Spoofed From: Prevention 532
An anonymous reader writes "It looks like the next promising advance in the war on spam is here! Introducing SPF: Sender Permitted From. A draft RFC is still being written, but the idea is simple: we can prevent forged emails by having domain owners publish a list of IP addresses authorized to send mail from their domain. It's no silver bullet, but how much spam can we eliminate by preventing forged mail from spoofed domains? Maybe we really don't need anti-spam legislation after all? The SPF site is chock-full of juicy info for our reading enjoyment. Bon appetit!" Interestingly, the to-do list mentions the possibility of seeking a defensive patent on this scheme, too.
great idea... (Score:4, Interesting)
Re:great idea... (Score:5, Insightful)
This can already be done (Score:5, Interesting)
...something that can already be done with Postfix and other mailers. It's very simple. Postfix can check to see if the hostname you claim to be from matches your IP. It can also check to see if the IP reverses to the hostname you claimed(this one is not as wise, as there are perfectly valid reasons for not having a reverse entry, although you -should- have one). Further, Postfix can return not-authorized if you try and give a MAIL FROM address which doesn't match your domain; ie, if you're coming from a01.nastyspammer.com, you're not going to be able to say "MAIL FROM: niceguy@yahoo.com". It is -incredibly- effective against blocking spam, but the problem is that many ISPs and company just don't have properly configured mail servers, or hostnames set up for their mail servers(an even more common mistake is for the hostname to not match the name reported by the connecting server in the HELO command- most often Exchange servers). This would change quickly if more people configured their mail servers to block such shenanigans.
Right now that RFC seems a)unnecessary and b)like a very thinly veiled attempt by ISPs to prevent their customers from running mailing lists and the like. I help run a VERY low budget mailing list that has about 3,000 subscribers in total, and we may end up using DSL again for connectivity. Said DSL provider could easily screw us over with this.
Re:This can already be done (Score:4, Interesting)
But as a matter of course, I have mutt configured on my desktop box to send in the name of my halfway-across-the-country account, even though it sends through my ISP's SMTP server. (It used to send through my home Linux box's own SMTP server, but then a lot of addresses started bouncing it because it was on a list of cablemodem IPs.) How would I be able to continue doing this under such a system?
Re:This can already be done (Score:4, Informative)
Two ways:
The "problem" (for you) occurs if you do not control the domain name, and whomever adds a list of valid sending IP addresses does not include the IP number you are using. In that case, you'd be out of luck.... but so will spammers.
What I'd like to do is reverse EMAIL lookup checks (Score:4, Informative)
Perhaps it could say DATA/If you receive this, your email server has been misconfigured./Please ask your system administrator or ISP to configure the server to discard incomplete email messages.// -pause- disconnect.
That won't get them all, and there will be the odd false positive (550 unable to validate sender address), but it should get most, no worries. It'll certainly get the zillion or so messages spoofed as being from "@hotmail.com" "@yahoo.com" and so on. If you wanted to be a pedand, you'd check the embedded "From:" address as well as the enveloped one.
I'd also appreciate some name-finding AI, so that when a message which programs like SpamAssassin become absolutely dead-set convinced is spam (ie, the filter doesn't say "maybe spam", the filter says "if this isn't spam, upload me to a microwave") arrives - but passes the above test - any email addresses mentioned in it get a score or so of vary different but realistic-looking "replies" based on the original message ("Re: P*E+N~I:S E|N-L=A/R'G\E!R/Dear Sexy Sal//Please send me four boxes of penis perpetration patches. My credit card number is 3141-5926-5358-9793 and expires on 04-04. My address is Australian Federal Police/Hay Street/East Perth 6001.//Please use plain brown wrapper on the parcel.//Fred Q Nurk esq") but from a variety of bit-bucket addresses and spread out over the next few hours. A bit sad if the spammer is spoofing from your address, but you can easily filter everything related to such spoofing - and otherwise forces the scumbags to work for their addresses. Even better if he wants to talk to a bot about invalid credit card numbers or mismatched expiry dates. Better still if you can arrange to get them done for credit card fraud, maybe by using numbers from your local supermarket's stolen-cards list. Working for their addresses is exactly what spammers don't want to do.
You see, I've become convinced that a war of attrition - making it harder for spam to get through - isn't enough.
The thing that makes spam work is that it's cheap to get addresses and cheap to send out mail. Since there will always be bad-apple ISPs (and dumbo-sucker ISPs) who let the canned-ham merchants send the stuff, the obvious step is to make collecting the addresses harder.
Collecting addresses is a two-phase process. Phase one harvests addresses wholesale using spambots and/or people stupid enough to fill in random on-line forms accurately, phase two qualifies those addresses by sending stuff to them. Unfortunately, the same people stupid enough to fill in forms willy-nilly are the same people stupid enough to respond to spam. I guess it's just not a good survival characteristic.
If it were possible to establish a contract by sending someone email, we could make the initial harvest very expensive, very quickly by simply embedding the email address in an offer of contract. Unfortunately, the courts have so far decreed that such an event doesn't necessarily entail a "meeting of minds" necessary to establish a contract - even if the email address says "email-to-this-address-costs-USD-1000-in-advance@m ydomain.dom". To me, this makes no sense, kind of analogous to releasing an automated tank and being able to claim that any damage done by it was not deliberate.
Nevertheless, if we can make
You don't understand how this works (Score:3, Informative)
Another problem: (Score:3, Insightful)
I would be happier if he GPL'ed it.
Actually, that brings something important to mind: Here in Australia a very large proportion of mail servers are Debian boxes. If that patent idea gets taken up, I can't see Debian including SPF; it'll be poison.
Re:Another problem: (Score:5, Informative)
He refered to patenting it, and immediately releasing it as Public Domain. This means it can be used by anyone, in any license, even Microsoft. Actually, you NEED Microsoft to use it if you want it to work anyway. But there is already lots of PD in Linux, including Debian, so no worries.
Re:Another problem: (Score:5, Interesting)
and
I would be happier if he GPL'ed it.
There is no reason that he couldn't distribute this under the GPL even if he patented it.
The patent could be used as a method to could prevent a company from implementing an incompatible "one-off" that it distributed with it's own propietary, market dominating OS in order to prevent other systems from interoperating with it's email software when the feature is activated.
On the other hand there is the issue of software patents in general. Even if you intend no harm, or are actually using the patent system to protect the freedom of your implementation, you are also endorsing software patents that are being used in far less benign ways.
If that patent idea gets taken up, I can't see Debian including SPF; it'll be poison.
Once again, the existance of the patent does not dictate how the patent holder distributes or licenses the patented invention. If this developer is concerned that this be widely implemented and thus chooses the GPL or similar to license the invention, the patent could ensure that any subsequent inventions that are dependant on or derived from this one be distributed under a similar or compatible license.
Think of the email virus/worm consequences... (Score:5, Insightful)
possibly job security (Score:2)
If spam goes away, it'll be as devastating as an asteroid hitting Earth. Jobs will be lost, and America will become a third world nation. Didn't we cover this earlier today?
Re:great idea... (Score:5, Interesting)
If the spammers are your customers, you want to keep spam moving. This system may help us see who is the good guys and who is not.
Re:great idea... (Score:5, Interesting)
The same reasons that top-teir backbone providers are totally unwilling to help block spam. If a spammer buys some bandwidth from some ISP, and starts sending GB's of spam, that ISP gets lots of money. For the top-teirs, they get to charge for the spam coming across their pipes (both the people sending and the people reciving). They get to charge more when half of the emails bounce.
An admin of an individual server/company wouldn't necessiarily want spam moving, but the tertiary people (ie, the bandwidth providers and ISPs), in addition to the spammers or the people they're spamming for, are making money.
TXT, not A vs. NXDOMAIN (Score:2, Insightful)
And assuming one were to piggy back it on DNS or some existing service, how would something like Verisign sitefinder fuck it up?
It is piggybacked on DNS, and it's done through TXT records that specify either "spf=allow" or "spf=deny". A confusion of A vs. NXDOMAIN, such as if VeriSign goes meddling again, seems not to affect the system.
Re:black hole relay... (Score:4, Insightful)
Yes, you might send some spam to /dev/null with this approach, but it would be only hurt the clueless to amateur spammer and the quantity wouldn't be that much.
Re:black hole relay... (Score:4, Interesting)
Hmmm... I have to say I partially disagree. My server logs show 3 - 10 attempts per day to use it as a relay. I ran an open relay one to see how long it would take and how much spam would be sent. fast and a lot were the answers. I'll bet I could black hole 100K slices O spam a week...
Re:black hole relay... (Score:4, Informative)
Your idea of running fake open proxies for spammers to discover and 'abuse' is not new. There is already software for this purpose. Search for 'proxy honeypot' or 'proxypot' in Google.
In fact, Ronald F. Guilmette who ran the monkeys.com anti-spam website and open proxy blocklist and who was forced to shut down [slashdot.org] due to DDoS-attacks also ran an extensive network of proxypots to unconver those criminal spammer gangs who regularly abuse open proxies and also to uncover the rouge ISPs who host these criminals and who let the proxy hijackers to be connected.
Mr. Guilmette posted several times to the news.admin.net-abuse.email newsgroup [google.com] (charter [killfile.org]) compiled lists of the top proxy-abuse allowing ISPs and extensive analyses of the proxy-hijackers' operations (examples here [google.com], here [google.com], here [google.com], here [google.com] and here [google.com]). This anti-spam work was partly very fruitful, resulting in several ISPs to be outed as spammer-friendly and also being forced to clean up their act.
Re:black hole relay... (Score:3, Informative)
Thanks for the suggestion... downloaded a SMTP honeypot i'll see how well it works. However most of the proxy/honeypots were aimed at servers not for "grandma's DSL Wintel box". Simple and stupid for the end user. Think distributed computing seti@home meets anti-spam. No single site (monkeys.com) to take down. It would not
Won't work unless everyone implements this (Score:3, Insightful)
As far as I understood, unless everyone with a domain uses this, the spammers can just adjust their scripts/programs to just generate fake emails from domains without SPF. (or did I miss something?)
Re:Won't work unless everyone implements this (Score:4, Informative)
In fact, other
Re:Won't work unless everyone implements this (Score:2, Insightful)
Re:Won't work unless everyone implements this (Score:2)
I like this idea a lot. It's simple and it doesn't "break" anything. Kudos.
Re:Won't work unless everyone implements this (Score:5, Insightful)
This is not much different than feel that they should be allowed to run open relays [toad.com]. They will end up on DNS blacklists and others may choose not to accept mail from them. Their server, their rules. No one is forcing anyone to close open relays, and no one is forcing anyone to accept email from everyone.
Re:Won't work unless everyone implements this (Score:4, Interesting)
Why should't I blacklist all open relays? If they are not spewing spam today they will as soon as they are discovered.
Finally. Why would anybody run an open relay? Just exactly what are you trying to accomplish by doing such a thing.
I don't like that idea. (Score:3, Insightful)
Re:I don't like that idea. (Score:2)
Re:I don't like that idea. (Score:2)
Re:I don't like that idea. (Score:2)
"business account" (Score:3, Insightful)
Hey man, I love abusing my cable connection too, but since I'm not willing to pay $100 instead of the $40 I'm paying now, I don't expect being able to do everything I want to.
Re:I don't like that idea. (Score:3, Informative)
Not really. First, mail servers likely won't accept/reject mail solely on this criteria. This SPF compliance metric will just join many other anti-abuse metrics already employed.
Second, if you run your domain there is no problem to begin with. The receiving mail server will look up your personal domain name and
Your server really *isn't* authorized, though. (Score:3, Insightful)
One of the ways they do this is by providing inbound and outbound email services, through legitimate servers published through DNS. As a customer of the ISP, you're given rights to use those services, and they're responsible for ensuring your access to same -- that is, they're the responsible party for any given email a
Re:I don't like that idea. (Score:2)
Re:I don't like that idea. (Score:4, Interesting)
Many large ISPs (such as AOL) have already started filtering mail based on the IP of the relaying server. So if your SMTP server talks directly to AOL, then AOL may reject your mail simply because you're *likely* to be a spammer relay (even though you're not).
Meanwhile, cable companies like Cox have already implemented a total blackhole on *outgoing* SMTP. Not only is this annoying for people who run servers, but it also sucks for those of us with POP/IMAP accounts... if I'm connected from home I have to set my outgoing SMTP to Cox, and when I come in to work I have to flip it back to my company's mail server. (I've since set up an automatic ssh tunnel to get around Cox, but the average joe has no hope of doing that for themselves.)
Either way, this new idea isn't going to make sending mail from your own domain any harder than the cable companies are going to make it anyway...
Re:I don't like that idea. (Score:4, Interesting)
I've always thought that ISPs should add a default "smtp" zone for their customers that resolves to their mail server. That way, you can set your progarm up to use "smtp" and no matter where you are, it will resolve properly.
Now, as far as blocking port 25, I've always thought that was a great idea as well, until last week. Our office has used BellZinc's DSL for connectivity. A few months ago, our smtp suddenly stopped working, and after calling tech support, they told me they had accidentally left port 25 on one of their racks unblocked (and I happened to be on that rack) so they had fixed the situation. (Actually, I had to call twice to find that out, the first guy had no clue whatsoever).
So I switched the smtp server in the office to resolve to Bell's, and all was good. But we've had a few interruptions, espessially over the last couple weeks, where we couldn't send mail at all. After talking to tech, it turns out their mail server is being hammered by whatever virus-of-the-week was hitting windows, and was unusable. I was blown away by their lack of willing to help me: they wouldn't unblock port 25 for me (even to one specific IP), and they has no answers to "Well, what am I supposted to tell everyone in the office? No email for ... an unknown amount of time?"
Of course, I could have just set up my server to accept mail on another port, but that would have been a pain for me - local change on every client, instead of one SMTP fix. Anyways, as of Monday, we have a new ISP. (I won't get into how Bell tried to tell us we had a 1-year contract and wanted to charge us 4 extra months for breaking. They couldn't send us any proof, but apparently it was a "verbal" contract. Wow.)
Anyways, I'm a little mixed on blocking port 25. I don't know what a better solution would be. Perhaps not allowing a computer running Windows to directly connect to the internet. Or maybe monitoring the email sent, and setting either a limit on the number per day, or just watching for patterns of mass mailings.
I think you have it exactly backwards. (Score:3, Insightful)
Re:I don't like that idea. (Score:2)
This hard reality sucks. The internet used to be a collaborative thing. Now it is consumption only.
I'm now paying quite a bit per month for a virtual freebsd jail to handle my needs. This is after 8 years online with residential broadband being an acceptable solution.
I wish I had enough people interested that I could just get a T1 drop as a business venture and write it off.
Re:I don't like that idea. (Score:3, Informative)
Re:why not? (Score:3, Insightful)
How so?
it reduces the load on your server
The load on my server is already negligible.
and you do not need to do DNS lookups.
I don't have to do that now. My server does, but see above about its load. Besides, the number of lookups it does for outgoing mail is dwarfed by the number it needs to do for incoming mail, and even more by those issued with some casual web browsing, so it wouldn't make much of a difference to the servers and networks I'm requesting the DNS data from ei
Re:I don't like that idea. (Score:3, Insightful)
Say, I want to pay $800/month for a T-1. I have permission to run a mail server, and everything else.
But, for $40/month DSL, no. As one paying for an expensive t-1 (hypothetically), I don't want you doing the same thing with your bandwidth that I do with mine.
Errr... Well, frankly, I don't care how much you pay for your T1. It's none of your business what anyone else does with their bandwidth. It's only when they start using your bandwidth that it becomes your busin
BAD Idea (Score:3, Insightful)
This is going to make a LOT of people's lives worse, and spammers will get around it anyway. After all...they can still send from another username@theirisp.com. The accounts they're sent from are garbage anyway, because many people notify the proper abuse@ based on the headers (as they should) and not the From address. Forging the from doesn't provide any cover for spammers anyway.
Re:BAD Idea (Score:5, Insightful)
Running a mail server is a lot of work; providing SSL and SMTP AUTH isn't much more.
I'm not sure this would work very well, but having more ISPs support SSL and SMTP AUTH doesn't sound like a terrible thing even if it doesn't.
Re:BAD Idea (Score:3, Informative)
> different email accounts that I use for different
> things, and I want to send mail from each of them
> from my home ISP? Sure, each email provider can
> provide a secure SMTP for me to log into, but this
> sounds like a lot of work.
Actually it's a very good idea.
A lot of work? For the ISPs? Or for you?
Setting up an authenticated SMTP server is not hard, and the cost -- compared to the costs that ISPs are forced to incur to deliver spam, wou
Another satisfied user of authenticated SMTP. (Score:2)
If your provider is responsible for an email address, then they must provide you with a reasonable means of using their service to send mail, either by POP-validated SMTP or by authenticated SMTP.
If you're responsible for an email address, then you have no excuse whatsoever not to be using authenticated SMTP. Repair your outgoing mail server immediately.
But *everyone* would have to do it (Score:3, Interesting)
Re:But *everyone* would have to do it (Score:2)
Re:But *everyone* would have to do it (Score:2)
Well, if I understood right, before the mail gets accepted, a query is run from the DNS server. I would assume that if they did DDoS a DNS server, no mail would go through. Kinda sure that would qualify as a felony. And then w
Re:But *everyone* would have to do it (Score:2)
Thumbs up (Score:3, Insightful)
If the big email services such as Hotmail and Yahoo adopted it, spammers would suddenly find that they have to spend more effort to send out spam by finding domains that didn't opt to use these rules. Even so, it would be a lot easier to filter a specific domain in China or Nigeria than worrying about every piece of mail from Hotmail.
The near perfect spam solution exists.... (Score:2, Insightful)
Working wonders here.
There's another problem this could help with. (Score:3, Interesting)
Perhaps this could stop spammers from spoofing the addresses of other internet users. However, I don't know if this will stop spammers from using whatever return address they want to regardless of what domain they send their spam from. Would it?
Re:There's another problem this could help with. (Score:4, Insightful)
This would also cause serious problems for mobile users -- if I'm on the road, who knows what ISP I'll be connecting to. However, I probably want my From: address to stay the same no matter where I'm connected.
This solution doesn't seem likely to make a serious dent in the flow of spam, and would likely add unwanted restrictions to the actions of users. As such, it seems unwise.
Re:There's another problem this could help with. (Score:2, Interesting)
pink contracts (Score:2, Insightful)
Look at Bellsouth and OptIn.com for heaven's sake!
I love America. (Score:2, Insightful)
Only in America do you have
Re:I love America. (Score:2)
The public domain means NO PROPERTY RIGHTS AT ALL exist. No copyright, no patent, no trade secret.
Relay host spoofing (Score:2)
STMP is inherently untrusted. You could simply claim that you don't accept relayed mail but wth, why even bother using STMP anymore if you do that..
not the perfect solution (Score:2, Insightful)
a solution like this would be all or none, either everyone uses it and follows those rules, or no one will use it.
besides you now have to get all the people who own domains to get a list of ips together, not the most trivial thing for non
No good. (Score:2)
So, that thing isn't gonna work for me.
Re:No good. (Score:2, Informative)
Add a TXT record in your domain's DNS saying that senders are permitted from your ISP's SMTP server. See Setting up SPF [pobox.com].
Re:No good. (Score:2)
Comment removed (Score:3, Interesting)
way too complicated... (Score:4, Insightful)
Re:way too complicated... (Score:3, Informative)
That being said, the SPF system is not intended to be the only tool that will help create a more trustworthy mail system. I haven't heard anyone involved in the SPF system argue against using all appropriate tools.
There is also the point that SPF is designed to help determine if someone is authorized to use a domain name, while GPG is designed to authenticate who is sending the email. These are different problems, so SPF and GPG comple
Re:way too complicated... (Score:2)
RMX? (Score:4, Insightful)
If not, what are the key differences?
Re:RMX? (Score:3, Informative)
Section 6.1 of their RFC [pobox.com] covers this.
Briefly:
RMX allows the recipient to look up information using a greater range of possible keys than just the sending IP address;
SPF reuses a pre-existing part of the DNS (TXT records) rather than adding a new RR type as RMX does;
the design of SPF lets the spoofed domain's admins know who's spoofing their address (because the spoofer's IP address is part of the lookup).
Re:RMX? (Score:5, Interesting)
Basically, RMX has to critical flaws. First, it requires a new DNS resource record type, which is going to require everyone to upgrade their name servers if they want to use it. Secondly, there is a limit to how many resource records can be sent in a UDP packet and many important ISPs such as AOL, MSN, Yahoo, etc., have far to many. If I recall correctly, there are several thousand(!) IP addresses that Yahoo will send email from.
Making things worse (Score:2)
Webmail (Score:2)
my idea is still better (Score:2)
Oh, and who will enforce this (Score:2)
Nice, but hope it's dynamic-IP friendly (Score:2)
As someone who hosts my sites from a dynamic IP address, I certainly hope this system can be dynamic-IP friendly... I would like to protect my own little domain as much as I can.
Bad Idea (Score:2)
entries in it . . .
A Problem? (Score:2)
Not realistic, and not a complete solution. (Score:5, Insightful)
Yes, having information on which SMTP servers are the expected and typical mail "emitters" for a given domain would help reduce (not eliminate) spam.
But the number of cases where users "forge" their from lines for perfectly innocent reasons is huge. Everyone here can probably think of a few cases. Here's one to get you started: "I'm working from home today about I don't want replies to my business email sent to my home account."
Of course, they've covered that in their FAQ. Their answer boils down to: "Tough noogies. You have to suffer the inconvenience and change your behavior because I don't want to suffer the inconvenience of spam."
This, alas, it typical of the disdainful, anti-user mentality that one finds in too many anti-spam efforts.
Here's a clue: want an anti-spam solution to work? Then start from the idea that it needs to make the life of the end user easier, not harder.
Of course, I'm biased. See my sig.
Mail Relays (Score:2)
*sigh* (Score:3, Insightful)
Yes, this measure will operate to make e-mail somewhat less convenient and require authenticated SMTP servers and the like.
But YES, Spam is awful and a serious problem, and if we wait for the silver bullet, we will accomplishn nothing ever at all.
We need to take steps, a few at a time, that will help, a bit. Steps, a few a t a time, that will help a bit, even if it means some inconvenience.
Eventually, the problem will be better.
Eventually,m the problem will be much better.
And maybe, the dollars will start moving to other ways to annoy us.
Web Hosting Companies, Cable, DSL servers... (Score:2)
This assumes that all mail from a domain comes and goes from a central point of authority, but because of smtp's untrusted nature by design, people don't need to operate along those principles.
The one way for this to work is for all of those
Just use a PKI (Score:2)
The only thing... (Score:2)
Every mail server admin defines a list of people whom he trusts (those might also be institutions), and they delegate their trust further, with different levels.
If spam appears, you kick the trusted person who is the first in the chain to the spammer from your side. He does the same, until the chain breaks ... the last one in the chain revokes his key, and that's it.
Needless to
Interesting approach to the Essential Problem (Score:5, Interesting)
Possibly, the system could require authentication all the way back to the message originator, but that implies some central repository of mail originator credentials (again, to allow for transient connections), which would have to be is-a-person credentials to be of any use in tracking and punishing spammers. Since TANSTAAFL, that means to send mail, you have to buy an admission pass for the network. That implies an infrastructure to issue and validate these credentials, as well as no provisions for unlinked mail nyms. Big Brother USPS, anyone?
Re:Interesting approach to the Essential Problem (Score:3, Interesting)
Sam Spammer simply impersonates a server that's passing in-transit messages and forges the upstream transit records.
Sam is going to have a very difficult time spoofing an IP address that is authorized for the sender address, because TCP requires at least one packet to travel from the destination back to the Sam Spammer before the TCP session is even established.
Spoofing the DNS lookup the SPF uses is probably a weaker path, but also quite difficult for a
Web page defacer's delight (Score:4, Insightful)
Web sites on vanity domains are just the sort of thing people like to deface. But how to go about it? Usually there's so little chance that the owner of such a domain is going to be suckered by a mail bomb. Hmm.. what's this SPF record? Seems to point to the network where the owner of this domain connects up to.. that's useful.
what about ip6?? (Score:3, Insightful)
Re:what about ip6?? (Score:4, Insightful)
Spammers *will* register with SPF (Score:4, Insightful)
The FAQ says...
To which I can only add:
Or is there something I'm missing here?Re:A translation (Score:4, Insightful)
Secondly, in order to register a domain you need to provide some sort of cc information which would imply that there would be a way to track down spammers (assuming they didn't use stolen cc's, and I wouldn't put that past 'em -- but then they're commiting an actual crime and this kind of thing is much easier to put people in jail for than the current crimes they commit).
Thirdly, it adds costs to the spammer's bottomline. Reducing "profitablity" from spamming == good way to reduce spamming; if it cost them a new domain for every 10000 spams they send out, it'd cost them $800 to send one million spam emails. Not to mention the time it takes for domain info to propigate after registering it, etc (spams will fail to get through until the dns info exists).
As far as registering the victim hostname with the SFP server, that would imply that you would have access to the SFP server. I doubt that it would be something you could have a random computer "register" with. I'd imagine it'd be some sort of non-dynamic system, similar to creating a domain server authoritative for your particular domain (most people don't have fancy systems to update dns entries dynamically; at least I never have).
Travelling Mailman problem's solution's problem (Score:5, Insightful)
He mentions the Travelling Mailman problem, that of being able to use your home e-mail address while not on your home network. His solution, having your home mailserver use authentication so that you always send via it, has it's own problem. The problem is Windows malware that e-mails itself out. Several large ISPs have responded to this by prohibiting the use of any mailserver but their own from inside their network. This puts me in a quandry: I wouldn't be able to use my domain while on my ISP's (Cox Cable) network because SPF would reject it, and I can't use my domain's mailserver because my ISP won't let me connect to it. This is, IMHO, a fatal flaw in the scheme.
Re:Travelling Mailman problem's solution's problem (Score:3, Informative)
In this situation, wouldn't you just connect to the ISP's SMTP server and send the email? This system is designed to authenticate SMTP servers, not people connecting to them.
Any mailserver internal to a network
If your internal server tries to send email from reported to be from cox.net (or whatever their domain is) then yes, you'll have a problem. Don't do that.
However, if you own mydomain.com, and have your SPF server report it's ip as an authoritative SMTP server for sendin
Verisign will assume they know better (Score:4, Funny)
*.com. IN TXT "spf=deny"
*.net. IN TXT "spf=deny"
-ez
So the spammer just forges the source IP. (Score:3, Interesting)
double edged sword (Score:3, Interesting)
two problems (Score:3, Interesting)
The *DSL user that has bought a domain foo.bar that is hosted on a server, somewhere in the world (that doesn't allow mail relaying). And this user want to send mail that originates from the foo.bar domain.
Ehhh.. that user is screwed by this.
And patent? Well, that will be very good for making it a technique that every MTA will use.... releasing it as Public Domain? Remember Rambus?
Do as I say, not as I do? (Score:3, Interesting)
$ perl -MMail::SPF::Query -le 'print for Mail::SPF::Query->new(ipv4=>shift, sender=>shift)->result' 207.8.214.4 umbrella.listbox.com
...
fail
client umbrella.listbox.com[207.8.214.4] is not a designated mailer for domain of sender umbrella.listbox.com
So apparently these guys don't have their own mailing list system set up to use their protocol properly? Or am I using their tool wrong? (I'm pretty much just typing in what the README gives).
What about... (Score:3, Funny)
Re:*sigh* people with good intentions... (Score:2)
It used to be, though, that "_" was not legal in hostnames. Since these are not hostnames that are being put into DNS, this is a valid usage.
However, it's still a bad idea as some name resolver libraries and other software do assume, through misunderstanding, that "_" is not legal in DNS and fail responses that contain it.
The fault here is with the resolvers, not this scheme, but since the underscores don't add value here, why not make things more compatib
Re:I-D appears expired Expired (Score:2, Insightful)
Re:SPF doesn't really do anything (Score:2, Insightful)
Re:Isn't this what MX is for? (Score:3, Insightful)
This is, additionally, more elegant than the 'RMX' proposal, as 1. there could be potentially thousands of machines which were trusted to send mail from a given domain, and 2. it doesn't require a new RR type.