
Spammers Are Early Adopters of SPF Standard

michael posted more than 9 years ago | from the doh dept.

Spam 249

nazarijo writes "In an article entitled Spammers using sender authentication too, study says, Infoworld reports that a study by CipherTrust shows that SPF and Sender ID (SID) aren't nearly as effective as we expected them to be when combatting spam. The reason? Spammers are able to publish their own records, too. 'Spammers are now better than companies at reporting the source of their e-mail,' says Paul Judge, noted spam researcher and CipherTrust CTO. Combined with low adoption rates of either SID or SPF (31 of the Fortune 1000 according to CipherTrust), this means that the common dream of SPF or SID clearing up the spam problem won't be coming true. Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam. Various SID implementations exist, including a new one from Sendmail.net based on their milter API, making it easy for you to adopt SID and try this for yourself."


249 comments

A Change Needs to be made (1, Insightful)

CypherXero (798440) | more than 9 years ago | (#10153624)

OK, we need to change SMTP completely. It was created back when the internet was somewhat new, and spam e-mail was unheard of. The protocol itself needs a change.

Re:A Change Needs to be made (3, Interesting)

pikine (771084) | more than 9 years ago | (#10153664)

A more reasonable change would be SMTP-TLS, employing a policy of using authorized certificates like the secure websites. This protocol is already there, but it's the wide adoption that is the problem.

Re:A Change Needs to be made (3, Interesting)

T-Ranger (10520) | more than 9 years ago | (#10154003)

If you are talking about using TLS to ensure authenticity of a source, then SPF does that (somewhat). If a message claims to be from domain X, and domain X uses SPF and already only allows messages from their servers, then that message is from domain X. TLS, as far as authenticity goes would add nothing. The only difference is that spammers would now also have to buy a TLS cert.

About the only attacks that TLS would prevent would be IP spoofing. These days, that is very, very hard.

What would TLS add?

Unique Internet-user ID (0)

Anonymous Coward | more than 9 years ago | (#10153665)

Why not?

License it from your government like a passport.

It would allow the officials to track down paedophiles, drug-dealers and spammers. No drawbacks, except that if you're living in China you might run into trouble for sending certain kind of e-mails but that's China's internal business (and don't you dare to give me that "let freedom ring"-crap).

Re:A Change Needs to be made (1)

rokzy (687636) | more than 9 years ago | (#10153783)

who marked this flamebait?

some time ago...
-"the laws of Newton and Kepler don't explain the orbit of Mercury. The theory itself needs a change."
-"oh teh no3s U R teh fl4meba!tz0rrrzzzzz!!!!!one"

Sometimes something new is needed. This is called progress and is strongly associated with the concept of learning from your mistakes.

Re:A Change Needs to be made (2, Insightful)

mattdm (1931) | more than 9 years ago | (#10153999)

Sounded more like:

"The laws of Newton and Kepler don't explain the orbit of Mercury. This whole 'science' stuff needs to change. It was created a long time ago, and it's time to throw it all out and start with something new."

Maybe that's not flamebait, but it is silly. Changing theories to match new data metaphorically maps very well to adding SPF to SMTP -- not to throwing the whole thing away.

Re:A Change Needs to be made (3, Insightful)

ZorbaTHut (126196) | more than 9 years ago | (#10153793)

How would you change it?

Why can't these changes be integrated into SMTP-as-we-know-it?

It's all very nice to say "it needs to change", but until you explain why changing it is the best solution - or even vaguely useful - it's not going to happen.

Re:A Change Needs to be made (0)

Anonymous Coward | more than 9 years ago | (#10153841)

This is silly. SMTP is a valuable protocol and email over SMTP is a valuable service.

If you want other mail protocols, they exist - I think exchange servers can exchange email without them - and uucp can as well - but the reason SMTP survives is because of its benefits.

If you have a spam problem, quit using your email address to sign up for stuff from questionable organizations.

Re:A Change Needs to be made (0)

Anonymous Coward | more than 9 years ago | (#10153856)

If you have a spam problem, quit using your email address to sign up for stuff from questionable organizations.

Agreed totally. We solved 90% of the spam problem here by giving employees 2-email accounts each - one for work & reputable partners and one for other signups, etc.

I had used the same approach in the past when I ran an affiliate program that involved many questionable sites (pron sites); and while the junkmail account got trashed quickly, the official work one stayed clean for all the many years I was there. Don't give your email to spammers, and you won't get spam.

We can still use it as a spam prevention tool (5, Funny)

hchaos (683337) | more than 9 years ago | (#10153625)

All we need to do is block emails from anyone using SPF or SID.

Re:We can still use it as a spam prevention tool (2, Funny)

sploo22 (748838) | more than 9 years ago | (#10153650)

Well, there goes all mail from aol.com. Such a tragedy.

Oh wait...

Re:We can still use it as a spam prevention tool (0)

Anonymous Coward | more than 9 years ago | (#10153695)

Anyone remember that stupid Habeas anti-spam header? Once spammers started spoofing it, I switched off the positive scoring in SpamAssassin to keep them from slipping past my filters. So much for "making sure your message is heard".

Re:We can still use it as a spam prevention tool (0)

Anonymous Coward | more than 9 years ago | (#10153889)

Yeah, it's just like the immense value of finding a stock analyst who's wrong 90% of the time.

spam spam (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10153630)

penis penis nigeria tenn porno

The point of SPF (5, Insightful)

pikine (771084) | more than 9 years ago | (#10153631)

... is not to block spam, but to identify the source of an e-mail. Spammers can definitely identify themselves if they so choose. I think it is still a welcoming trend.

Re:The point of SPF (3, Insightful)

forevermore (582201) | more than 9 years ago | (#10153954)

The point of SPF is ... to identify the source of an e-mail

This point needs to be emphasized. The whole point of SPF is to prevent spammers from falsifying return addresses. If they want to publish their own legitimate SPF records, then by all means let them. Then we can just block them by their domain names without any fear of blocking legitimate email.

Re:The point of SPF (2, Insightful)

CodeMaster (28069) | more than 9 years ago | (#10153985)

Exactly the point. I'd love to see that the spam I get is tagged with SPF - will make scripting and filtering the spam even easier with a way to actually track down precisely where the spam is coming from.

get a free ipod! [freeipods.com] This really works... [iamit.org] 2 more gmail invites left!

Security? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10153633)

Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam.

Most likely it was designed for "national security".

Big brother democrats would like to keep an eye on gun-loving individuals, so that their girlie-man interests would not be endangered.

Is pro-wrestling for real? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10153720)

Tell me, do you also believe that pro-wrestling is for real?

Article Poster Doesn't Understand SPF (5, Informative)

Anonymous Coward | more than 9 years ago | (#10153636)

Idiot. The point of Sender ID systems is to make it easy to track down spammers and enforce spam laws. Sender ID isn't meant to stop spam like spam filters or sender payment schemes but make laws enforceable.

Re:Article Poster Doesn't Understand SPF (0)

Anonymous Coward | more than 9 years ago | (#10153765)

Trying to fix the technical ineptitude of slashbots with informative posts is like trying to kill dolphins by getting drunk and pissing in the ocean: an admirable cause, but flawed execution.

Re:Article Poster Doesn't Understand SPF (2)

kfg (145172) | more than 9 years ago | (#10153851)

. . . like trying to kill dolphins by getting drunk and pissing in the ocean. . .

Hey, if dolphins don't want piss in the ocean they should just hold it until they find a restroom like the rest of us are supposed to.

KFG

Isn't this what we want? (5, Insightful)

Carnildo (712617) | more than 9 years ago | (#10153641)

Isn't putting up SPF records exactly what we want spammers to do? If they've got SPF records, running an RBL against spam domains should be easier and more accurate.

Re:Isn't this what we want? (2, Informative)

jmorris42 (1458) | more than 9 years ago | (#10153737)

You do realize how cheap it is to register a domain, right? Unless you can RBL one in under an hour it probably won't raise their cost of doing business all that much.

Re:Isn't this what we want? (3, Insightful)

YankeeInExile (577704) | more than 9 years ago | (#10153847)

Well, a quick off-the-cuff idea is thus: Expand SPF or its moral equivalent to offer a web-of-trust style interface. That is: Each piece of email comes with a pointer that says, in effect, This piece of email is from mydomain.com ... people who think that mydomain.com is cool are yourisp.com otherisp.com white-hat-geeks.net

So, I suppose what I'm proposing is a distributed whitelist.

Re:Isn't this what we want? (3, Insightful)

Carnildo (712617) | more than 9 years ago | (#10153866)

Assume it takes an hour to add a domain to an automated blacklist. I think it could be done in five minutes or so, but let's be generous:

24 domains/day * 365 days/year * $12/domain = $105,120

That's a hundred thousand dollars they didn't used to need to spend each year. Automated blacklisting in five minutes boosts the costs to well over a million dollars a year.

Re:Isn't this what we want? (4, Insightful)

AtOMiCNebula (660055) | more than 9 years ago | (#10153884)

But now, spammers have to invest money in what they're doing. It doesn't matter if it's much or not, but it is something. It's more than what they were paying before, so unless they don't mind cutting into their profit margins, they're going to be affected by this.

Compare what it used to be with how it is now. It used to be that spammers could use any domain they want. Now they can only use domains they own (assuming they're using SPF), and as soon as one domain is RBL'd, they're going to need another domain. More work for the spammers. And more cost too.

What I'm trying to say is that, yes, domains are cheap. But now they're paying for domains that they didn't have to before.

The SPF faq on Throwaway domains. (2, Interesting)

nlinecomputers (602059) | more than 9 years ago | (#10154004)

From the SPF objections page at http://spf.pobox.com/objections.html


Throwaway Domains

(From John Levine:) Or spammers can register throwaway domains of their own, since burning an $8 domain for a 10 million message spam run isn't much of a deterrent.

Throwaway domains can be listed in sender blacklists which respond in real time to automated discovery methods.

SPF needs to work in hand with reputation schemes.

There are many possibilities. The reputation scheme most familiar to people is the DNSBL, which blacklists IP addresses. RHSBLs are the analogue for domain names. A number of them are listed at the bottom of Blacklists Compared.

% dnsip yahoo.com.spamdomains.blackholes.easynet.nl

% dnsip amazingoffersdirect.net.spamdomains.blackholes.easynet.nl
127.0.0.2
%

Greylisting is another approach. It is elegantly simple, but it has three disadvantages.

1. People don't like to have to wait for real mail. After a while your users will say, "why is mail from my mom always getting delayed by an hour?" and you'll have to whitelist all your users' moms.
2. You need to do custom whitelisting for entire domains, because Yahoo Groups does not respect transient failure errors --- it treats them as permanent.
3. It is trivial for spammers to get around greylisting, because spammers don't actually queue messages; everything's just an entry in a database. Spammers aren't stupid. They can just repeat the run. Until they figure this out, greylisting will work.

Some suggest that reputation schemes would eventually be a lot like credit rating agencies: they don't say "yes, approve this loan"; instead they tell you what an individual's credit risk is, and it's up to the bank to decide.

Similarly a reputation service would provide a spam vs total ratio: (numbers are made up)

domain: yahoo.com
born: 199501
total: 4.3E12 messages
spam: 1.2E3 messages
ratio: 2.8E-10

domain: superspammer.net
born: 200303
total: 6.3E7 messages
spam: 3.4E7 messages
ratio: 0.53

Of course those numbers would have to be based on SPF-verified domains. There would be three types of domains--- SPF, "best-guess-match", and non-SPF publishers. "Best-guess-match" means the domain would have passed SPF tests if it had declared "a mx ptr" mechanisms. But that's a small detail.

Any major ISP could track these stats pretty easily and build their own reputation system. Or non-ISP organizations like Cloudmark could too. I expect The Internet will come up with a good, free one that's built right into MTAs like Postfix and Sendmail.

The algo would work something like this:

If the sender domain is known to the reputation system, we can make the decision based on local policy. (Local to the domain, or even to the individual user.)

If we don't have a lot of data on the sender domain, (eg. maybe the domain hasn't been around very long) we can do greylisting for the first pass; if our reputation service has good response times, we can expect it to have an answer ready the second time the sender tries. Or we can accept the mail but content-filter it, then report the results to a reputation system.

Obviously we need to introduce expiry and all that other stuff, but that's the basic idea.

And it would become an accepted social standard that if your domain hasn't been on the Internet very long, you wouldn't expect your mail to get through to people right away.

There's lots of research going on in the reputation systems space. It doesn't seem to be a fundamentally hard problem.


Basically you end up only accepting mail from known trusted domains. If you are just starting a domain then your mail may be held up or even bounced by some users. Just as new car drivers get higher insurance so can new email domains have to pay in bounce messages to have mail go out. Once you prove yourself, your ability to send mail will become easier.
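The decision flow quoted from the SPF FAQ in the post above (apply local policy to known domains, greylist new ones, then content-filter and report), sketched as an added example that is not part of the original post or of any MTA. The thresholds, the `MailPolicy` class and the `fresh-offers.example` domain are assumptions made up here; the two reputation entries reuse the FAQ's made-up numbers.

```python
from dataclasses import dataclass, field

# All three values are assumed local policy, not taken from the FAQ.
MIN_SAMPLES = 1000     # SPF-verified messages needed before the ratio is trusted
REJECT_RATIO = 0.5     # spam/total ratio at which mail is refused
GREYLIST_DELAY = 300   # seconds an unknown sender must wait before a retry counts


@dataclass
class Reputation:
    total: float = 0.0   # SPF-verified messages seen from the domain
    spam: float = 0.0    # how many of those were classified as spam

    @property
    def ratio(self):
        return self.spam / self.total if self.total else 0.0


@dataclass
class MailPolicy:
    reputation: dict = field(default_factory=dict)  # domain -> Reputation
    first_seen: dict = field(default_factory=dict)  # (domain, ip) -> first attempt time

    def decide(self, domain, spf_result, client_ip, now):
        """Return 'accept', 'reject', 'tempfail' or 'content-filter'."""
        if spf_result == "fail":
            return "reject"            # domain says this server may not use its name
        if spf_result != "pass":
            # Reputation is kept per SPF-verified domain, so an unverified
            # sender name cannot borrow it; fall back to content filtering.
            return "content-filter"
        rep = self.reputation.get(domain)
        if rep is not None and rep.total >= MIN_SAMPLES:
            return "reject" if rep.ratio >= REJECT_RATIO else "accept"
        # Little or no data: greylist the first pass, then accept the retry
        # for content filtering so the outcome can be reported back.
        first = self.first_seen.setdefault((domain, client_ip), now)
        if now - first < GREYLIST_DELAY:
            return "tempfail"
        return "content-filter"

    def report(self, domain, is_spam, count=1):
        """Feed content-filter verdicts back into the reputation data."""
        rep = self.reputation.setdefault(domain, Reputation())
        rep.total += count
        if is_spam:
            rep.spam += count


def sample_policy():
    # Constructed data: the FAQ's illustrative figures for two domains.
    return MailPolicy(reputation={
        "yahoo.com": Reputation(total=4.3e12, spam=1.2e3),
        "superspammer.net": Reputation(total=6.3e7, spam=3.4e7),
    })


def throwaway_domain_lifecycle():
    """Follow a freshly registered, SPF-passing domain through the policy."""
    policy = sample_policy()
    domain, ip = "fresh-offers.example", "203.0.113.9"
    steps = [
        policy.decide(domain, "pass", ip, now=0),     # first attempt
        policy.decide(domain, "pass", ip, now=10),    # immediate re-run
        policy.decide(domain, "pass", ip, now=400),   # retry after the delay
    ]
    policy.report(domain, is_spam=True, count=1500)   # filter verdicts reported
    steps.append(policy.decide(domain, "pass", ip, now=500))
    return steps


if __name__ == "__main__":
    print(throwaway_domain_lifecycle())
```
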

Re:Isn't this what we want? (1)

taustin (171655) | more than 9 years ago | (#10153957)

Most spam comes from spammers who are already registering domains faster than you can possibly add them to a block list.

Weng and Wong are the same person. (4, Informative)

Anonymous Coward | more than 9 years ago | (#10153644)

The principal author of SPF is Meng Weng Wong. Just one person. Doofus.

Re:Weng and Wong are the same person. (0)

Anonymous Coward | more than 9 years ago | (#10153698)

Yes, look at Mong Weng Wang [impressive.net] in his full splendour!

Re:Weng and Wong are the same person. (0)

Anonymous Coward | more than 9 years ago | (#10153710)

The principal author of SPF is Meng Weng Wong. Just one person. Doofus.

Solly.

Wow (2, Insightful)

FiReaNGeL (312636) | more than 9 years ago | (#10153646)

Spammers are like viruses, they adapt amazingly fast. You thought that this new technology would hinder their 'business', but they turn it to their advantage! Oh look, a valid sender ID... I'll just open this mail, it can't be spam, right? Right?

Oh well, at least filters are getting VERY good at catching 99% of it.

Re:Wow (1)

erick99 (743982) | more than 9 years ago | (#10153735)

Yes, filters are getting very good. Gmail has excellent filters and a "report spam" button for anything that makes it through. I still get 200+ spam a day but they go into a spam folder. My confidence level in the spam folder, after several months of "training" is very high. As a result, I rarely look at it. I just dump it every few days. The folks who truly do not want spam will use filters. The spammers can trump any other technology thrown at them.

Cheers,

Erick

Re:Wow (1)

haruchai (17472) | more than 9 years ago | (#10153846)

Of course, what I consider to be the biggest problem with spam still remains: the sheer number of messages which must be accepted and filtered. Does anyone have any idea what the real cost of spam is in terms of dollars, bandwidth and time?

Re:Wow (1)

Doctor Crumb (737936) | more than 9 years ago | (#10153777)

The point of SPF is not to whitelist servers that have it. Instead, the purpose is to not trust (and possibly blacklist) servers that don't.

Re:Wow (2, Informative)

Desert Raven (52125) | more than 9 years ago | (#10153881)

Actually, that's not the point either.

The point is to not trust mail from domains having SPF records, where the sending server is not listed.

Whether or not AOL *has* an SPF record is not relevant. What is relevant is that *if* AOL has an SPF record, any mail with an AOL envelope sender should come from a server covered by that SPF listing.
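The rule in the comment above (distrust only when the envelope sender's domain publishes an SPF record and the connecting server is not covered by it), as an added example that is not code from the thread or from any SPF implementation. It evaluates only the `ip4`, `ip6` and `all` mechanisms; the records, domains and addresses are constructed, and `check_spf`, `evaluate` and `should_distrust` are names made up here.

```python
import ipaddress

# Qualifier prefix -> result returned when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records, keyed by envelope-sender domain.
# "nospf.example" is deliberately absent: it publishes nothing.
RECORDS = {
    "corp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-offers.example": "v=spf1 ip4:203.0.113.9 -all",  # a spammer's own domain
}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the connecting IP, left to right.

    Returns 'none' when the domain publishes no SPF record, the qualifier's
    result for the first matching mechanism, 'neutral' when nothing matches,
    or 'unsupported' when a term outside this subset (a, mx, include, ...)
    is reached before any match.
    """
    fields = record.split() if record else []
    if not fields or fields[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in fields[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "unsupported"                 # would need DNS lookups to decide
    return "neutral"


def evaluate(domain, client_ip):
    """Look up the constructed record for a domain and evaluate it."""
    return check_spf(RECORDS.get(domain), client_ip)


def should_distrust(result):
    # Only an explicit fail counts against the message. 'none' means the
    # domain made no statement, and 'pass' only confirms the sender name:
    # it says nothing about whether the message is spam.
    return result == "fail"


if __name__ == "__main__":
    for domain, ip in [
        ("corp.example", "192.0.2.25"),          # listed server
        ("corp.example", "203.0.113.9"),         # forged sender name
        ("bulk-offers.example", "203.0.113.9"),  # spammer with valid SPF
        ("nospf.example", "203.0.113.9"),        # no record published
    ]:
        result = evaluate(domain, ip)
        print(domain, ip, result, "distrust" if should_distrust(result) else "-")
```
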

Understanding SPF (4, Informative)

grasshoppa (657393) | more than 9 years ago | (#10153647)

Understanding SPF as I do, I can't see how anyone expected this to "end the spam problem".

It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers.

But, as is stated, it's completely possible for spammers to keep their dns records updated too.

Now, if only we could get the whois accurate. ;)

Re:Understanding SPF (3, Informative)

aardvarkjoe (156801) | more than 9 years ago | (#10153699)

You know, spammers don't just forge the sender for fun. It's an integral part of their methods of staying a step ahead of being shut down. If you can prevent them from doing it, then you make it that much more difficult to spam. (Of course, we haven't reached that point yet.)

Re:Understanding SPF (3, Interesting)

moreati (119629) | more than 9 years ago | (#10153754)

It'll cut down on problems where forged senders are the main symptom, dramatically. That both includes viruses ( virii ) and some spammers


And therein lies the wonderful synergy of SPF and blacklists. Without From address forging it becomes much easier to perform the following sequence:
1. I received a Spam message from domainx.com, either:
(a) sender was a verified user of domainx.com, spf records check out
(b) no spf, sender likely forged
In case (a) inform the ISP of domainx.com, if further verified Spam messages are received from domainx.com, blacklist it.
In case (b) if SPF is in widespread use for legitimate mail then the spam message is easier to mark as such (less need to resort to expensive statistics on the body). If SPF is not widespread there is less benefit.

Regards

Alex

Re:Understanding SPF (2, Interesting)

Jane_Dozey (759010) | more than 9 years ago | (#10153900)

But then the main symptom is probably going to change rather than go away.
Blocking one form of attack will most likely mean an increase in another, or a new one entirely.
I doubt very much that SPF will be an end to spam, even if it is widespread.
People need to be taking away the incentive for spammers to bother. Would _you_ send out millions of emails if you weren't going to make any money?
This is a social problem, not a technical one.

Re:Understanding SPF (1)

Flower (31351) | more than 9 years ago | (#10153922)

My personal opinion is the spammers are using SPF as a legal tactic. They can try to disavow liability if someone accuses them of sending unwanted spam. "Did it have our SPF data? No? It wasn't us." It makes them seem reasonable and staying on the straight and narrow.

As to whether that is the actual case....

Did anyone expect this would reduce spam? (1)

knighten (615311) | more than 9 years ago | (#10153653)

This is certainly what was expected by everyone I've discussed this with!

No one claimed it would end spam (3, Insightful)

Anonymous Coward | more than 9 years ago | (#10153656)

What it does end is domain spoofing (joe jobs), and it adds a level of accountability. If spammers are using their real domains, great. We go to their registrars, most of which have anti-spammer policies, and we get it yanked. If it costs the spammers money, it's a good thing.

Real world vs. fanboy fantasies (-1, Troll)

Mike Bourna (748040) | more than 9 years ago | (#10153659)

I suppose this will have the GNOO/LinuxOS fanboys frothing at the mouth, SPF being yet another consumer protection invention by Microsoft and all.

I am what most people would consider a highly trained technical professional. Unlike most people who spout off at this site, I have the certificates to prove this, and furthermore they're issued by the biggest software company in existence.

I know how to tell facts from marketing fluff. Now, here are the facts as they're found by SEVERAL INDEPENDENT RESEARCH INSTITUTES:

Expenses for file-server workloads under Windows, compared to LinuxOS:
  • Staffing expenses were 33.5% better.
  • Training costs were 32.3% better.


They compared Microsofts IIS to the Linux 7.0 webserver. For Windows, the cost was only:
  • $40.25 per megabit of throughput per second.
  • $1.79 per peak request per second.


Application development and support costs for Windows compared to an opensores solution like J2EE:
  • 28.2% less for large enterprises.
  • 25.0% less for medium organizations.


A full Windows installation, compared to installing Linux, on an Enterprise Server boxen:
  • Is nearly three hours faster.
  • Requires 77% fewer steps.


Compared to the best known opensores webserver "Red Hat", Microsoft IIS:
  • Has 276% better peak performance for static transactions.
  • Has 63% better peak performance for dynamic content.


These are hard numbers and 100% FACTS! There are several more where these came from.

Who do you think we professionals trust more?
Reliable companies with tried and tested products, or that bedroom coder Thorwaldes who publicly admits that he is in fact A HACKER???

--
Copyright (c) 2004 Mike Bouma, MCSE, MCDST, MS Office Specialist, widely respected Amigan

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled "GNU
Free Documentation License".

But that's not the point of SPF (5, Insightful)

hypnagogue (700024) | more than 9 years ago | (#10153661)

The point of SPF was not to eliminate spam, but to eliminate spoofing. If successful, this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted.

In other words, SPF is working correctly, brighter tomorrow expected, move along, nothing to see here.

Re:But that's not the point of SPF (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10153760)

this enables effective and cheap spam filtering by forcing spammers to use domains that can easily be blacklisted

And we all know how effective blacklists are, right?

The problem with SPF is that it breaks one of the features of SMTP that makes it useful - the ability to send mail from a different location without having to change your email address. If my employer implemented SPF, I wouldn't be able to send work email from home.

If blacklists are the ultimate answer, RBLs are much more effective at stopping spam, and they don't break any features of SMTP.

Insecure? 'nuff said. (0)

nerd256 (794968) | more than 9 years ago | (#10153677)

despite backing from software giant Microsoft Corp
---
I give all products an objective and just comparison (based on their names)

This surprises anyone? (0)

Anonymous Coward | more than 9 years ago | (#10153680)

*sigh*

In theory, when all spammers are forced to publish SPF records, along with all legitimate e-mail senders, it will be easy for legitimate companies to develop e-mail reputations for Internet domains that do and do not send spam, he said.

So it'll be just like the RBLs we have now, only you won't be able to send work email from home?

Re:This surprises anyone? (1)

beakburke (550627) | more than 9 years ago | (#10153826)

You will be able to send "work email from home" if your company uses SMTP AUTH like it should (or webmail or SMTPS) if your ISP blocks outbound port 25.

Re:This surprises anyone? (4, Informative)

chill (34294) | more than 9 years ago | (#10153836)

So it'll be just like the RBLs we have now, only you won't be able to send work email from home?

SMTP AUTH over SSL/TLS to your work's mail server and you can send all the work e-mail from home you want.

Charles

SenderID != Spam Solution (3, Insightful)

Manip (656104) | more than 9 years ago | (#10153681)

SenderID is not designed to combat spam (although many uninformed individuals think it is), it was designed to fix a fundamental problem with the E-Mail system.

You can not guarantee that an E-Mail originated from the source it said it did.

Which effectively makes black-lists useless.

With SenderIDs you are able to build effective Black-Lists/White-Lists because you can guarantee that an E-Mail came from the location it said it did. And thus decrease the amount of spam.

I'm not sure who wrote this 'study' but the fact that I know more than them says a lot.

SURBL SPF (2, Informative)

DBA_01123 (770195) | more than 9 years ago | (#10153683)

I have found SURBL - Spam URI Realtime Blocklists to be pretty effective the last while. While everything else is forged and loaded with junk text the actual links back to spammer web pages have to be at least partially valid.

All the more reason... (2, Funny)

Mateito (746185) | more than 9 years ago | (#10153686)

... to declare open season on spammers.

"What good is Viagra if you .. have no balls... .. fucker"

Re:All the more reason... (1)

Zocalo (252965) | more than 9 years ago | (#10153761)

"What good is Viagra if you .. have no balls... .. fucker"

If you've castrated the spammer properly, shouldn't that have been "fuckee" and not "fucker"? ;)

Re:All the more reason... (1)

geminidomino (614729) | more than 9 years ago | (#10153901)

If you've castrated the spammer properly, shouldn't that have been "fuckee" and not "fucker"? ;)

No. Would YOU fuck a spammer, castrated or not? Neither would anyone else. ;)

Re:All the more reason... (0)

Anonymous Coward | more than 9 years ago | (#10153780)

"What good is Viagra if you .. have no balls... .. fucker"

No, no. It's five syllables, then seven, then five. 7-3-2 is completely unharmonious.

Re:All the more reason... (2, Funny)

Mateito (746185) | more than 9 years ago | (#10153834)

> No, no. It's five syllables, then seven, then
> five. 7-3-2 is completely unharmonious.

These ads you spam me
To enhance my sex prowess
Won't help you, fucker.

You need the support of your DNS provider (3, Informative)

smartin (942) | more than 9 years ago | (#10153687)

I actually tried to set up SPF for my site this morning after reading another /. article. Turns out my DNS provider does not support TXT records and gave no indication of a willingness to do so. If it turns out that SPF and some other combination of technologies will prevent me from getting spam as well as prevent my email address from being spoofed as the From: address on spam sent to others, I guess register.com is about to lose a customer.

Re:You need the support of your DNS provider (1)

Sylver Dragon (445237) | more than 9 years ago | (#10153819)

Send them a question on it, via the website. If enough of their customers do this, maybe they will make a change. (I am a register.com customer as well, and just sent off a question on it.)

Re:You need the support of your DNS provider (1)

// (81289) | more than 9 years ago | (#10153820)

Hmm. Sounds more like your "DNS Provider" doesn't support a way for you to put TXT records in place. The actual DNS software itself WILL support TXT records unless it is the world's most bizarre DNS software :-)

Move your DNS to someone like www.xname.org who support the whole lot, and the service is free (supported by donations)

This doesn't mean you have to change your REGISTRAR, just where the DNS is delegated to for your domain.

Re:You need the support of your DNS provider (0)

Anonymous Coward | more than 9 years ago | (#10153824)

A list of SPF-enabled DNS providers and registrars is available here : http://www.spf.idimo.com/ [idimo.com]

Re:You need the support of your DNS provider (0)

Anonymous Coward | more than 9 years ago | (#10153898)

There is a list of DNS providers who support TXT records here: spf.idimo.com [idimo.com]

Re:You need the support of your DNS provider (0)

taustin (171655) | more than 9 years ago | (#10153924)

Why on earth are you not running your own DNS server? It's not rocket science. Hell, even spammers can (and do) figure it out.

switch DNS providers (1)

mattdm (1931) | more than 9 years ago | (#10153967)

I had my couple of domains at register.com which increasingly sucked. This was the last straw, and I finally switched over to pairnic [pairnic.net] and I've been much happier. Although I haven't gotten around to setting up SPF yet, they *do* let you set arbitrary TXT records.

Apparently, some people missed the point... (4, Insightful)

Otto (17870) | more than 9 years ago | (#10153700)

If spammers are now forced to identify themselves in their emails, by means of having a domain and publishing SPF records for that domain, then good.

That was the entire point.

In combination with anti-spam laws, now we have the ability to actually identify the spammers flooding our inboxes and take legal action against them for doing so.

There is no technological means that will allow random people to email you and yet prevent them from emailing you spam. Technology is simply not capable of distinguishing spam from non-spam with a 100% success rate. We can get really close, but there will always be false-positives and false-negatives in any system. And any system is vulnerable to clever hacking around the filter. You can make it terribly difficult to do so, but you can't make it impossible.

The goal of SPF never was to stop spam, it was to force somebody who sends you email to be accountable for doing so, by providing a method to track down who they are. At least, it's a good start for this sort of thing.

Re:Apparently, some people missed the point... (1)

realdpk (116490) | more than 9 years ago | (#10153786)

Heh, so when a spammer has a SPF record that states the IP sending the spam (some Chinese proxy) is valid, what will that get us? Proof that they really are sending it from China?

Re:Apparently, some people missed the point... (1)

Otto (17870) | more than 9 years ago | (#10153966)

Heh, so when a spammer has a SPF record that states the IP sending the spam (some Chinese proxy) is valid, what will that get us? Proof that they really are sending it from China?

Well, yes, but it's also proof that they really owned the domain that sent the email, because it's the domain's SPF entry that told you it was legit. Which means you can try to track down the owner of that domain.

Re:Apparently, some people missed the point... (2, Interesting)

taustin (171655) | more than 9 years ago | (#10153905)

Spammers already use automated systems to sign up for dozens of domain names at a time, using fake contact info. Nothing can be done about that, because the after life of a spam domain is less than the time it takes to detect the bogus contact info anyway. And the whole thing likely operates through a zombied proxy, making it impossible to track down the real point of origin. Add in a stolen credit card number (spammer would never do something criminal, would they?), and you have a system where adding in SPF records is one extra line of code to the section that adds in the other DNS records.

SPF will do nothing to stop, or even slow down, spam. And the more people who use SPF to whitelist, the more it will increase spam getting through.

Fake contact info... (1)

Otto (17870) | more than 9 years ago | (#10153976)

I admit that a spammer signing up for domains using zombied proxies and fake contact info is going to make it difficult to track 'em down that way. But you really have to take on one problem at a time, here.

You might consider bitching at the registrars and the system that allows somebody to buy a domain name with fake, unverified information and stolen credit cards. Something really should be done about that as well, don't you think?

In other news (4, Funny)

Dirtside (91468) | more than 9 years ago | (#10153707)

Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam. Weng, another researcher in the space, says that this is just one of the many pieces of the puzzle needed to combat spam.
Wung, on the other hand, claims that a variation of SPF will eventually win the day, while Wing, yet another researcher, believes that any acronym that can be confused with sunscreen will inevitably fail. And someone named "Wang" would like you to know that you can increase your penis size by 20% in just 2 hours!

SPF is an anti-forgery tool, not an anti-spam tool (5, Interesting)

cas2000 (148703) | more than 9 years ago | (#10153727)


SPF doesn't and can't block spam.

it has a different purpose. it prevents some email address forgeries. its main use is to allow a domain owner (e.g. an individual or an organisation or a corporation such as a bank) to specify exactly which hosts are allowed to send mail claiming to be from that domain.

in other words, it can be used to block forgeries such as phishing spams and viruses, but it is not a general purpose spam blocker.

it does that job reasonably well (or, it will when it is implemented by enough mail servers). to complain that it doesn't do a job it was never designed to do is just absurd.

Re:SPF is an anti-forgery tool, not an anti-spam t (1, Interesting)

joeljkp (254783) | more than 9 years ago | (#10153902)

Wait, wait. SPF prevents you from sending an email from one domain with a different @domain.com?

I have a university e-mail address that ends with @msstate.edu. But I don't live on campus, I live in the surrounding town and so am not on the msstate.edu domain. My SMTP host is nctv.com.

Right now, I can just set up my mail client to use email_address@msstate.edu and send it through nctv.com. Will SPF prevent me from doing that and force me to use webmail or something equally inconvenient?

Re:SPF is an anti-forgery tool, not an anti-spam t (1)

QuickFox (311231) | more than 9 years ago | (#10153941)

to complain that it doesn't do a job it was never designed to do is just absurd.

Wrong. To complain that it doesn't do a job it was never designed to do is just Slashdot.

It's not meant to stop spam (1)

FattMattP (86246) | more than 9 years ago | (#10153757)

this means that the common dream of SPF or SID clearing up the spam problem won't be coming true.
Argh! It's not meant to stop spam. It's meant to stop joe-jobs.

SPF not an effective anti-joe-job tool (1)

0x0d0a (568518) | more than 9 years ago | (#10154010)

SPF is not an effective anti-joe-job mechanism either. I have posted analysis (very negative) of SPF's anti-spam and anti-joe-job capabilities to Slashdot before.

The reason SPF isn't good at anti-joe-jobbing is that there is no trusted map for users between a domain name and a company identity. If I send an email from @boa-international.com or @bankofamerica.banknetwork.com, end users won't consider the fact that it doesn't come from @bankofamerica.com. SPF is fundamentally tied to domain names. Furthermore, SPF has only domain-level granularity, which means that the larger the company, the weaker the anti-joe-job factor. It just takes compromising one computer anywhere at Ford to be able to send trusted "Ford official customer service" email.

SPF is (a) not a good anti-spam mechanism, and (b) not a good anti-joe-job mechanism. It is a very weak and fairly broken authentication scheme. It lacks trust management (despite the fact that the SPF people admit the need for trust network management). There are known attacks on SPF that will beat it, like the fact that it rides on an easily spoofable protocol (DNS) and does not attempt to establish a secure connection on top of it.

I'm not saying that PGP is ideal, but it could be used to provide a foundation to build a strong, effective anti-spam mechanism that doesn't suffer from SPF's flaws.

Note that Microsoft's Sender ID largely suffers from the same problems as SPF.

Yahoo's Domain Keys is actually somewhat better built (provides for a more sane delegation of mail server authority, and so forth), but still is a fairly inflexible and ineffective system.

Designing secure systems is very hard, no matter *how* good at it you think you are. It took a *long* time to get SSL reasonably mature and free of attacks. Throwing out a system like PGP which *is* mature, well-tested, well-built, flexible, and in favor of something new hacked up is really not a very wise decision.

That doesn't mean that we should just take PGP and whitelist people that you know (knowing that someone's identity is correctly associated with their email address is a different thing than knowing whether they won't spam you), but if there are flags like "authorized to authorize people as legitimate email parties", non-boolean trust metrics ("I trust this person .5, he trusts this person .1, so I trust the second person .05, which is above my threshold of .001"), and some form of feedback mechanism ("This person spammed me so I trust not only him not at all, but the person that trusted him less") you have major benefits -- you have carry-over reputation ("Linus just got a new email address, but it's endorsed by his old email address") and the like. Furthermore, you can have a "company postmaster" PGP key, which is used to sign keys of employees at a company, so when a large company opens a business relationship with that company, it just has their own postmaster (which their local users trust) sign the key of the other postmaster.

What the?! (0, Troll)

Gentlewhisper (759800) | more than 9 years ago | (#10153764)

So that's it??

Any chance that "Wong", "Weng" and possibly "Wang" and many others are all really one person?

The department just creates new names to make themselves look big :)

Then again, I seriously doubt it is meant to fix anything, it is just to create a new intermediary so that we will have to end up paying them.

Constantly paying and paying, can't run away from it in Corporate Amerika!!

The real solution ... (0)

Anonymous Coward | more than 9 years ago | (#10153778)

... to spam is fear. Fear is brought on by threats of imminent bodily injury backed up by action. Chairman Mao was right: Power comes from the barrel of a gun.

Technological measures have not worked. Legal measures, where they exist, have proved worthless. That leaves the tried-and-true vigilante method.

If you believe you will get the holy living crap beat out of you for doing something, chances are considerably less that you'll do it. Ask any abused child. Half a dozen broken kneecaps and dislocated hip joints on the bodies of half a dozen well-known spammers just might do a world of good.

Nothing else does (he says as he dumps his 100,000th spam of the day).

These are only the easy solutions (1)

Dracos (107777) | more than 9 years ago | (#10153781)

The only real way to combat spam is to also stop sites and spammers from selling email addresses to each other. If the spammers don't have their most precious commodity, they can't spam.

Important notice: please update your USBank info! (4, Insightful)

coyote-san (38515) | more than 9 years ago | (#10153802)

There are four separate "spam" problems:
  • Unsolicited but legal mail from a legitimate mail server
  • Unsolicited mail (legal or not) from hijacked systems, open mail relays, etc.
  • Viruses
  • Fraudulent mail

SPF can be circumvented in the ways we're already seeing for the first category, but it should knock out the second two (and probably related) problems.

As for the final one... law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do. They're probably losing millions of dollars cleaning up the mess left by phishers, and that money would go a long way towards making phishers' lives miserable and cautionary tales for others. These organizations are large enough that phishers can't even hide behind international borders - piss off Citibank by protecting phishers and that bank may decide that it's not worth doing any business in your country.

Re:Important notice: please update your USBank inf (1)

The Blue Meanie (223473) | more than 9 years ago | (#10154030)

law enforcement may still not take phishing seriously. But I bet Citibank, US Bank, et al do.

And you might actually lose that bet. I received a "phishing" spam allegedly from CitiBank, and when I tried to send it on to spoof@, abuse@, and postmaster@, I got three very curt, very automated replies informing me that "an email you sent to us was blocked from being delivered because it appeared to be spam". Well, no shit, you geniuses. At that point I decided that I'll simply delete any further CitiBank "phishing" scams I get, and CitiBank can go pound sand. Good thing I'm not (and won't ever be) a customer of theirs.

Well, duh (1)

taustin (171655) | more than 9 years ago | (#10153858)

How could anyone possibly have thought SPF would reduce spam in any way?

No system that is under the technical control (like SPF) will reduce spam, since the spammers will simply comply. In the case of SPF, all they need do is add in a new section to the script they use to automate signing up for dozens of new domain names at a time, to add the SPF records. (These scripts already add in the other DNS records, so this is trivial.)

And no system that is under the control of someone other than the domain holder will ever be used. (Like the .mail scheme from Spamhaus, where the registrar controls your DNS records.) Only insane people will tolerate that.

The solution to spam involves dark alleys and cattle prods, not wacky technical solutions that won't do anything.

Thoughts from the peanut gallery (1, Insightful)

jd (1658) | more than 9 years ago | (#10153865)

First, the two quoted experts are Weng and Wong. If somebody posts that they both work at Wang, I am going to scream.


Second, I'd have thought that it would be obvious that trivial authentication would be useless. It's like using the existence of an X.509 certificate as proof that a site is genuine, notwithstanding that anybody can download a roll-your-own certification program and generate their own.


Third, it's ironic that corporations (who lose millions, if not billions, to fraud each year) aren't the least bit interested in authentication of any kind, whereas spammers (who probably make a very livable income from fraud) are adopting it in droves.


This last one is the most bothersome. Many (but by no means all) corporate websites use SSL for credit card info, but that's about it. And even then, usually only the server has a certificate. Client-side authentication is extremely rare.


Even for business-to-business networking, where you would have thought it very important that both ends of the connection are who they say they are, it's extremely rare to find even the most basic of security measures. IPSec? Kerberos? Nah. I've worked for companies - and even Government agencies - that were quite confident that their .rhosts file would only allow legit users access to their computers.


It's a sad day, when the only e-mail you can be sure is genuine is the e-mail that's pure crap.

Just goes to show... (0, Offtopic)

Mateito (746185) | more than 9 years ago | (#10153870)

Wong, one of the original authors of SPF and a co-author of SID, says that it was never intended to combat all spam.

... that wong was wrong all along. So long.

impossible (1)

geoff lane (93738) | more than 9 years ago | (#10153894)

The only reasonable spam solution is email acceptance rate limits by the major email routers.

A zombie PC will rapidly move from a low emission of emails to a much more rapid rate. If the upstream email routers rate limit email transmission based on historical information you strangle the spam at source.

Spam isn't eliminated, but it's seriously limited hopefully to the point where it is unprofitable.

All other methods do not address the major characteristic of spam, the large number of emails and the very low response rate.

Why all the fuss? (0)

Anonymous Coward | more than 9 years ago | (#10153895)

Slightly OT perhaps, but for the life of me I don't understand why everyone gets so upset about spam. Don't get me wrong.....I hate having to delete all the spam I get, but it's nothing compared to the physical junk mail I get in my mailbox. I think that's twice as annoying as spam.

With spam, I select some messages, hit delete, they're gone. With junk mail in my mailbox, I have to haul it from the mailbox to the trashcan, sort through it to make sure nothing is real mail I actually want, and throw it away. It wastes paper, it fills up waste receptacles faster and IMHO, far more annoying than spam.

Yet it receives far less attention.

SPF working perfectly (1)

NigelJohnstone (242811) | more than 9 years ago | (#10153897)

But that's the point isn't it! It's to stop spammers hiding behind faked addresses. If they publish proper SPF records then the spammer black list catches them.

If they fake their address to a domain publishing SPF records then the SPF check fails and the message gets flagged for aggressive filtering.

Either way they're screwed.

The day after (1)

qucmd (792313) | more than 9 years ago | (#10153926)

Just imagine we manage to kick the spam out of the internet with these temporary fixes, what happens next? I bet we'll get sloppier or disable the filters as they are so effort and time consuming. And then the spam will kick in again.
Folks. We need a definitive solution, not temporary patches.

Let me explain this (2, Informative)

Trailer Trash (60756) | more than 9 years ago | (#10153928)

Two of my domains are used in the from address of spams, to the point that I often get thousands of bounces per day. This is the "reward" for years of turning spammers in and getting them tossed from their ISP's.

These sender id schemes won't stop spam at all. It's easy for a spammer to modify his dns to show the correct records and allow him to send.

But, here's the thing: HE DOES IT TO HIS OWN DOMAIN. We can then blacklist his domains and force him to keep coming up with new ones. Whack-a-mole, yes, but at least the "moles" aren't at legitimate domains.

You can complain all you want about how this isn't going to stop spam. Maybe it won't for you, but it will cut down the worthless junk hitting my mail server.

SPF + Reputation = No Spam (2, Insightful)

Titusdot Groan (468949) | more than 9 years ago | (#10153934)

SPF was not, by itself, intended to stop spam. It was intended to stop spoofing and phishing (ie. somebody claiming to be from Citi Bank asking you to update your info).

However, once SPF is adopted it allows several things:

  1. Whitelisting of well known domains that use spf (eg. ge.com, ibm.com, etc)
  2. Blacklisting of well known spammers who use spf (ie. workable rbls)
  3. More aggressive spam content filtering of everybody who isn't using SPF -- after all you've whitelisted a LOT of the important people already.

I fully expect the anti-spam vendors to eventually come up with reliable whitelists based upon SPF eventually.

First comes the sender verification (1)

NoMercy (105420) | more than 9 years ago | (#10153973)

Then comes the blacklist of senders, so spammers can't send emails as joe@microsoft.com and instead have to send emails as joe@viagra4less.com and then you can just block viagra4less.com :)

One thing Usenet has taught me... (0)

Anonymous Coward | more than 9 years ago | (#10154006)

People who expect the Internet to be a place of order will die unhappy.

So what if they are? (0)

Anonymous Coward | more than 9 years ago | (#10154015)

spamassassin/trunk/rules/50_scores.cf says it all right here:

#
# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise. The penalties for an *incorrect* record, however, are large. ;)
#
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_PASS -0.001
score SPF_FAIL 0 0.000 0 0.875
score SPF_SOFTFAIL 0.500 0.842 0.500 0.500
score SPF_HELO_PASS -0.001
score SPF_HELO_FAIL 0 0.405 0 0.001
score SPF_HELO_SOFTFAIL 0 1.002 0 3.140
endif # Mail::SpamAssassin::Plugin::SPF

Sendmail doesn't give points for giving a hostname that resolves. However, it rejects the connection when the hostname doesn't resolve. Same thing here.
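How the rule scores quoted above play out, as an added example that is not part of the original comment or of SpamAssassin. It assumes SpamAssassin's documented convention that a `score` line with four values gives one score per score set (Bayes off/network off, Bayes off/network on, Bayes on/network off, Bayes on/network on) and that a single value applies to all four; 5.0 is the default `required_score`, and the content-rule totals passed in are constructed.

```python
# The score lines from the fragment quoted in the comment above.
RULES = """\
score SPF_PASS -0.001
score SPF_FAIL 0 0.000 0 0.875
score SPF_SOFTFAIL 0.500 0.842 0.500 0.500
score SPF_HELO_PASS -0.001
score SPF_HELO_FAIL 0 0.405 0 0.001
score SPF_HELO_SOFTFAIL 0 1.002 0 3.140
"""


def parse_scores(text):
    """Map rule name -> list of four scores, one per score set."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) < 3 or parts[0] != "score":
            continue
        values = [float(v) for v in parts[2:]]
        if len(values) == 1:
            values = values * 4  # one value applies to every score set
        if len(values) != 4:
            raise ValueError("expected 1 or 4 scores: " + line)
        table[parts[1]] = values
    return table


SCORES = parse_scores(RULES)


def score_set(bayes, network):
    """Index of the score set in use: 0..3 in the order listed above."""
    return (2 if bayes else 0) + (1 if network else 0)


def spf_contribution(hits, bayes=True, network=True):
    """Sum of the scores of the SPF rules that hit, for the active set."""
    idx = score_set(bayes, network)
    return sum(SCORES[name][idx] for name in hits)


def is_spam(other_score, hits, bayes=True, network=True, required=5.0):
    """other_score is the (constructed) total from all non-SPF rules."""
    return other_score + spf_contribution(hits, bayes, network) >= required


if __name__ == "__main__":
    # Spam with valid SPF: the pass is worth almost nothing.
    print(is_spam(6.2, ["SPF_PASS", "SPF_HELO_PASS"]))   # True
    # Borderline mail that fails SPF: the penalty tips it over.
    print(is_spam(4.3, ["SPF_FAIL"]))                    # True
    print(is_spam(4.3, ["SPF_PASS"]))                    # False
```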