So why not use a callback instead?

Posted Sep 6, 2004 9:13 UTC (Mon) by lolando (subscriber, #7139)
In reply to: So why not use a callback instead? by leonbrooks
Parent article: Debian rejects Sender ID

Assume I'm a spammer. Like my fellow spammers, I don't send e-mail from my own hosts but from open relays. I therefore register the whatever.com domain, host its name servers, and make its A/MX records point to some poor sod's open relay (that would be B by your notation, if I understood it correctly). Your A receives an email from my B (appearing to be from foo@whatever.com), double-checks everything, and proceeds to deliver it, or not (that will depend on how B is set up, I suppose). In any case, I have used very little of my own bandwidth.

Maybe I missed something.


(Log in to post comments)

So why not use a callback instead?

Posted Sep 6, 2004 10:02 UTC (Mon) by frankie (subscriber, #13593)

SPF-like protocols are not a universal panacea. SPF just blocks forged addresses, like those used by a few spammers and worms. Many other spammers use fictitious domains (with good SPF records) and pass anyway. The same thing could be done by worms, potentially. So SPF complicates the life of normal users (who cannot use regular forwarding) and has very little impact on true spammers, who have methods to bypass it. I see no evidence that Sender-Id is better...
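
An added illustration, not part of this thread: a toy SPF evaluator over constructed DNS data, showing the point lolando and frankie make. SPF only decides whether the delivering host is authorized for the claimed domain; a domain whose owner publishes a record naming the open relay passes, a forged sender on the same relay fails, and a domain with no record yields no result. The zone data, addresses and the `check_host` helper are all constructed for this example.

```python
# Toy SPF evaluator (added example, not from the thread). Handles only the
# ip4, a, mx and all mechanisms with +/-/~/? qualifiers, which is enough to
# show what SPF does and does not decide. Constructed data throughout.
import ipaddress

# Constructed zone data: a legitimate domain, and an attacker-registered domain
# whose A/MX records point at a third party's open relay (the "B" in the thread).
DNS = {
    "example.org": {"A": ["192.0.2.10"], "MX": ["mail.example.org"],
                    "TXT": ["v=spf1 mx -all"]},
    "mail.example.org": {"A": ["192.0.2.25"]},
    "whatever.com": {"A": ["203.0.113.7"], "MX": ["whatever.com"],
                     "TXT": ["v=spf1 a mx -all"]},
}
OPEN_RELAY_IP = "203.0.113.7"   # constructed: the relay the attacker points at
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    return DNS.get(name, {}).get(rrtype, [])

def check_host(ip, domain):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for mail claiming
    to be from `domain` delivered by the host at `ip` (simplified SPF semantics)."""
    spf = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not spf:
        return "none"            # no record (or no such domain): SPF says nothing
    sender = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(sender) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(sender) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        else:
            matched = False      # unsupported mechanism: ignored in this toy
        if matched:
            return RESULT[qualifier]
    return "neutral"             # record exhausted without a match

def demo():
    """The three cases discussed in the thread, evaluated against the toy zone."""
    return {
        "forged example.org via relay": check_host(OPEN_RELAY_IP, "example.org"),
        "attacker-owned whatever.com via relay": check_host(OPEN_RELAY_IP, "whatever.com"),
        "genuine example.org from its MX": check_host("192.0.2.25", "example.org"),
    }
```

Filtering on SPF alone therefore stops address forgery, not mail from a domain the spammer registered and configured, which is why reputation or trust data has to sit on top of it.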

So why not use a callback instead?

Posted Sep 6, 2004 10:58 UTC (Mon) by sdalley (subscriber, #18550)

If by a fictitious domain you mean a domain that does not exist, then DNS lookup would not be able to obtain DNS records of any sort. Or do you actually mean something different?

Why no network of trust?

Posted Sep 7, 2004 14:53 UTC (Tue) by forthy (guest, #1525)

It is not obvious to me that you can't add a network of trust to an SPF-like framework. Like S/MIME or PGP, SPF records would need a signature (or several signatures, if you like). If you create your domain, the NIC usually would also sign your SPF record; done. Since domain creation is a hierarchical situation, tracing signatures back to some known good "root" signature is not really difficult.

In the end, this does not help against bot-based spam networks and worm floods. Even if you require the user to enter a passphrase for every outgoing mail, an infected PC could grab that passphrase and send spam and worms under the name of the victim. However, it is now possible to help the victim, since you can identify her (or him). Part of the success of captured computers is that the user doesn't know about it.

Copyright © 2012, Eklektix, Inc.