
Mailing List Archive: SPF: Discuss

Anti-spam

 

 



spf at nedharvey

Oct 9, 2003, 4:50 AM

Post #1 of 7 (375 views)
Anti-spam

Hi, I've written a draft proposal against spam, and one of the people who read it referred me to SMTP+SPF. I've read the information about SPF, and here is my reaction:

Because sender verification is performed by checking the IP address from which the mail was sent, there's a problem whenever a user is travelling, or uses dial-up and doesn't know what his/her address is going to be. I haven't seen any solution to this problem in any of the pages, or in the FAQ, is there?

You seem to think that the problem of sender-verification can't be solved with backward-compatibility. I view this as a bootstrap problem, because nobody will start using it until it's already popular.

My proposal doesn't have these problems. Would you please look at this, and tell me how you feel it compares with SPF?
http://nedharvey.com/stopspam/proposalVSMTP.php






-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/


mengwong at dumbo

Oct 9, 2003, 9:44 AM

Post #2 of 7 (371 views)
Re: Anti-spam [In reply to]

On Thu, Oct 09, 2003 at 04:50:26AM -0700, Mr. Ned wrote:
| Hi, I've written a draft proposal against spam, and one of the people who read it referred me to SMTP+SPF. I've read the information about SPF, and here is my reaction:
|
| Because sender verification is performed by checking the IP address from which the mail was sent, there's a problem whenever a user is travelling, or uses dial-up and doesn't know what his/her address is going to be. I haven't seen any solution to this problem in any of the pages, or in the FAQ, is there?

I tried to address this problem at http://spf.pobox.com/objections.html
under "The Traveling Mailman Problem".

"the IP address from which the mail was sent" is not a specific
concept. SPF only operates within the context of a single SMTP
transaction, testing the TCP client IP. If you are travelling, but can
connect to your home SMTP server, there is no problem.

Are you familiar with SASL AUTH?

A cookie-style proposal such as you suggest has been recently posted to
the SPF list.

see
http://archives.listbox.com/spf-discuss [at] v2/200310/0049.html
http://archives.listbox.com/spf-discuss [at] v2/200309/0017.html



paul at xtdnet

Oct 9, 2003, 9:48 AM

Post #3 of 7 (371 views)
Re: Anti-spam [In reply to]

On Thu, 9 Oct 2003, Mr. Ned wrote:

> My proposal doesn't have these problems. Would you please look at this, and tell me how you feel it compares with SPF?
> http://nedharvey.com/stopspam/proposalVSMTP.php

A quick look:

"The sender uses his/her username and password to login"

First of all, with all the free email out there, who would need to
adopt this, it just becomes another race again. Second, PC security
sucks. Some people believe most spam already comes from hacked/infected
machines, and the current dictionary attacks we receive seem to support
that theory, since they never connect to me more than once in a spam run.
If they can hack/infect the machine, they can either 1) create new accounts
at free ISPs or 2) steal the user's identity, or 3) ask for lots of LUMIDs.

And now a re-install of his PC won't even help, the identity will be put
on blacklists and this person has to get a new email address.

Fighting spam by relying on user's ability to keep their password/token
secret is a lost race.

Paul



spf at nedharvey

Oct 9, 2003, 1:06 PM

Post #4 of 7 (370 views)
Re: Anti-spam [In reply to]

Paul Wouters <paul [at] xtdnet> wrote :

> On Thu, 9 Oct 2003, Mr. Ned wrote:
>
> First of all, with all the free email out there, who would need to
> adopt this, it just becomes another race again.

Your argument is unclear. The only thing I understood in those two sentences is the suggestion that spammers will just go get more and more free email accounts.

The more people abuse free email providers, the more those providers will invest in preventing robots from generating new email accounts, or be crushed by the spammers robbing them. Either way is failure for the spammer.

It is one thing to get a free email account someplace like Hotmail or Yahoo, where all of your email is handled through a web interface. Such a service is commonplace, and not expected to go away anytime soon. It is another thing for somebody to offer free SMTP service, especially if it requires username and password to get in. This is almost nonexistent, and when it does exist, it's abused and blacklisted quickly.

When somebody signs up for free email service, they won't get free SMTP. Much less free VSMTP. If the provider provides free SMTP or VSMTP, trust me they will soon be blacklisted.

When somebody writes a program to automatically work through the web interface of a free email provider, they are costing the email provider money, and providing them incentive to stop robots from creating new email accounts. Plus, this spam can only work for a little while before being blacklisted. So sign up for another account. And get blacklisted. Etc etc. The free email provider will soon either be blacklisted, button up security, or go bankrupt.

When you get spam from spammy [at] hotmail, you don't really think that message was sent from hotmail's SMTP servers, do you? The address was forged. If hotmail used VSMTP, the message would be rejected for delivery, unless somebody hacked hotmail's VSMTP server.

I do not claim that hotmail is unhackable for somebody to get in, and start generating LUMIDs on hotmail's MX, but I do claim that such a problem will be handled as fast as hotmail's IT staff can handle it. If somebody cracks their way into hotmail's internal network, you think they don't prosecute?

The problem of protecting passwords is a problem I WANT to have, because it's a whole lot better than letting them do it for free. Worse, if they don't use a password, it's completely legal because it's an unrestricted public service.


> Second, PC security
> sucks. Some people believe most spam already comes from
> hacked/infected

It's true that PC security sucks. But you didn't list your PC's IP address as the MX for your domain, did you? Even if somebody hacks into your PC and starts using you as an SMTP service, they won't have any GUMIDs, and therefore mail is rejected if the receiver (and you) use VSMTP. Even if they set up a program to start verifying GUMIDs on your PC, your PC will never be queried because you're not the MX for your domain.


> If they can hack/infect the machine, they can either 1) create new accounts
> at free ISPs or 2) steal the user's identity, or 3) ask for
> lots of LUMIDs.

If there's a free ISP, please let me know. Furthermore, if there's a free ISP that doesn't require any time to create an account there, and doesn't require any evidence that I'm a real human, and is actually usable, especially with high speed connection, what a deal. Tell me where to sign. They don't exist.

If an MX, a domain, or somebody's individual account is compromised, they will be abused by unethical individuals, and therefore blacklisted until they correct the problem.

The same goes for generating lots of GUMIDs.


> And now a re-install of his PC won't even help, the identity will be put
> on blacklists and this person has to get a new email address.

There currently exist blacklists. Are you suggesting that these blacklists are immutable, and the person whose security was compromised remains there for life, even after security is regained?

Obviously you can be cleared from a blacklist by showing that you've regained security of your identity.


> Fighting spam by relying on user's ability to keep their password/token
> secret is a lost race.

Whenever you see an obstacle, you should look for a way around it. The user isn't necessarily trusted to keep their password secret, if the ISP or whoever enforces it. It's entirely reasonable for the ISP to provide a system generated password for the life of the account, and for the password authorization to be implemented encrypted, according to the policy of the ISP, who obviously has incentive to protect the password.








spf at nedharvey

Oct 9, 2003, 1:32 PM

Post #5 of 7 (370 views)
Re: Anti-spam [In reply to]

Meng Weng Wong <mengwong [at] dumbo> wrote :

> I tried to address this problem at http://spf.pobox.com/objections.html
> under "The Traveling Mailman Problem".
>
> "the IP address from which the mail was sent" is not a specific
> concept. SPF only operates within the context of a single SMTP
> transaction, testing the TCP client IP. if you are travelling, but can
> connect to your home SMTP server, there is no problem.

If my home SMTP server is in New England, but I am travelling in Australia, the speed and reliability of my connection are bound to be very poor. You and I both recognize the advantage of using a local mail relay instead of always being bound to a single mail relay across the world. Plus, as you said, "if you can connect"... A lot of ISPs and corporate networks filter port 25.

With VSMTP, you are bound to the server across the world, on a well known, unfiltered port, for a very short time. (Port 80.) After that, you may send the message through the local mail relay. Advantage #1: It works. Advantage #2: It's much faster than sending the whole message across the world. #3: 100% backward compatible.


> Are you familiar with SASL AUTH?

I am familiar enough to know that it is used to authenticate the sender. But when a person receives the message, they don't know if the sender was authenticated or not. The message could have come from anybody.


> A cookie-style proposal such as you suggest has been recently posted to
> the SPF list.
>
> see
> http://archives.listbox.com/spf-discuss [at] v2/200310/0049.html
> http://archives.listbox.com/spf-discuss [at] v2/200309/0017.html

Thank you, I very much like what MJD said. I'm trying to contact him now.








Peter.Viertel at macquarie

Oct 9, 2003, 5:19 PM

Post #6 of 7 (371 views)
RE: Anti-spam [In reply to]

Mr Ned Said:

> If my home SMTP server is in New England, but I am travelling
> in Australia, the speed and reliability of my connection are
> bound to be very poor. You and I both recognize the
> advantage of using a local mail relay instead of always being
> bound to a single mail relay across the world. Plus, as you
> said, "if you can connect"... A lot of ISPs and corporate
> networks filter port 25.
>

What have you guys got against Australia? If you're going to pick on somewhere as an example of a backwater, try not to pick on our continent as an example - maybe Antarctica would be a better choice <g>.

I live on the Australian East Coast, my SMTP outgoing server is in the UK, I use SMTP Auth / SMTP TLS for sending messages, it's not much slower than when I was in the UK. I see absolutely no advantage to having a local SMTP server, it certainly doesn't cost any less to use. I have little desire to choose and evaluate the trustworthiness of SMTP servers every time I connect up to a local ISP.


> > Are you familiar with SASL AUTH?
>
> I am familiar enough to know that it is used to authenticate
> the sender. But when a person receives the message, they
> don't know if the sender was authenticated or not. The
> message could have come from anybody.

Hmm, sounds like a good reason to have SPF.



spf at nedharvey

Oct 9, 2003, 6:58 PM

Post #7 of 7 (371 views)
RE: Anti-spam [In reply to]

Peter Viertel <Peter.Viertel [at] macquarie> wrote :

> Mr Ned Said:
>
> > If my home SMTP server is in New England, but I am travelling
> > in Australia, the speed and reliability of my connection are
> > bound to be very poor. You and I both recognize the
> > advantage of using a local mail relay instead of always being
> > bound to a single mail relay across the world. Plus, as you
> > said, "if you can connect"... A lot of ISPs and corporate
> > networks filter port 25.
> >
>
> What have you guys got against Australia? If you're going to pick on somewhere
> as an example of a backwater, try not to pick on our continent as an example -
> maybe Antarctica would be a better choice <g>.

I don't have anything against Australia. The reason I chose Australia is because it's on the exact opposite side of the world from New England.





