LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Book review: Open Advice

Linux support for ARM big.LITTLE

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

That much trouble?

That much trouble?

Posted Sep 6, 2004 6:33 UTC (Mon) by neilbrown (subscriber, #359)
In reply to: That much trouble? by paulj
Parent article: Debian rejects Sender ID

This is a common misunderstanding of SPF.

SPF doesn't break anything and is not expected to prevent spam.

SPF simply provides a score - PASS, FAIL, UNKNOWN, ERROR (or something like that). What you do with that score is up to you.

This score is *not* a measure of how likely it is spam (though there is a correlation today, it is dropping). But that is not how you use the score.

I currently use the score like this: If it isn't PASS, and the mail contains a potentially executable attachment, drop the mail. This kills all mass-mailer viruses at very little cost.

If I ever implement a challenge-response system, it would use the score to say "Only send a challenge if the score is PASS", otherwise you might be spamming innocent people with your challenges. If the score is not PASS, and the address isn't on my white list, then I probably don't read the mail, though a very, very low spam assassin score might let it get through to me.

SPF doesn't address spam *at*all*. It addresses forgery. Once you have eliminated forgery, then other anti-spam measures like challenge-response and white-lists become must more useful.

The "breaks forwarding" is a very common misconception. Rejecting all SPF-fail messages would break forwarding, but such behaviour is not rational. Presumably you know everone who you expect to forward mail you. These sites can be whitelisted (if you trust them) or discontinued (if you don't).

(Log in to post comments)

That much trouble?

Posted Sep 6, 2004 7:50 UTC (Mon) by khim (subscriber, #9252) [Link]

It addresses forgery. Yeah, right. There are 3 millions .com domains. God knows how many in .XX for different countries and so on. More then thousand of new domains are created each day in .com. And I'm not even talking about domains of 3-4-5 level.

And the only way to track someone with SPF is to ask domain owner (often - not real person as well). The sad truth is that you can not trace sender with SPF: it's too weak to be used as court argument, for example. Any scheme where you can easily track physical sender will be rejected by masses (we already had one for more then 10 years - PGPmail or S/MIME) and if you can not do it then it'll be useless against spammers. Just like SPF is useless and will become even more useless if the future.

That much trouble?

Posted Sep 6, 2004 10:35 UTC (Mon) by neilbrown (subscriber, #359) [Link]

I think your understanding of "forgery" must be different to mine.

I mean "sending mail claiming to be from the address of some person, but not really being sent by that person".

It doesn't matter how many new domains there are every day.

It also doesn't matter whether I can track down who actually sent the forgery or not.

It just matters whether I can tell if a mail item is a forgery or not. That is the point of SPF and it does a very adequate job.

That much trouble?

Posted Sep 6, 2004 13:44 UTC (Mon) by khim (subscriber, #9252) [Link]

I think your understanding of "forgery" must be different to mine.

Hmm. Are you sure ? If mail is sent from domain where are no real users at all are registered (just SPF records and some cracked SMTP server) it's forgery or not ?

I mean "sending mail claiming to be from the address of some person, but not really being sent by that person".

Hmm... What about "mail sent from god knows where and by god knows whom" ? That's the real problem with spam, right ?

It just matters whether I can tell if a mail item is a forgery or not. That is the point of SPF and it does a very adequate job.

No, it does not. If I'm concerned about my regular correspondents PGP does much more adequate job. And when I'm concerned about others it does not make much difference to me if it's mail from joe@somewhere.com or joe@someplace.com if both joe@someplace.com and joe@someplace.com can not be traced back to physical person. Domain names are meaningless - you need to stop real physical person or you'll fight windmills forever.

That much trouble?

Posted Sep 6, 2004 15:20 UTC (Mon) by jamesh (subscriber, #1159) [Link]

Hmm. Are you sure ? If mail is sent from domain where are no real users at all are registered (just SPF records and some cracked SMTP server) it's forgery or not ?

I wouldn't call that a forgery. The SPF records tell you that the message was sent from a server authorised by the domain name holder. It doesn't tell you whether you can trust the domain name holder though (and has never claimed to).

That much trouble?

Posted Sep 6, 2004 15:26 UTC (Mon) by khim (subscriber, #9252) [Link]

I do not ask you "is it forgery from SPF point of view". I ask you "is it forgery or not". I know what SPF does. It's just what SPF does is useless: it adds new hoops for "honest" people and adds very small protection against type of forgery used by spammers.

That much trouble?

Posted Sep 6, 2004 18:10 UTC (Mon) by marble (subscriber, #2719) [Link]

You wouldn't say that when you're treated to thousands of bounces, hatemails
etc, cos some spammer has decided to send email from your address. This
happens, SPF offers a solution. SpamAssassin already does a fairly decent
job of filing spam away in the bit bucket so with widespread adoption of
SPF, I'd be happy. (Yes, it has happened to me.)

That much trouble?

Posted Sep 6, 2004 19:42 UTC (Mon) by paulj (subscriber, #341) [Link]

But you can protect against bounces with outbound-envelope-cookie schemes like SRS. Further, with SRS, you protect *yourself*, you dont rely on other people to check SPF first before sending a bounce to you.

Unlike SPF, outbound-cookies dont break, the very common, use of SMTP forwards.

SPF! It "authenticates" (cough) mail from my domain, Yay for SPF!

/me uninstalls gnupg

That much trouble?

Posted Sep 6, 2004 20:30 UTC (Mon) by rdowner (guest, #3960) [Link]

A few months ago I was "joe-jobbed". A spammer, for several weeks, was sending out spams forged to appear from my domain. The invalid email addresses were, of course, bounced back to *me* -- several hundred *a day*. If those mails servers processing the received mail support SPF (and if I had an SPF record on my domain), I would not have bombarbed with the "shrapnel" -- the receiving mail servers would have realised that it wasn't me sending the e-mail and would not have even accepted them for delivery. This would have saved me the problem of suddenly getting hundreds of messages in a short period of time, desperately reconfiguring my mail setup trying to stem the flow of bounces, and inevitably losing some of my valid mail in the process

No, SPF will not solve the spam problem, cure all disease or bring about world peace. But it will solve *some* problems, such as the problem I've just described. There is money to be made in spam and there is no doubt that the professional spammers will find new ways to get the spam delivered. However, today, I believe there is value in SPF - it will stop a class of spam attack (assuming SPF is widely adopted). It doesn't add "hoops" for the vast majority of people, as ISPs will simply need to update their DNS records with info on their mail servers and their end users need take no action (it has been remarked that "mobile" users may have some issues but there are workable solutions to that too.)

regards,
Richard Downer

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds