
Re: spf record



On Fri, Jan 20, 2006 at 12:29:08PM -0800, Joe Emenaker wrote:
> Juha-Matti Tapio wrote:
> >SPF works only as long as spammers actually start to use it massively
> >themselves (and I think I have read somewhere that many have already
> >started to use it). If most servers start checking SPF, eventually all
> >spammers will start to use valid SPF-configured envelope addresses. After
> >that SPF does not help at all...
> .. except for the fact that it *dramatically* increases the 
> effectiveness of your RBL's. At present, if a spammer's domain gets 
> blacklisted, they'll just spoof someone else's. SPF will prevent that.

Actually I am not sure about the effectiveness either. I grepped a bit
around my personal mail server's spamassassin-rejected mails and here are my
figures:

Permanent rejects: 5069  (12+ points)
  - SPF ok:          68
  - SPF failed:      38
  
Temporary rejects: 2105  (7+ points)
  - SPF ok:          58
  - SPF failed:       5

Though my mail load is probably not at all demographic and these figures
should be taken with a grain of salt. But at least in my example more spam
passes SPF-test than fails it and failures start to correlate with
spamminess only when it is otherwise obvious that the message is spam.

> In essence, SPF would give the spammer "no place to run" when they get 
> found out. I'm honestly curious to see what they do to counter it. My 
> only guess is that they'll have to register a bunch of "throw-away" 
> domains with names like "slk2l2jhldwfhsad9123jn.com", which they use to 
> send out spam for a day and then abandon it.

In a couple minutes I can think of at least the following ways to go around
that:

a) Use any domain that either does not have SPF records or allows any
sources. For example I would be really surprised to ever see actually
effective SPF-records on debian.org.

b) Use the domain of the ISP of the zombie-machines.

c) Actually do register a throw-away-domain for a single spam-run. Domains
are fairly cheap and it is possible to send very very much spam before
blacklisting takes effect. In fact spammers already use throw-away-domains
for the websites that they need to operate to sell stuff.

I myself am not going to put SPF-records on my DNS because limiting my mail
sending options would be a major inconvenience and I do not want to let
spammers inconvenience me. That feels like almost giving up. For a single
person the inconvenience is often acceptable, but limiting all the customers
of an ISP to sending through a small set of servers sounds to me like a
customer service nightmare.

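Point (a) in the message above turns on whether a domain's published SPF record restricts sending hosts at all. The following Python is an added example, not part of the original post: it classifies a domain's TXT records by the policy they publish, following RFC 7208 evaluation rules. The function names, category labels and sample records are constructed for illustration.

```python
# Added example: classify how far an SPF policy restricts sending hosts.
# Evaluation rules follow RFC 7208. SAMPLES holds constructed TXT records.

QUALIFIERS = "+-~?"
OPEN_NETS = {"ip4:0.0.0.0/0", "ip6:::/0"}   # networks covering every address
ALL_RESULT = {"+": "open", "?": "neutral", "~": "softfail", "-": "strict"}


def classify_spf(txt_records):
    """Return 'none', 'permerror', 'open', 'neutral', 'softfail',
    'strict' or 'redirect' for one domain's list of TXT strings."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"        # no policy published: receivers get "none"
    if len(spf) > 1:
        return "permerror"   # more than one SPF record is an error
    redirect = False
    for term in spf[0].lower().split()[1:]:
        qualifier, mech = "+", term          # "+" is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech in OPEN_NETS and qualifier == "+":
            return "open"    # every source address passes before "all"
        if mech == "all":    # terms after "all" are never evaluated
            return ALL_RESULT[qualifier]
        if mech.startswith("redirect="):
            redirect = True
    # Without "all", evaluation continues at the redirect target if one
    # is given; otherwise the default result is neutral.
    return "redirect" if redirect else "neutral"


def unrestricted(domains):
    """Domains whose record gives receivers nothing to reject on."""
    return sorted(d for d, txt in domains.items()
                  if classify_spf(txt) in ("none", "open", "neutral"))


SAMPLES = {  # constructed records under reserved example names
    "strict.example": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "soft.example": ["unrelated-verification=abc", "v=spf1 a mx ~all"],
    "open.example": ["v=spf1 +all"],
    "wide.example": ["v=spf1 ip4:0.0.0.0/0 -all"],
    "nopolicy.example": ["some other txt record"],
    "noall.example": ["v=spf1 mx"],
    "redir.example": ["v=spf1 redirect=_spf.example.net"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],
}
```

A domain owner can run `unrestricted()` over their own zones' TXT records to find domains that offer receivers no basis for rejecting forged envelope senders.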