TMDA Re: [Gllug] New worm doing the rounds?
will
will at hellacool.co.uk
Wed Feb 18 17:12:58 UTC 2004
Jason Clifford wrote:
> On Tue, 17 Feb 2004, will wrote:
>
>
>>Only if the MTA was set up badly (stupidly?). The chances are Bruce's
>>mail would have sailed past the SPF checks just fine because UKLinux.net
>>does not have SPF records, and if you set up SPF properly (ISTR) you
>>wouldn't fail a check if a domain does not have an SPF record.
>
> So all a spammer needs to do in order to avoid SPF blocking its email is
> to use domains that don't publish SPF records?
Yep, and maybe subject those emails to more thorough spam checking, eg
RBL checks. It *will* catch spam because *some* spammers *will* break
SPF policies. My spam defence is not a single silver bullet, it relies
on 'defense in depth'.
> Doesn't sound like a very useful tool in blocking spam and it seems to me
> to be a recipe for vast numbers of false positive matches in SPF rules
> causing lots of legitimate email to be bounced.
>
> That, to me, is the worst of both worlds.
It is not *just* a tool for blocking spam, when I get round to setting
up the SPF records for the company I administer the servers for, it
will be helpful in dealing with possible joe-jobs, as less people will
have accepted the original spam emails 'from' us. At the same time, it
could prevent people from sending messages to a lot of people actually
claiming to be us ('Phishing'), although in my company's industry that
is less of a risk.

And that is without me doing any filtering on incoming mail. When I
implement filtering on incoming email, I will not receive any mail that
has been sent from a host that the administrators of $DOMAIN have not
said should be sending for $DOMAIN. I am going to have to assume that
the administrators for $DOMAIN know best where mail for $DOMAIN should
be coming from.

Harsh, that. OK, so someone sends an email from a host that the SPF
policy says should not be sending mail for a given domain. I reject it
based on that domain's own administrators' rules about who should be
sending mail for that domain. OK, no loss there then.

But wait! There is no SPF policy or a wildcard! Aren't I depriving
some people of their right to do whatever they god damn well like on the
internet? Um, no, mail with wildcard or no SPF policy for sender domain
will get passed through the spam checks as before.

Result?

SPF gets rid of some spam but not all, but provides another hurdle to
the spammers in the 'defence in depth' anti-spam setup.

Also, it helps alleviate joe-job attacks. Yeah, sure, the spammer might
choose a domain that does not have SPF, or has a wildcard, but where is
my loss there? They don't use me as the joe-job victim, darn.

What have you lost? Nothing, I still do my RBL and Bayesian filtering
just the same. If I didn't accept mail from people with no, or wildcard
SPF policies, it would be my (unwise) choice and I would lose a lot of
mail, but I don't, so I won't.
> It's nothing like running an open proxy.
>
> Open proxies are abuse and serve no valid legitimate purpose.
Maybe that was a bad example/metaphor/whatever. For coherent debate you
need to be talking to Bruce, he knows longer words than me ;)
> The freedom to use your email address regardless of your current 'net
> connection is very significant to anyone who is a mobile user or who works
> from home or who is sending personal email from a work place (where
> permitted under the employer's terms of use) or who is working on a
> project, etc.
I have never had a problem with this, and the users here won't as soon
as I have set them up for remote access. Yeah, SPF might change some
things on the internet, like more ISPs might bring in SMTP AUTH, but
there has to be some sort of change or spam will continue to spread.
You can wait X years for the IETF to sort something out, but I am
dealing with so much spam/NDA's now that I need to do something about
it. When the IETF solve spam, maybe I will use that solution
as well/instead. It is certainly better than having to use Outlook to
send people email, because as Bruce has said, Bill will not be far
behind trying to solve the spam problem, and I bet he doesn't do it in
an open sorta way.
> The number of legitimate and significant uses is very great indeed both
> commercially and non commercially.
>
>> Yes, sometimes, but then so is the convenience of not having to use a
>>password to log into any of our win98 machines at work.
>
> It's more than convenience. The alternative is being forced into single
> supplier lock in. That will lead to effective monopolies if carried.
Um, which single supplier are you getting your SPF from? Or are you
talking about having to use a single supplier for your SMTP services?
Well, if you use anything at ukfsn.org or anything at something.ukfsn.org you
are still using a single supplier, whoever you use for your SMTP.
Will.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
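
The receiver policy described in the message above (reject only when the sender domain's own SPF policy says the host should not be sending; pass no-record and wildcard domains on to the other spam checks), sketched as an added example that is not part of the original post. It evaluates only a subset of SPF (`ip4`, `ip6`, `all`); the domains, addresses and records are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample SPF TXT records keyed by sender domain (not real data).
SAMPLE_TXT = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "wildcard.example": "v=spf1 +all",
    "soft.example": "v=spf1 ip4:198.51.100.25 ~all",
    # "nospf.example" deliberately publishes no record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, records=SAMPLE_TXT):
    """Evaluate a subset of SPF (ip4, ip6, all) for the connecting client_ip."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this subset
    return "neutral"  # nothing matched and the record has no "all" term


def receiver_action(domain, client_ip, records=SAMPLE_TXT):
    """Reject only on an explicit fail; everything else goes on to RBL/Bayes."""
    result = spf_result(domain, client_ip, records)
    return ("reject" if result == "fail" else "spam-checks"), result


if __name__ == "__main__":
    for dom in ("strict.example", "wildcard.example", "soft.example", "nospf.example"):
        print(dom, receiver_action(dom, "203.0.113.7"))
```
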