Invalid recommendations

Invalid recommendations

Posted Nov 29, 2024 17:46 UTC (Fri) by Curan (subscriber, #66186)
Parent article: Book review: Run Your Own Mail Server

Having a recommendation of "don't run your own MTA" is so very invalid on so very many levels that I am wondering why even LWN is repeating such half-thought-out statements. Giving up our infrastructure is never going to be an option.

We should rather point out bullshit and snakeoil requirements in the existing system. Has anybody ever received less spam after adding SPF and/or DKIM? I don't think so. It is just "bullshit compliance" required by big e-mail service providers to keep individuals out of the game (which rarely are the real issue). My personal best option to prevent spam was blacklisting certain IP ranges. Ever since I did that, my spam level dropped to basically "no longer measurable". But that is, I have to admit, not a politically convenient option. And probably not something you can do like this all around the world, probably not even in most cases.

I can only recommend that everybody runs their own MTA (and makes sure it is secured, of course, but that was an issue from the beginning anyway).


Invalid recommendations

Posted Nov 29, 2024 17:48 UTC (Fri) by mpr22 (subscriber, #60784) [Link] (6 responses)

I thought the point of SPF and DKIM was to reduce the amount of spam other people receive in their mailboxes whose headers allege that it's from you, not the amount of spam received by you.

Invalid recommendations

Posted Nov 29, 2024 18:00 UTC (Fri) by Curan (subscriber, #66186) [Link] (5 responses)

Well, in the end it is about me, isn't it? If I follow the example of big e-mail providers, I will reject anybody who doesn't have SPF/DKIM. It's just that, in my experience, that doesn't help. Actual spam e-mails have those valid headers most of the time. So my improvement is in the point zero-zero-x range, once I add SPF/DKIM in- and outbound.

But you are correct in the basic statement. Directly only my outbound e-mails would be affected. And to be honest: I never saw the reason why a MTA could accept my e-mails today, but not the next day, because I didn't have DKIM/SPF. It is just bullshit compliance theatre, imposed by organisations like CISA/BSI/ENISA/… (in my humble opinion).

Invalid recommendations

Posted Nov 29, 2024 18:28 UTC (Fri) by pizza (subscriber, #46) [Link] (4 responses)

> It is just bullshit compliance theatre, imposed by organisations like CISA/BSI/ENISA/… (in my humble opinion).

SPF/DKIM only attests that the sender is allowed to send on behalf of their domain. That by itself has *significantly* cut down on the amount of outright fraudulent or malicious stuff landing in folks' inboxes -- think phishing or worse, where the sender is actively trying to hide the origin of their messages.

The latter used to _heavily_ rely on spoofing legitimate domains via open relays or compromised systems; now those folks have to rely on stolen credentials, with a narrow window before the provider shuts it down.

Of course DKIM/SPF does nothing for "legitimate" [1] UCE, but then it's not supposed to.

[1] "unsolicited commercial email" where the sender is who they claim they are, aka what we traditionally referred to as "spam"

Invalid recommendations

Posted Nov 29, 2024 18:45 UTC (Fri) by Curan (subscriber, #66186) [Link] (3 responses)

Your response relies on the premise that „modern“ spammers are still relying on faked sending addresses. In my experience spam comes from two sources:
- barely secured domains (the spammers got a "legitimate" account, even though the operator would say "not an actual user")
- domains created for spamming

There is a (comparatively) small amount of e-mails that would be caught by SPF and/or DKIM.

Invalid recommendations

Posted Nov 30, 2024 13:24 UTC (Sat) by mathstuf (subscriber, #69389) [Link] (2 responses)

> There is a (comparatively) small amount of e-mails that would be caught by SPF and/or DKIM.

Might this, perhaps, be *because* they are enforced? That is, they've been required long enough that what they prevent has indeed been extinguished, but it is still cheap enough even with these being required to churn out junk email that it *appears* nothing has changed? Short of charging per email exchanged or much higher registration fees…what is actually going to increase costs for these operators?

Invalid recommendations

Posted Nov 30, 2024 13:48 UTC (Sat) by pizza (subscriber, #46) [Link]

>> There is a (comparatively) small amount of e-mails that would be caught by SPF and/or DKIM.
> Might this, perhaps, be *because* they are enforced?

Yes, exactly this.

This discussion reminds me of Y2K: afterwards, laypeople (and many that should know better!) were going "what was the big deal, the world didn't end, we're not going to believe the next so-called panic", completely missing the fact that it was a non-event only because obscene amounts of effort went into fixing everything up (barely) in advance.

Invalid recommendations

Posted Nov 30, 2024 16:53 UTC (Sat) by Curan (subscriber, #66186) [Link]

That is probably correct, but it doesn't help me, does it? My spam levels haven't dropped with SPF/DKIM, so it is, from my POV, just pointless. But we can of course argue semantics here. And obviously I would never be able to prove, that the situation wouldn't be worse, if we didn't have these.

Invalid recommendations

Posted Nov 29, 2024 18:16 UTC (Fri) by farnz (subscriber, #17727) [Link] (6 responses)

My incoming mail volumes reduced by about 5% when I implemented both DKIM and SPF; I was facing a significant amount of backscatter (due to other people's badly configured MTAs accepting spam with my address as the "From", then sending a delivery report my way when they couldn't deliver it). On some days, backscatter was more than 50% of my total incoming mail.

Implementing DKIM and SPF removed virtually all of that; I can see from DMARC reports that people are still trying to forge my e-mail address as the reply target, but their mail is no longer being accepted. And the rate of forgery has nosedived; when I first implemented it, DMARC reports from the big players (Google, Outlook.com, mail.ru) showed that they were rejecting around 99% of mail that claimed to be from me. Now, they're not reporting any.

Invalid recommendations

Posted Nov 29, 2024 18:41 UTC (Fri) by Curan (subscriber, #66186) [Link] (5 responses)

OK, that is not my experience on my rather high-volume MTAs. But if it helps you, then my experience might be skewed.

Invalid recommendations

Posted Nov 29, 2024 19:05 UTC (Fri) by farnz (subscriber, #17727) [Link] (3 responses)

It wasn't my experience, until spammers started forging my address as the "From" address of their spam. At that point, backscatter went from "something I see once or twice a month" to 5% of my incoming mail. I implemented the entire set of DMARC measures more or less out of desperation, and it basically reduced backscatter to nil. It also, as far as I can tell from the DMARC reports, had a significant impact on the amount of spam that other people got with my address forged onto it.

Invalid recommendations

Posted Nov 30, 2024 6:01 UTC (Sat) by Curan (subscriber, #66186) [Link] (2 responses)

I will assume that you run a private MTA, because your numbers make no sense on a larger base.

I am really sorry, you saw an increase in spam, but I will contest, that SPF/DKIM actually helped you. I will agree, that those technologies will have helped you to paper over existing issues, but in the end it won't matter. Today my most common spam sending e-mail domains are `gmail.com` and `hotmail.com` (ie.: Google & Microsoft, who have been pushing the hardest for SPF/DKIM).

And, TBH, it is in their interest to have these accounts. It just is not in mine and there is no automated way to prevent that e-mail from being processed by my local filters. Those catch the spam and sort it accordingly, but that also means I have to expend far more resources than I want to.

Invalid recommendations

Posted Nov 30, 2024 13:03 UTC (Sat) by pizza (subscriber, #46) [Link]

> I am really sorry, you saw an increase in spam, but I will contest, that SPF/DKIM actually helped you

Contest it all you want, but you're going to need a more reasoned argument than "I don't believe you" and quoting wikipedia definitions.

(BTW: I've been self-hosting my own email for over 25 years. The combination of SPF, DKIM, and DMARC made a *huge* difference on the domains I control)

> Today my most common spam sending e-mail domains are `gmail.com` and `hotmail.com` (ie.: Google & Microsoft, who have been pushing the hardest for SPF/DKIM).

You sound like the person who points at snow on the ground claiming that as proof that global warming isn't real.

> It just is not in mine and there is no automated way to prevent that e-mail from being processed by my local filters

Uh, nobody has ever prevented you from running your own client-side filters. (Except perhaps your employer, but that's their problem, not yours)

Invalid recommendations

Posted Nov 30, 2024 15:31 UTC (Sat) by farnz (subscriber, #17727) [Link]

OK then; if SPF/DKIM didn't help me, what exactly did reduce the load? I went from approximately 2 backscatter mails caused by spam with my address forged on it in a month, to typically 10,000 in a day, and the thing that caused it to go back down to approximately 2 in a month was implementing DKIM, SPF and a DMARC policy.

Further, having done this, I could see from the DMARC reports that for about 3 months after I set this up, big hosts like mail.ru, fastmail.com, Outlook.com, and Google were seeing typically 20,000 hosts not compliant with my DMARC policy in a day. That has now dropped to zero.

If it wasn't DKIM, SPF and a DMARC policy that helped, what was it?
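The "hosts not compliant with my DMARC policy" numbers farnz quotes come from DMARC aggregate (rua) reports, which receivers send to the domain owner in the XML format defined by RFC 7489. The following summarizer is an added example, not code from the thread or from any of the participants; the report it parses is constructed for illustration and the IP addresses are documentation-range placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (not a real one), trimmed to the
# elements a domain owner actually reads: who sent mail claiming to be
# example.org, how much, and what the receiver did with it.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>250</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>
"""

def summarize_report(xml_text):
    """Return message totals and the per-source breakdown of DMARC failures.

    A record counts as a DMARC pass when the receiver's policy_evaluated
    block shows at least one aligned mechanism (dkim or spf) passing;
    everything else is a forgery attempt (or a misconfigured legitimate
    sender), which is exactly what a domain owner wants to count."""
    root = ET.fromstring(xml_text)
    summary = {"reporter": root.findtext("report_metadata/org_name"),
               "domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"),
               "passed": 0, "failed": 0, "failing_sources": {}}
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        evaluated = rec.find("row/policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            summary["passed"] += count
        else:
            summary["failed"] += count
            ip = rec.findtext("row/source_ip")
            summary["failing_sources"][ip] = summary["failing_sources"].get(ip, 0) + count
    return summary
```

The number of distinct keys in `failing_sources` is the "hosts not compliant" figure; a legitimate relay showing up there is the signal to fix its SPF/DKIM before moving to `p=reject`.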

Invalid recommendations

Posted Nov 29, 2024 21:15 UTC (Fri) by dskoll (subscriber, #1630) [Link]

I expect that it's no longer the case [that SPF "pass" is a mild spam indicator] because the standard is old and most people have caught up.

Invalid recommendations

Posted Nov 29, 2024 18:38 UTC (Fri) by dskoll (subscriber, #1630) [Link] (4 responses)

Neither SPF nor DKIM are anti-spam measures. They are designed to make it harder for someone to fake mail from your domain. Back when I ran an email security company (so 2000-2018) we found that an SPF "pass" was a slight spam indicator, because spammers were more diligent about maintaining correct SPF records than non-spammers.

Google et al. demand SPF/DKIM/DMARC not to reduce spam, but to be able to hold senders accountable... if a piece of spam passes DKIM and SPF, we can generally know who (as in which domain or which MTA) was responsible for letting it out onto the Internet.

I agree that telling people not to run their own MTA is very harmful and is damaging to the integrity of the Internet. We cannot let an open and useful protocol slip out of the hands of the community and into the hands of a few powerful multinationals.

Invalid recommendations

Posted Nov 29, 2024 18:56 UTC (Fri) by Curan (subscriber, #66186) [Link] (3 responses)

> Neither SPF nor DKIM are anti-spam measures.

You should really tell this to various government bodies. Because they list these as requirements to combat spam...

But I do understand your position, it is just not what is implemented in the world by big providers and required by government bodies.

> Back when I ran an email security company (so 2000-2018) we found that an SPF "pass" was a slight spam indicator, because spammers were more diligent about maintaining correct SPF records than non-spammers.

And just like that you told me, that SPF is pointless.

> Google et. al. demand SPF/DKIM/DMARC not to reduce spam, but to be able to hold senders accountable... if a piece of spam passes DKIM and SPF, we can generally know who (as in which domain or which MTA) was responsible for letting it out onto the Internet.

Oh come on, that is not helping anybody. Unless you try to tell me it is hard to get a domain. Which it is not, I must say. And if we assume getting a domain is easy: what does anybody gain by knowing "who" it was? The spammers will just change the domain.

Anyway, in my experience most spam comes from „legitimate“ domains like `gmail.com` and such. Making the whole endeavour circular at least.

Invalid recommendations

Posted Nov 29, 2024 19:47 UTC (Fri) by mbunkus (subscriber, #87248) [Link] (2 responses)

> And just like that you told me, that SPF is pointless.

You're wrong insofar as you're only thinking about fighting spam. But as Diane said, SPF & DKIM are supposed to establish authenticity. When I receive email from my customers (for whom my company has set up SPF, DKIM, DMARC in the past) I can rely on two things:

1. The email does indeed come from my customer & not from a malicious third party.
2. No malicious third party has modified the most important headers while in transit.

These particular technologies are not about fighting spam. They addressed different shortcomings of the SMTP protocol itself:

1. No way to verify that a sender (both in the sense of the program creating the mail & the server relaying the mail) is allowed to send mail for a certain domain. This is what SPF addresses.
2. No way to validate that email headers haven't been modified after having been sent by the sender. This is what DKIM addresses.[1]
3. DMARC as the third part finally tells the recipient that both SPF & DKIM are actually supposed to be used by all mail originating from a domain, and what the domain's owner wants the recipient to do if one or both of them are invalid or missing.

Again, this is _not about spam_.

[1] Before DKIM there had only been a way to protect email bodies from malicious modifications by sending cryptographically signed emails (GPG, S/MIME). Those didn't do anything for the headers, though.
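The three points above (SPF authorizes a sending host, DKIM binds a signature to a domain, DMARC ties both to the visible From domain and states the owner's policy) are what a receiving MTA evaluates per message. The following is an added example, not code from the thread or from any mail software; it takes SPF and DKIM results as already computed by the MTA and applies the DMARC record. The two-label organizational-domain shortcut is an assumption (real implementations consult the Public Suffix List), and the record and domains are constructed.

```python
def parse_dmarc(txt):
    """Parse a _dmarc TXT record into a tag -> value dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment
    tags.setdefault("p", "none")    # requested disposition on failure
    return tags

def org_domain(domain):
    """Organizational domain as the last two labels (assumption: a simplification
    of the Public Suffix List lookup a real implementation would do)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match with the From domain,
    relaxed only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition).

    DMARC passes when at least one mechanism both passed on its own AND is
    aligned with the RFC5322.From domain. An SPF pass for an unrelated
    MAIL FROM domain, or a DKIM signature from some other domain, does not
    count: that is what stops a third party forging the From address.
    Note what this does *not* check: a message sent from a genuine account
    at the From domain passes regardless of content, which is the point the
    thread keeps circling back to."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]
```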

Invalid recommendations

Posted Nov 30, 2024 5:33 UTC (Sat) by Curan (subscriber, #66186) [Link] (1 responses)

> When I receive email from my customers (for whom my company has set up SPF, DKIM, DMARC in the past) I can rely on two things

No, you can't, because this still assumes honest players. Really, I am running MTAs for very large organisations and my experience is: a lot of legitimate e-mails would be filtered if I enforced SPF/DKIM. On the other hand I have actual and obvious spam in troves that meets SPF/DKIM requirements.

In my personal experience: the best way to verify a sender is OpenPGP. That being said: that is a negligible amount of traffic here.

But since you insist on the "not about spam" line: that is not how it is sold. And not how it is promoted. See e.g. https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail where it says in the first line

> DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.

Or in https://en.wikipedia.org/wiki/Sender_Policy_Framework

> Sender Policy Framework (SPF) is an email authentication method which ensures the sending mail server is authorized to originate mail from the email sender's domain.[1][2] [...] Forgery of this address is known as email spoofing,[3] and is often used in phishing and email spam.

And I know Wikipedia is not the best source, but if you are honest you will find that the RFCs and other industry sources agree.

---

That being said: I do not think us discussing this issue over text in a comment section is going to help us, because this is a very poor communication channel. If you are at FOSDEM, let me know and we can meet up in person and discuss this better. Probably over a beer or two. ;-)

Invalid recommendations

Posted Nov 30, 2024 7:20 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

> On the other hand I have actual and obvious spam in troves, that meets SPF/DKIM requirements.

FWIW, spammers don't even bother with forging the 'from' field anymore because they assume that SPF/DKIM is everywhere.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds