I'll be dropping SRS on my boxes as soon as some ISP starts
blocking mail from my servers with a "550 SPF mismatch" - OR as soon
as the postfix users all agree that the SRS patch should come built-in.
 That might happen in 5 years or so.


> Debian is 
> likely one of the few in which users of the forwarding service actively 
> oppose making the service compliant with potential standards.

Hardly!  SPF is a hack, and smart people are wary of it.  


http://www.irbs.net/internet/postfix/0401/1020.html

It might stop forgery of domains in mail envelopes.  But it won't stop
spam.  And the fact that it bills itself as antispam is essentially
lying, since IP's are harder to obtain than domains.
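
The SRS envelope rewriting argued about in this thread, as an added example that is not part of the original message: a simplified SRS0 scheme showing the forwarder's rewrite and bounce validation, and what a receiver can conclude from an SRS-shaped address on another domain. It is not libsrs2-compatible; the secret, the 4-character tag, the day numbers and `university.example` are assumptions.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-secret"          # assumption: held only by the forwarder
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _stamp(day):
    day %= 1024                              # 10-bit day counter, two base32 chars
    return B32[day >> 5] + B32[day & 31]

def _tag(stamp, domain, local):
    msg = "=".join((stamp, domain, local)).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode()[:4]

def srs_forward(sender, forwarder_domain, day):
    """Forwarder: rewrite the envelope sender so SPF is checked on our domain."""
    local, domain = sender.rsplit("@", 1)
    stamp = _stamp(day)
    return f"SRS0={_tag(stamp, domain, local)}={stamp}={domain}={local}@{forwarder_domain}"

def _split_srs(address):
    local, domain = address.rsplit("@", 1)
    if local[:4].upper() != "SRS0" or local[4:5] not in ("=", "+", "-"):
        return domain, None
    parts = local[5:].split("=", 3)          # tag, stamp, orig domain, orig local
    return domain, parts if len(parts) == 4 else None

def srs_reverse(address, my_domain, today, max_age=21):
    """Forwarder: map a bounce recipient back to the original sender, else None."""
    domain, parts = _split_srs(address)
    if parts is None or domain.lower() != my_domain.lower():
        return None
    tag, stamp, orig_domain, orig_local = parts
    expected = _tag(stamp, orig_domain, orig_local)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                          # forged or altered address
    if len(stamp) != 2 or not set(stamp) <= set(B32):
        return None
    age = (today - (B32.index(stamp[0]) * 32 + B32.index(stamp[1]))) % 1024
    return f"{orig_local}@{orig_domain}" if age <= max_age else None

def receiver_view(address):
    """Receiver: SPF vouches only for the domain right of the @; the embedded
    domain is a claim that only the forwarder's secret can verify."""
    domain, parts = _split_srs(address)
    claim = parts[2].lower() if parts else None
    return {"spf_domain": domain.lower(), "unverified_claim": claim}
```

For the address quoted in the thread, `receiver_view` reports `throwawaydomain.com` as the SPF-checked domain and `aol.com` only as an unverified claim, which is the domain a receiver's reputation or blocking decision should attach to.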


