[Mimedefang] Deadline for SPF records *long w/morbid horoscope*

Kevin A. McGrail kmcgrail at pccc.com
Mon Aug 9 20:21:57 EDT 2004


Re: SPF Solving Invalid Bounces

I thought about the statement below a lot because it seemed correct at first
that pushing valid emails to all the gateways would solve the issue.
However, the more I thought about it, invalid bounces are a big problem and
SPF is a reasonable solution to start cutting down on them.  Large batches
of outbound false emails that don't match SPF or get repeated bounces should
trigger a shutdown of a client's outbound mailing ability, especially as
worms/virii that forge headers become the norm.

Further, there was a time, not too long ago, when accepting all emails was
the "correct" thing to do for the security conscious, and I think that time
will come back, especially if things such as silent discards become more
accepted.  In other words, having a valid list of users is not always
feasible or secure, and does not allow for queuing during outages/netsplits.

I also predict that the minute systems that turn away bad emails at the
gateway become ubiquitous, attacks to harvest and obtain those lists will
become commonplace again and dictionary attacks will become less common.
SPF is very good in one respect: it is only based on text records.
There are no hidden tactics and no harvesting issues that I can see.  If
implemented in a scoring manner (which is the only method I promote), it has
a lot of benefits with very few downfalls. OK, one downfall...

<doomsday prediction>
For my two cents, the biggest problem, which I have witnessed on a very small
scale and which has the potential to derail virtually any of these email
"systems", is a Distributed AND Coordinated System that literally sends a
minuscule # of spams (say ONE spam message per day per infected system).  I
call them DACs, and let's say they are sent from a legit user's email box,
through the correct server, with SPF records, with a valid escrow account
(if that system ever wins), no multiple recipients, with a valid MTA, all to
valid accounts, etc.

Now multiply that by say 45 million infected boxes sending 1 email per day
instead of 1 box sending 45 million emails per day.

Now consider doing the same thing to harvest good email addresses by looking
for one bad or good email per day.

Now include address books which are compromised on the same systems and
search mail (slowly) on the system and detect all outgoing email addresses
for the last 6 months.

Now add the ability to remotely control the zombie system so it sends
outbound and inbound data (perhaps over port 80 or something 99.9% of the
people won't catch).  And remember, we only trickle a little out at a time.
Maybe 80 bytes a day.

Now remember that SPAM (unlike viruses, we hope) = Money = Business = People
for Hire.

In short, if a virus/worm can get control, moderate the actions, spice up
the differences they have, etc., they have a much greater potential to stay
under the radar for a lot longer.  The last major worm/virii brought down an
uber-distributed system like Google.  Imagine if they had actually planned
to do that and did it only after reaching a much larger critical mass.

Oh wait, I forgot SP2 will save us :-P
</doomsday prediction>

Regards,
KAM

> I agree that invalid bounces from forged addresses aren't really a blip
> on the scale of email problems.  Also they can easily be solved using
> existing technology - just have every organization push their "valid
> user" list to the mail servers on their network boundary.  Then the mail
> will be rejected at RCPT TO time, with no undeliverable message
> generated.  (The ratware and spamware won't generate an undeliverable
> message when faced with a 550 No such user.)
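The two policy ideas in the message above (evaluating SPF as a score rather than a hard reject, and suspending a client whose outbound mail repeatedly fails SPF or bounces) can be sketched in code. The following is an added example, not code from the poster or from MIMEDefang (whose filters are written in Perl; Python is used here only for illustration). It stands in for DNS with a constructed lookup table, implements only the `ip4`, `a`, `mx`, `include` and `all` mechanisms with their `+ - ~ ?` qualifiers, and the score values and the suspension threshold are illustrative assumptions, not anything the message or SPF itself prescribes.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for DNS so the example runs offline (assumption, not real data).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "example.org": "v=spf1 a -all",
}
A = {"mail.example.com": ["192.0.2.25"], "example.org": ["203.0.113.7"]}
MX = {"example.com": ["mail.example.com"]}

# SPF qualifier prefix -> result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, arg, domain, ip, depth):
    """Return True if one SPF mechanism matches the connecting IP."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in A.get(arg or domain, [])
    if mech == "mx":
        return any(str(ip) in A.get(host, []) for host in MX.get(arg or domain, []))
    if mech == "include":
        # An include only matches when the referenced record yields "pass".
        return check_spf(arg, ip, depth + 1) == "pass"
    return False  # unknown mechanism: treat as non-matching in this toy evaluator


def check_spf(domain, client_ip, depth=0):
    """Evaluate the domain's SPF TXT record against client_ip.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if _matches(mech.lower(), arg, domain, ip, depth):
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no explicit "all"


# Scoring instead of rejecting: an SPF result only adjusts a spam score.
# These weights are illustrative assumptions.
SPF_SCORE = {"fail": 3.0, "softfail": 1.0, "neutral": 0.0,
             "none": 0.0, "permerror": 0.5, "pass": -1.0}


def spf_score(result):
    return SPF_SCORE.get(result, 0.0)


# Outbound side: our gateway's public IP (assumption) used to check whether the
# envelope-from domain a client submits actually authorizes this gateway.
GATEWAY_IP = "192.0.2.25"


def outbound_watch(events, max_bad=3):
    """Count SPF-failing or bounced outbound submissions per client.

    events: iterable of (client_id, mail_from_domain, bounced) tuples.
    Returns (per-client bad counts, set of clients to suspend).
    """
    bad = defaultdict(int)
    suspended = set()
    for client, domain, bounced in events:
        result = check_spf(domain, GATEWAY_IP)
        if result in ("fail", "softfail") or bounced:
            bad[client] += 1
            if bad[client] >= max_bad:
                suspended.add(client)
    return dict(bad), suspended


# Constructed sample of outbound submissions (not real log data).
SAMPLE_EVENTS = [
    ("client-a", "example.com", False),
    ("client-a", "example.com", True),   # one bounce, below threshold
    ("client-b", "example.org", False),  # example.org does not authorize our gateway
    ("client-b", "example.org", False),
    ("client-b", "example.org", True),
    ("client-b", "example.net", False),  # no SPF record: not counted
]

if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.25"), ("example.com", "203.0.113.9")]:
        r = check_spf(dom, ip)
        print(dom, ip, r, spf_score(r))
    print(outbound_watch(SAMPLE_EVENTS))
```

Because `include` is evaluated recursively, `198.51.100.5` sending as `example.com` passes through the `_spf.example.net` record, while an unrelated address falls through to `~all` and only picks up a softfail score rather than an outright rejection. On the outbound side, `client-b` is suspended after three submissions whose envelope-from domain does not authorize the gateway.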


