LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for January 8, 2009

Btrfs aims for the mainline

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

That much trouble?

That much trouble?

Posted Sep 6, 2004 13:44 UTC (Mon) by khim (subscriber, #9252)
In reply to: That much trouble? by neilbrown
Parent article: Debian rejects Sender ID

I think your understanding of "forgery" must be different to mine.

Hmm. Are you sure ? If mail is sent from domain where are no real users at all are registered (just SPF records and some cracked SMTP server) it's forgery or not ?

I mean "sending mail claiming to be from the address of some person, but not really being sent by that person".

Hmm... What about "mail sent from god knows where and by god knows whom" ? That's the real problem with spam, right ?

It just matters whether I can tell if a mail item is a forgery or not. That is the point of SPF and it does a very adequate job.

No, it does not. If I'm concerned about my regular correspondents PGP does much more adequate job. And when I'm concerned about others it does not make much difference to me if it's mail from joe@somewhere.com or joe@someplace.com if both joe@someplace.com and joe@someplace.com can not be traced back to physical person. Domain names are meaningless - you need to stop real physical person or you'll fight windmills forever.

(Log in to post comments)

That much trouble?

Posted Sep 6, 2004 15:20 UTC (Mon) by jamesh (subscriber, #1159) [Link]

Hmm. Are you sure ? If mail is sent from domain where are no real users at all are registered (just SPF records and some cracked SMTP server) it's forgery or not ?

I wouldn't call that a forgery. The SPF records tell you that the message was sent from a server authorised by the domain name holder. It doesn't tell you whether you can trust the domain name holder though (and has never claimed to).

That much trouble?

Posted Sep 6, 2004 15:26 UTC (Mon) by khim (subscriber, #9252) [Link]

I do not ask you "is it forgery from SPF point of view". I ask you "is it forgery or not". I know what SPF does. It's just what SPF does is useless: it adds new hoops for "honest" people and adds very small protection against type of forgery used by spammers.

That much trouble?

Posted Sep 6, 2004 18:10 UTC (Mon) by marble (subscriber, #2719) [Link]

You wouldn't say that when you're treated to thousands of bounces, hatemails
etc, cos some spammer has decided to send email from your address. This
happens, SPF offers a solution. SpamAssassin already does a fairly decent
job of filing spam away in the bit bucket so with widespread adoption of
SPF, I'd be happy. (Yes, it has happened to me.)

That much trouble?

Posted Sep 6, 2004 19:42 UTC (Mon) by paulj (subscriber, #341) [Link]

But you can protect against bounces with outbound-envelope-cookie schemes like SRS. Further, with SRS, you protect *yourself*, you dont rely on other people to check SPF first before sending a bounce to you.

Unlike SPF, outbound-cookies dont break, the very common, use of SMTP forwards.

SPF! It "authenticates" (cough) mail from my domain, Yay for SPF!

/me uninstalls gnupg

That much trouble?

Posted Sep 6, 2004 20:30 UTC (Mon) by rdowner (subscriber, #3960) [Link]

A few months ago I was "joe-jobbed". A spammer, for several weeks, was sending out spams forged to appear from my domain. The invalid email addresses were, of course, bounced back to *me* -- several hundred *a day*. If those mails servers processing the received mail support SPF (and if I had an SPF record on my domain), I would not have bombarbed with the "shrapnel" -- the receiving mail servers would have realised that it wasn't me sending the e-mail and would not have even accepted them for delivery. This would have saved me the problem of suddenly getting hundreds of messages in a short period of time, desperately reconfiguring my mail setup trying to stem the flow of bounces, and inevitably losing some of my valid mail in the process

No, SPF will not solve the spam problem, cure all disease or bring about world peace. But it will solve *some* problems, such as the problem I've just described. There is money to be made in spam and there is no doubt that the professional spammers will find new ways to get the spam delivered. However, today, I believe there is value in SPF - it will stop a class of spam attack (assuming SPF is widely adopted). It doesn't add "hoops" for the vast majority of people, as ISPs will simply need to update their DNS records with info on their mail servers and their end users need take no action (it has been remarked that "mobile" users may have some issues but there are workable solutions to that too.)

regards,
Richard Downer

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds