TMDA Re: [Gllug] New worm doing the rounds?

Alistair Mann alistair at lgeezer.net
Tue Feb 17 18:54:18 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thus spaketh Bruce Richardson on Tuesday 17 February 2004 3:48 pm:
> On Tue, Feb 17, 2004 at 12:25:18PM +0000, Alistair wrote:
> > I'm less optimistic about SPF. A greater problem than low value for early
> > adopters will be low value for all once widely adopted, as it is trivial
> > to circumvent: just make the envelope sender sufficiently accurate.
>
> No.  SPF can quite validly be used to validate From and Sender headers
> as well as the envelope sender.  

SPF would tend to reduce the utility of email address portability. It is 
useful for me when onsite to send email from my own work's email address. It 
is useful for sales managers -- bless their cotton socks -- to send from just 
one email address whether they be in the office, under a hotpoint or in a 
hotel in Sydney, AU. It is useful for the less computerate (ie, PHBs) to be 
able to send email from their work address from their dialup connection at 
home. SPF reduces the ability to do the above.

A wildcard would solve these problems, yet this 'cure' could be worse than the 
problem: a wildcard is useless to you for the reasons you have given 
elsewhere. It is useless to me as it offers nothing extra in return for 
another point of failure. It is use/ful/ to the spammer as users may 
erroneously believe that SPF has improved the odds that the email in front of 
them is legitimate.

SPF doesn't identify the sender to any greater level than date/time and IP 
address already does: dup-1-2-3-4.demon.net could still forge his sender 
address as dup-5-6-7-8.demon.net, so it is of no additional use in 
determining compromised machines. 

It is undoubtedly thinking along the right lines, yet the economics are bad: 
admins and users face a permanent increase in operating costs for a one-off 
increase in the fixed costs of spammers.

> In fact, it's often more useful to
> validate the headers than the envelope because some mail clients bollix
> the envelope sender.

Yup.
- -- 
Alistair
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: As seen at http://search.keyserver.net

iD8DBQFAMmNbEz+/jt85AfsRAsdWAJ41diawxeZMB5NWI+SG+4ww0nSR1gCeMs2g
+VVDhA24NVzMM9nAU+qIuQQ=
=wKtx
-----END PGP SIGNATURE-----

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
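
The trade-off argued in the message above, as an added example that is not part of the original post: a simplified SPF check (only the `ip4` and `all` mechanisms) run against a strict record and a `+all` wildcard record. The record strings, IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Qualifier prefix -> SPF result; "+" is the default when no prefix is given.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record using only the ip4 and all mechanisms.

    Real SPF also has a, mx, include, exists, redirect and macros; any of
    those is reported here as "permerror" rather than guessed at.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched

# Constructed policies and addresses (documentation ranges only).
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"    # only the office relay range
WILDCARD = "v=spf1 ip4:192.0.2.0/24 +all"  # the "wildcard" cure
HOSTS = [
    ("office", "192.0.2.25"),      # relay inside the published range
    ("roaming", "198.51.100.77"),  # legitimate user on a hotel or dialup link
    ("unrelated", "203.0.113.9"),  # host with no connection to the domain
]

def compare():
    """Return {label: (strict_result, wildcard_result)} for each sample host."""
    return {label: (check_spf(STRICT, ip), check_spf(WILDCARD, ip))
            for label, ip in HOSTS}

if __name__ == "__main__":
    for label, (strict, wildcard) in compare().items():
        print(f"{label:10} strict={strict:5} wildcard={wildcard}")
```

Under the strict record the roaming user fails exactly as the unrelated host does; under the wildcard record both pass, so the result no longer distinguishes them.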



