JamesDR wrote:
Phil Barnett wrote:
On Tuesday 12 December 2006 07:28, JamesDR wrote:
There is nothing in SPF to keep a spammer with a botnet from putting
0.0.0.0/0 as their approved domain limit.
Sounds like a good spam sign to me. Let the spammers put 0.0.0.0/0 in
their spf records, I'll pop in 3 points for good measure.

But, you are making some assumptions at this point and that is the crux of why SPF can't work very well.

Say you give points for that one. So, where do you draw the line? Do you give points for (for example) 123.0.0.0/8? What if that is someone's legitimate domain space?

Bot masters can easily set up SPF addresses that will encompass giant subnets of bots. You'll never know where to draw the line.


Even better. If they give me a giant subnet of SPF records, I know exactly what IPs I don't want connecting to my mail server. If a spammer sends a spam from a subnet that passes SPF, I will (and have) gone and looked at their record and blocked what they say is 'allowed' to send me spam. In a way, they've done me a huge favor by letting me block their entire botnet at the router. Quite effective at stopping spam indeed. This does have a huge issue with collateral damage; however, what I would also do is contact the ISP and point them to the SPF record: "see, your network is owned by a spammer." It also makes it very handy for RBL lists to know where future spam will come from.

I welcome spammers creating SPF records. Makes my job quite easy in stopping the bot army.


What would stop a spammer from entering any IP they chose? As far as I know, there is no one auditing SPF records. So if I spammed a domain using a hole in your server, simply adding ip4:65.113.179.82 would allow the messages to pass SPF, correct?

I don't see how pointing to that SPF record would enable me to call you and say "see, your network is owned by a spammer." If anything, I would think you could engineer a way to make a mail server DoS itself using SPF.

My father always used to say about small locks, "they keep honest people honest, but they never stopped a thief". SPF seems a lot like that to me.

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
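The scoring idea Phil describes above (treat an absurdly wide ip4 range such as 0.0.0.0/0 or a /8 as a spam signal worth a few points, whatever the SPF result) as an added example that is not code from the thread or from any SPF library. It uses only Python's ipaddress module, handles just the ip4 and all mechanisms (a, mx, include and redirect are ignored), and the records and sender addresses are constructed; the /16 threshold and the 3-point weight are assumptions.

```python
import ipaddress

# Constructed sample SPF records (not from the thread). 65.113.179.82 is the
# address DAve quotes; it is used here only as a sample sender IP.
SAMPLE_RECORDS = {
    "legit.example":  "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "botnet.example": "v=spf1 ip4:0.0.0.0/0 -all",
    "wide.example":   "v=spf1 ip4:123.0.0.0/8 ~all",
}

# An ip4 mechanism with a prefix shorter than this is flagged as suspiciously
# broad (a /16 already covers 65,536 hosts); the threshold is a local policy choice.
BROAD_PREFIX = 16
BROAD_POINTS = 3  # the "3 points for good measure" from the thread

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Yield (qualifier, mechanism, argument) for the ip4 and all terms of a record."""
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"                       # no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "all"):
            yield qualifier, name.lower(), arg


def evaluate(record, sender_ip):
    """Minimal SPF check over ip4/all terms: the first matching mechanism wins.

    Returns (result, broad_networks, spam_points). Every ip4 term is inspected
    for breadth even after a match, so a pass from a /0 still earns points.
    A record with no matching mechanism yields "neutral".
    """
    ip = ipaddress.ip_address(sender_ip)
    result, broad, decided = "neutral", [], False
    for qualifier, name, arg in parse_terms(record):
        if name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            if net.prefixlen < BROAD_PREFIX:
                broad.append(str(net))
            matched = ip in net               # False for a mismatched IP version
        else:
            matched = True                    # "all" matches every sender
        if matched and not decided:
            result, decided = QUALIFIERS[qualifier], True
    return result, broad, (BROAD_POINTS if broad else 0)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, evaluate(record, "65.113.179.82"))
```

A real deployment would resolve the published record first and feed the points into the existing spam score rather than blocking on them alone, given the collateral damage Phil mentions.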
