A few responses off the top of my head...
At 06:58 PM 6/30/2004, Lucas Albers wrote:
> Under the SPF architecture, it is assumed that all email goes directly: A->B.
SPF is changing significantly with the Caller-ID merger. Neal should check out the SPF mailing lists for more current info.
> Making matters worse, mobile users will be blocked by SPF. Consider this:
> A department at IBM decides to hold an off-site meeting.
> They all leave the comfort of IBM and take their laptops.
> They go to send email from their laptop.
> - Their IP address does not match IBM.com's SPF entry. Email is blocked.
IBM sets up an SMTP-AUTH server, problem solved.
> SPF does not stop the email from being generated, traversing the network, or being received by the recipient mail server. It only limits the email that can be placed in the file repository.
1) The recipient can often reject the message before DATA.
2) If there are intermediate servers (say A->forwarder->B, or A->secondary MX->B), then those servers can implement their own SPF checks.
> - Compromised hosts. We are seeing a trend where hosts are targeted for
> being compromised, and not just compromised randomly.
> If any host in the "citibank.com" domain gets compromised, then it
> could be very lucrative for a phisher.
If a host in citibank.com is compromised, phishers are the least of our worries.
> - Spelling errors. A spammer can configure "c1t1bank.com". How many
> ways can you spell "citibank"?
That are indistinguishable from the correct spelling? One. That look like L337-speak? Lots. This is going to vary depending on what letters are in each name - paypai.com (with a capital I) was a classic example.
> - "If I can't, nobody can." Spammers have waged month-long DoS attacks
> against blacklist providers. They could simply cause a DoS attack
> such that a service provider (e.g., ebay.com) would be forced to route
> traffic via a secondary route. At that point, the provider has three
> choices:
> (1) don't use SPF, (2) open SPF to all hosts, or (3) not be able to
> email their customers.
Or (4) change their SPF record to cover the new route. (Gee, that was easy.)
> SPF is not a solution -- it is a hack and a bandaid. It addresses the symptom without addressing the problem. Until the problem is addressed, spammers will always win.
What does Neal think the problem is? He doesn't actually say.
SPF isn't designed to stop spam, it's designed to stop email forgery. A lot of people assume it's the former and decide it's useless on that basis - which is like complaining that a coffee pot is useless for making breakfast because it won't help you fry an egg.
Really, he needs to take a look at the SPF mailing lists - the website is way out of date.
Kelson Vibber
SpeedGate Communications <www.speed.net>
