[Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

Jeff Rife mimedefang at nabs.net
Wed Sep 8 18:56:51 EDT 2004


On 7 Sep 2004 at 17:38, Kelson wrote:

> Jeff Rife wrote:
> > In the future, 
> > though, it'll get worse as more and more servers think a good SPF 
> > record but no listing on a blacklist means "OK".  As that happens, 
> > expect even faster turnaround on domain names.
> 
> Please read the article I linked to, then address this point again.
> 
> Anyone who thinks "SPF Pass" is supposed to mean "Not Spam" hasn't been 
> paying attention.

I don't see what you mean.  I said that if the SPF matches but the 
domain isn't on a blacklist, then you have to do *exactly* the same 
content scanning you do now...SpamAssassin, etc.  So, why bother with 
SPF at all, since spammers will eventually *always* send from domains 
not on blacklists but with accurate SPF info?

> Suppose that you get a message claiming to be from speed.net.  Suppose 
> it's actually been sent using Outlook, or Eudora, or something that 
> imitates it well enough that all the headers are typical of "real" mail. 
> Now, how can you tell whether it's really from speed.net or not?

I don't really care, and most other people don't, either, if the 
content says "this is SPAM".

If it *isn't* SPAM, then SPF isn't really enough to give somebody 
confidence in saying "yes, this is authentic" or "no, it isn't", for 
several reasons:

- The envelope return address (and *everything* but the "From:"
  content) can be forged to be "@speed.net", and accurate SPF data used
  for the "From:" address.
- The "From:" address can be close enough to "@speed.net" to be used in
  phishing e-mail.
- Knowing if an e-mail is "From: yyy at speed.net" doesn't help to
  determine if it SHOULD BE "From: yyy at speed.net".

SPF doesn't do enough to give any real security...PGP (or similar) 
signatures are the only real way to do this.


--
Jeff Rife        |  
SPAM bait:       | 
http://www.nabs.net/Cartoons/Dilbert/LostNetworkPassword.gif 
AskDOJ at usdoj.gov |  
spam at ftc.gov     |  
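
The envelope-versus-"From:" distinction raised in the message above, as an added example that is not from the original thread or from MIMEDefang itself: the SPF result is assumed to have been computed already by the receiving MTA for the envelope sender (no DNS is queried), and the two messages, the example.org recipient and the bulk-sender.example envelope domain are constructed samples.

```python
"""Shows why an SPF "pass" is not proof that the visible From: header is
genuine: SPF is evaluated against the envelope sender (MAIL FROM), while the
recipient reads the RFC 5322 From: header, which may name another domain.
Example code, not MIMEDefang's; no DNS lookups, the SPF result is passed in."""
from email import message_from_string
from email.utils import parseaddr

def domain_of(address):
    """Return the lowercase domain of an address, or '' if it has none."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def assess(envelope_from, raw_message, spf_result):
    """Pair the MTA's SPF result for envelope_from ("pass", "fail", "none",
    ...) with a check that the From: header domain is the same domain.
    Returns a dict stating what SPF actually vouched for."""
    msg = message_from_string(raw_message)
    env_dom = domain_of(envelope_from)
    hdr_dom = domain_of(msg.get("From", ""))
    aligned = bool(env_dom) and env_dom == hdr_dom
    if spf_result == "pass" and aligned:
        verdict = "envelope domain authorised; From: header agrees"
    elif spf_result == "pass":
        verdict = "envelope domain authorised, but From: names another domain"
    else:
        verdict = "no SPF authorisation for the envelope sender"
    return {"envelope_domain": env_dom, "header_domain": hdr_dom,
            "aligned": aligned, "spf": spf_result, "verdict": verdict}

# Constructed sample: envelope sender is a domain the sender controls and
# has published SPF for, while the displayed From: claims speed.net.
FORGED_FROM = ("From: Support <support@speed.net>\r\n"
               "To: victim@example.org\r\n"
               "Subject: Account notice\r\n\r\nPlease log in.\r\n")
# Constructed sample: envelope sender and From: use the same domain.
CONSISTENT = ("From: Support <support@speed.net>\r\n"
              "To: victim@example.org\r\n"
              "Subject: Account notice\r\n\r\nHello.\r\n")

if __name__ == "__main__":
    print(assess("bounce@bulk-sender.example", FORGED_FROM, "pass")["verdict"])
    print(assess("support@speed.net", CONSISTENT, "pass")["verdict"])
```

Even when the domains agree, the check only tells you the envelope domain was authorised to send; it cannot tell you whether speed.net, or a lookalike of it, is the domain the message should have come from.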