Spoofed From: Prevention

An anonymous reader writes "It looks like the next promising advance in the war on spam is here! Introducing SPF: Sender Permitted From. A draft RFC is still being written, but the idea is simple: we can prevent forged emails by having domain owners publish a list of IP addresses authorized to send mail from their domain. It's no silver bullet, but how much spam can we eliminate by preventing forged mail from spoofed domains? Maybe we really don't need anti-spam legislation after all? The SPF site is chock-full of juicy info for our reading enjoyment. Bon appetit!" Interestingly, the to-do list mentions the possibility of seeking a defensive patent on this scheme, too.
  • by donnz ( 135658 ) on Sunday October 05, 2003 @09:36PM (#7140533) Homepage Journal
    Sort of not. All we need are a few of the big ones to sign up to see significant impact.

    In fact, other /.ers can explain this much more clearly. [slashdot.org]
  • Re:No good. (Score:2, Informative)

    by chromatic ( 9471 ) on Sunday October 05, 2003 @09:43PM (#7140570) Homepage

    Add a TXT record in your domain's DNS saying that senders are permitted from your ISP's SMTP server. See Setting up SPF [pobox.com].

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday October 05, 2003 @09:51PM (#7140612)
    I have cable. I also run my own mail server. If that's implemented, then no mail server will receive my mail because my residential cable IP won't be allowed to send mail from my ISP's netblock

    Not really. First, mail servers likely won't accept/reject mail solely on this criteria. This SPF compliance metric will just join many other anti-abuse metrics already employed.

    Second, if you run your domain there is no problem to begin with. The receiving mail server will look up your personal domain name and probably find no SPF record to begin with. End of story.

    The only problem might be if you want to use your mail server to send messages using your ISP's domain as the sender's field. Now that might indeed look like abuse. The solution would be to send mail carrying your ISP's domain name through your ISP's mail server.

  • Re:BAD Idea (Score:3, Informative)

    by monsterlemon ( 713644 ) on Sunday October 05, 2003 @09:54PM (#7140623)
    > This is a BAD idea. What happens when I have 3
    > different email accounts that I use for different
    > things, and I want to send mail from each of them
    > from my home ISP? Sure, each email provider can
    > provide a secure SMTP for me to log into, but this
    > sounds like a lot of work.

    Actually it's a very good idea.

    A lot of work? For the ISPs? Or for you?

    Setting up an authenticated SMTP server is not hard, and the cost -- compared to the costs that ISPs are forced to incur to deliver spam, would be small.

    For you? Just go into your Outlook (or whatever) preferences and edit the outgoing server. Big deal.

    As for spammers getting round it, sure they can forge their mail as if it were from someone else at the same domain. But the admins of that domain will have their server logs and will know who to go after.

    And the fact that the spammer will only be able to post from a domain he (any "she" spammers out there feeling hard done by, do speak up) controls will greatly reduce the number of bounces you and I get from spam that pretends to be from us.

    So, overall, while SPF won't stop spam, it will help, and it will introduce a lot more accountability into the email process -- which can only be a good thing.
  • Re:RMX? (Score:3, Informative)

    by marnanel ( 98063 ) on Sunday October 05, 2003 @09:54PM (#7140625) Homepage Journal

    Section 6.1 of their RFC [pobox.com] covers this.

    Briefly:

    RMX allows the recipient to look up information using a greater range of possible keys than just the sending IP address;

    SPF reuses a pre-existing part of the DNS (TXT records) rather than adding a new RR type as RMX does;

    the design of SPF lets the spoofed domain's admins know who's spoofing their address (because the spoofer's IP address is part of the lookup).

  • Re:Not effective (Score:1, Informative)

    by merlin_jim ( 302773 ) on Sunday October 05, 2003 @09:56PM (#7140637)
    Retraction: I did not RTFA...

    I was completely wrong :(
  • by wayne ( 1579 ) <wayne@schlitt.net> on Sunday October 05, 2003 @09:57PM (#7140640) Homepage Journal
    The SPF system is far less complicated than GPG in almost every way.

    That being said, the SPF system is not intended to be the only tool that will help create a more trustworthy mail system. I haven't heard anyone involved in the SPF system argue against using all appropriate tools.

    There is also the point that SPF is designed to help determine if someone is authorized to use a domain name, while GPG is designed to authenticate who is sending the email. These are different problems, so SPF and GPG complement each other.

  • Re:Another problem: (Score:5, Informative)

    by Pharmboy ( 216950 ) on Sunday October 05, 2003 @10:15PM (#7140752) Journal
    Actually, that brings something important to mind: Here in Australia a very large proportion of mail servers are Debian boxes. If that patent idea gets taken up, I can't see Debian including SPF; it'll be poison.

    He referred to patenting it, and immediately releasing it as Public Domain. This means it can be used by anyone, in any license, even Microsoft. Actually, you NEED Microsoft to use it if you want it to work anyway. But there is already lots of PD in Linux, including Debian, so no worries.
  • Re:No good. (Score:1, Informative)

    by Anonymous Coward on Sunday October 05, 2003 @10:26PM (#7140823)
    My org outsources webhosting/email, and provides all users with an email address @ourdomain.com. Most of our employees use their email addresses as their primary email address. When they are at work, the mail relay is mail.workisp.com (not ourdomain.com). When they are at home, who knows what ISP/mail relay they dredged up from the far corners of the net.

    Sure, I could probably get our hosting provider to add mail.workisp.com to allowed senders, but what about the home addresses? Would YOU be thrilled if your employer started going around, asking you for a comprehensive list of ISPs you use to connect to the net when at home, on the road, visiting friends/relatives, etc.?

    Sure, our provider provides an SSL authenticated smtp server that all our employees can use. But one can just as easily argue that that's wrong and they should be using the SMTP server of whatever ISP they use to connect to the net, rather than the server that receives mail for them.
  • That is, at the "MAIL FROM:" stage, my email server goes through most of the steps involved in sending a reply email back, to wit, finding a willing MX server, connecting to port 25 on it, falling back etc as you would normally do to send a reply, but do something like "MAIL FROM:id.3141592763@spamtest.mydomain.dom" when it came time to ID the sender. This will allow you to give positive responses to the other end if they in turn perform a similar check on you. If the SMTP process can't get up to "DATA" without a rejection of some kind, then the inbound mail is spam by definition. Either way, it then drops the connection so the return "mail" isn't delivered.

    Perhaps it could say DATA/If you receive this, your email server has been misconfigured./Please ask your system administrator or ISP to configure the server to discard incomplete email messages.// -pause- disconnect.

    That won't get them all, and there will be the odd false positive (550 unable to validate sender address), but it should get most, no worries. It'll certainly get the zillion or so messages spoofed as being from "@hotmail.com" "@yahoo.com" and so on. If you wanted to be a pedant, you'd check the embedded "From:" address as well as the enveloped one.

    I'd also appreciate some name-finding AI, so that when a message which programs like SpamAssassin become absolutely dead-set convinced is spam (ie, the filter doesn't say "maybe spam", the filter says "if this isn't spam, upload me to a microwave") arrives - but passes the above test - any email addresses mentioned in it get a score or so of very different but realistic-looking "replies" based on the original message ("Re: P*E+N~I:S E|N-L=A/R'G\E!R/Dear Sexy Sal//Please send me four boxes of penis perpetration patches. My credit card number is 3141-5926-5358-9793 and expires on 04-04. My address is Australian Federal Police/Hay Street/East Perth 6001.//Please use plain brown wrapper on the parcel.//Fred Q Nurk esq") but from a variety of bit-bucket addresses and spread out over the next few hours. A bit sad if the spammer is spoofing from your address, but you can easily filter everything related to such spoofing - and otherwise forces the scumbags to work for their addresses. Even better if he wants to talk to a bot about invalid credit card numbers or mismatched expiry dates. Better still if you can arrange to get them done for credit card fraud, maybe by using numbers from your local supermarket's stolen-cards list. Working for their addresses is exactly what spammers don't want to do.

    You see, I've become convinced that a war of attrition - making it harder for spam to get through - isn't enough.

    The thing that makes spam work is that it's cheap to get addresses and cheap to send out mail. Since there will always be bad-apple ISPs (and dumbo-sucker ISPs) who let the canned-ham merchants send the stuff, the obvious step is to make collecting the addresses harder.

    Collecting addresses is a two-phase process. Phase one harvests addresses wholesale using spambots and/or people stupid enough to fill in random on-line forms accurately, phase two qualifies those addresses by sending stuff to them. Unfortunately, the same people stupid enough to fill in forms willy-nilly are the same people stupid enough to respond to spam. I guess it's just not a good survival characteristic.

    If it were possible to establish a contract by sending someone email, we could make the initial harvest very expensive, very quickly by simply embedding the email address in an offer of contract. Unfortunately, the courts have so far decreed that such an event doesn't necessarily entail a "meeting of minds" necessary to establish a contract - even if the email address says "email-to-this-address-costs-USD-1000-in-advance@mydomain.dom". To me, this makes no sense, kind of analogous to releasing an automated tank and being able to claim that any damage done by it was not deliberate.

    Nevertheless, if we can make
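The probe transaction the post above describes, written out as an added example that is not the poster's code or anything from the page: a sender callout opens a session to the purported sender's MX, gets through HELO and MAIL FROM with a unique probe address, asks RCPT TO for the sender, then resets and quits before DATA so nothing is ever delivered. To keep it runnable offline the "MX" is a minimal fake responder on a localhost port with a constructed mailbox list; the probe domain spamtest.mydomain.dom comes from the post, everything else (example.org, the mailbox list, the port) is made up here.

```python
import socket
import threading
import uuid

# Constructed mailbox list for the fake MX; a real callout talks to the sender domain's real MX.
KNOWN_MAILBOXES = {"alice@example.org"}


def serve_fake_mx(listener, known):
    """Stand-in MX: one connection, one-line replies, 550 for unknown recipients, no DATA support."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mx.example.org ESMTP\r\n")
        for raw in rd:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mx.example.org\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT" and ":" in line:
                addr = line.split(":", 1)[1].strip().strip("<>").lower()
                conn.sendall(b"250 2.1.5 Ok\r\n" if addr in known else b"550 5.1.1 No such user\r\n")
            elif verb == "RSET":
                conn.sendall(b"250 Ok\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def smtp_cmd(sock, rd, cmd):
    """Send one command line and return the (single-line) reply."""
    sock.sendall(cmd.encode("ascii") + b"\r\n")
    return rd.readline().decode("ascii", "replace").rstrip()


def callout(mx_host, mx_port, sender, probe_domain="spamtest.mydomain.dom"):
    """True if the sender's MX accepts RCPT TO for the sender, False if it rejects,
    None if the session never got far enough to tell (treat that as 'unknown', not spam)."""
    probe = f"id.{uuid.uuid4().hex}@{probe_domain}"  # unique MAIL FROM, so any bounce is traceable
    with socket.create_connection((mx_host, mx_port), timeout=5) as sock, sock.makefile("rb") as rd:
        if not rd.readline().startswith(b"220"):
            return None
        for cmd in (f"HELO {probe_domain}", f"MAIL FROM:<{probe}>"):
            if not smtp_cmd(sock, rd, cmd).startswith("250"):
                smtp_cmd(sock, rd, "QUIT")
                return None
        reply = smtp_cmd(sock, rd, f"RCPT TO:<{sender}>")
        smtp_cmd(sock, rd, "RSET")   # never issue DATA: the probe message must not be delivered
        smtp_cmd(sock, rd, "QUIT")
    return reply.startswith("250")


def verify_with_fake_mx(sender, known=KNOWN_MAILBOXES):
    """Run one callout against the in-process fake MX on an ephemeral loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_fake_mx, args=(listener, known), daemon=True)
    server.start()
    try:
        return callout("127.0.0.1", port, sender)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for addr in ("alice@example.org", "nobody@example.org"):
        print(addr, "->", "deliverable" if verify_with_fake_mx(addr) else "rejected")
```

Two things a practitioner would weigh before deploying this: a callout puts a connection on a third party's MX for every inbound message (the post's own false-positive note applies, and some operators treat callouts as abuse), and a 250 at RCPT only says the mailbox exists, not that the host that connected to you was entitled to use it, which is the gap the SPF proposal under discussion is trying to close.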

  • by pjrc ( 134994 ) <paul@pjrc.com> on Monday October 06, 2003 @02:17AM (#7141703) Homepage Journal
    How would I be able to continue doing this under such a system?

    Two ways:

    1. List your IP number as a valid point of origin for that domain
    2. Do not list any IP numbers

    The "problem" (for you) occurs if you do not control the domain name, and whomever adds a list of valid sending IP addresses does not include the IP number you are using. In that case, you'd be out of luck.... but so will spammers.

  • by colinleroy ( 592025 ) on Monday October 06, 2003 @02:26AM (#7141746) Homepage
    Some ISPs seem to be better than others. My french ADSL provider [nerim.net] allows me to run webserver, mailserver, DNS server, ssh server, and they gave me a static IP to do this. In addition to this, they offer me a secondary DNS and MX backup service. Costs me 42 euros/month.
  • by Keeper ( 56691 ) on Monday October 06, 2003 @03:02AM (#7141854)
    Traveling mailman problem:

    In this situation, wouldn't you just connect to the ISP's SMTP server and send the email? This system is designed to authenticate SMTP servers, not people connecting to them.

    Any mailserver internal to a network

    If your internal server tries to send email reported to be from cox.net (or whatever their domain is) then yes, you'll have a problem. Don't do that.

    However, if you own mydomain.com, and have your SPF server report its IP as an authoritative SMTP server for sending mail from mydomain.com, you don't have any problems.
  • by tsvk ( 624784 ) on Monday October 06, 2003 @04:20AM (#7142050)

    Your idea of running fake open proxies for spammers to discover and 'abuse' is not new. There is already software for this purpose. Search for 'proxy honeypot' or 'proxypot' in Google.

    In fact, Ronald F. Guilmette who ran the monkeys.com anti-spam website and open proxy blocklist and who was forced to shut down [slashdot.org] due to DDoS attacks also ran an extensive network of proxypots to uncover those criminal spammer gangs who regularly abuse open proxies and also to uncover the rogue ISPs who host these criminals and who let the proxy hijackers stay connected.

    Mr. Guilmette posted several times to the news.admin.net-abuse.email newsgroup [google.com] (charter [killfile.org]) compiled lists of the top proxy-abuse allowing ISPs and extensive analyses of the proxy-hijackers' operations (examples here [google.com], here [google.com], here [google.com], here [google.com] and here [google.com]). This anti-spam work was partly very fruitful, resulting in several ISPs being outed as spammer-friendly and also being forced to clean up their act.

  • by Anonymous Coward on Monday October 06, 2003 @04:45AM (#7142100)
    If you have even a remote understanding of what SPF is, you wouldn't be spouting this crap.

    SPF doesn't publish any sort of list. SPF simply uses DNS to respond to whether any particular host is authorized to send mail on the behalf of a domain. SPF doesn't add anything to DNS that would make it more vulnerable to DDoSing than it is now.
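Putting chromatic's "add a TXT record" comment and the comment above together: what a receiver actually does is fetch the TXT record for the domain in MAIL FROM and walk its mechanisms until one matches the connecting IP. This is an added example, not code from the page, from the pobox.com project or from any commenter: a small evaluator in the v=spf1 syntax the project settled on (ip4, a, mx, include, all, with the four qualifiers), run against a constructed in-memory DNS table in place of real lookups. The domains and addresses (example.org, _spf.isp.example, nospf.example, 192.0.2.0/24 and so on) are made up from documentation ranges.

```python
import ipaddress

# Constructed DNS data standing in for real lookups; none of these are real records.
DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.isp.example -all"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["198.51.100.25"],
    ("_spf.isp.example", "TXT"): ["v=spf1 ip4:203.0.113.0/25 ~all"],
    ("nospf.example", "TXT"): ["some unrelated txt record"],
}

# Qualifier prefix -> result when the mechanism matches; a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def host_ips(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for the connecting IP.

    Returns pass / fail / softfail / neutral, "none" when the domain publishes
    no v=spf1 record, or "permerror" for unusable policy (two records, unknown
    mechanism, runaway includes). Only IPv4 mechanisms are handled here.
    """
    if depth > 10:
        return "permerror"
    ip = ipaddress.ip_address(ip)
    records = [r for r in lookup(domain, "TXT")
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not records:
        return "none"            # no policy published: the receiver learns nothing either way
    if len(records) > 1:
        return "permerror"       # ambiguous policy
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in host_ips(arg or domain)
        elif name == "mx":
            matched = any(ip in host_ips(mx) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            # include only "matches" when the referenced policy itself returns pass
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # fell off the end without a match


if __name__ == "__main__":
    for sender_ip in ("192.0.2.10", "198.51.100.25", "203.0.113.5", "203.0.113.200", "10.0.0.1"):
        print(sender_ip, "MAIL FROM example.org ->", check_host(sender_ip, "example.org"))
    print("10.0.0.1 MAIL FROM nospf.example ->", check_host("10.0.0.1", "nospf.example"))
```

The walk order is the whole point of the record: the ISP's include carries "~all", so a host the ISP does not list falls through the include without matching and ends at example.org's own "-all". Note too that a domain with no record yields "none", which is why the cable-modem and personal-domain cases discussed above are untouched until the domain owner chooses to publish something.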
  • by Lord Prox ( 521892 ) on Monday October 06, 2003 @05:16AM (#7142161) Homepage
    Your idea of running fake open proxies for spammers to discover and 'abuse' is not new. There is already software for this purpose. Search for 'proxy honeypot' or 'proxypot' in Google.

    Thanks for the suggestion... downloaded an SMTP honeypot, I'll see how well it works. However most of the proxy/honeypots were aimed at servers not for "grandma's DSL Wintel box". Simple and stupid for the end user. Think distributed computing seti@home meets anti-spam. No single site (monkeys.com) to take down. It would not stop spam but it could make their lives that much more difficult by removing one tool in their toolbox. And costing them time/money/product in the process. My SMTP logs show that I get plenty of relay attempts in a day so using other people's servers is still a widely used tactic. I think this would be a good response.
  • by delmoi ( 26744 ) on Monday October 06, 2003 @05:21AM (#7142170) Homepage
    This will prevent all mail spoofing. It wouldn't stop anyone from having a mailing list though, although you would A) need your own domain, or B) get your mailing list server authenticated by your ISP.
    by cortana ( 588495 ) on Monday October 06, 2003 @05:54AM (#7142228) Homepage
    SPF is a mechanism to prevent envelope sender forgery. No more, no less.

    SPF (and other RMX-like proposals) would be effective at detecting the situation you describe. The spammer who trojaned a Win32 box would only be able to use it to send spam with an envelope sender of something@spammercontrolleddomain.com.

    The admin can use a real time black list or other mechanism to enforce policy (drop mails from known spam domains).

    Spammers can register many throwaway domains, but: it only takes a few spams detected and reported to the black list before the domain becomes worthless to the spammer again; and such domains will end up being composed of random characters, which tools like Spamassassin can use in their suite of tests (for example, SUSPICIOUS DOMAIN = +2) to make detection even easier.
