TMDA Re: [Gllug] New worm doing the rounds?

Bruce Richardson itsbruce at uklinux.net
Wed Feb 18 13:10:20 UTC 2004 

On Tue, Feb 17, 2004 at 06:54:18PM +0000, Alistair wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Thus spaketh Bruce Richardson on Tuesday 17 February 2004 3:48 pm:
> > On Tue, Feb 17, 2004 at 12:25:18PM +0000, Alistair wrote:
> > > I'm less optimistic about SPF. A greater problem than low value for early
> > > adopters will be low value for all once widely adopted, as it is trivial
> > > to circumvent: just make the envelope sender sufficiently accurate.
> >
> > No.  SPF can quite validly be used to validate From and Sender headers
> > as well as the envelope sender.  
> 
> SPF would tend to reduce the utility of email address portability. It is 
> useful for me when onsite to send email from my own work's email address. 

No problem.  Set up SMTP auth on your work mail server and allow
authenticated connections to relay out.  That's what we do.
Alternatively, get your employer's ISP to give you a dial-up account
with a fixed ip address.  Or just have one of your ISP mail relays added
to the SPF records for your domain, if you're really lazy.

> It 
> is useful for sales managers -- bless their cotton socks -- to send from just 
> one email address whether they be in the office, under a hotpoint or in a 
> hotel in Sydney, AU. It is useful for the less computerate (ie, PHBs) to be 
> able to send email from their work address from their dialup connection at 
> home. SPF reduces the ability to do the above.

No, it just requires you to do a small amount of extra work on the admin
side.

> 
> A wildcard would solve these problems, yet this 'cure' could be worse than the 
> problem: a wildcard is useless to you for the reasons you have given 
> elsewhere.

A wildcard is useless to a private organisation but I've just shown you
why you wouldn't need one.

> It is useless to me as it offers nothing extra in return for 
> another point of failure.

If it prevents a spammer from joe-jobbing your organisation, it's
offering you extra.  Same if it lets you reject more spam.

> SPF doesn't identify the sender to any greater level that date/time and IP 
> address already does: dup-1-2-3-4.demon.net could still forge his sender 
> address as dup-5-6-7-8.demon.net, so it is of no additional use in 
> determining compromised machines. 

Time to repeat that you can use SPF to validate the From: header, which
is often more useful than validating the sender.  In fact, checking the
From: header is going to be the most valuable method.

> 
> It is undoutably thinking along the right lines, yet the economics are bad: 
> admins and users face an permanent increase in operating costs

Really?  Justify that.  If you keep having to update the DNS records,
you're doing something wrong.  How much more does it cost you to use an
SPF-enabled version of Postfix or Exim?  I'm intrigued.

> for a one-off 
> increase in the fixed costs of spammers.

Again, justify that.  If an SPF-style solution were to become pervasive,
I could reject any mail that didn't come from a relay that was
specifically authorised to relay for domain X.  In that scenario, the
only way that the spammer can send me.

See, I already reject mail that comes from imaginary domains.  It's an
easy win.   However, there are a lot of domains on the internet that
aren't intended to be sending out any mail at all (mail isn't the only
service on the Internet).  I currently have no way of distinguishing
those domains (or marking one of my own as such).  SPF would fix that.
That's another win and we haven't even got to the bit about designated
mail sources for those domains that do want to send mail.  SPF would
permanently make those domains unavailable for spammers to abuse, so how
is that a one-off cost?  It's a permanent restriction.

> 
> > In fact, it's often more useful to
> > validate the headers than the envelope because some mail clients bollix
> > the envelope sender.
> 
> Yup.

Erm, yes, indeed.  So you agree, then?

-- 
Bruce

What would Edward Woodward do?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20040218/ee2f6652/attachment.pgp>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list