
Mailing List Archive: SPF: Discuss

Throwaway domains

 

 



erik at arbat

Oct 9, 2003, 5:49 AM

Post #1 of 6 (391 views)
Throwaway domains

Hi,

From the FAQ:

We can counter with:

1. fast automated blacklisting using spamtraps and attack detectors
2. simple reputation systems based on factors such as
   * age of domain according to whois
   * email profile of domain, e.g. "too many unknown recipients"
   * call-back tests to see if the sender domain is able to receive
     mail.
   The reputation system can advise a receiving MTA to defer or reject.
3. legal methods following the paper trail of who paid for the domain.

All these things can be done now with IP-based blacklisting.
(The exception is the call-back test, but that's not a very good
test anyway).

Advantages of an SPF-based system:

* A trojaned machine with a dynamic IP can appear on many IP
  addresses. The same isn't possible with SPF.
* We don't need help from the ISP to blacklist a spammer with SPF.
* The ownership info for a domain is available centrally (whois)
  and publicly rather than decentrally (ISP customer records).
* Innocent parties inherit IP addresses. That won't happen with
  spammer domains.

Nevertheless detecting throwaway domains will be a big challenge in
an SPF-protected world. The key is the whois information, so:

* How much information can be pulled out of
  whois, and how automated can you make that?
  + Date of registry (not that useful - domains can be pre-allocated)
  + Real-world ID of person registering (quite useful)
* Can the whois infrastructure cope with large-scale automated
  polling by mail filters?
* Since whois only handles 2nd level domain data can SPF ever
  be useful for subdomains?

Other thought:

* The quality of a registrar might well become a filtering
  criterion. Registrars that publish good whois info and
  are good at checking ID may earn their users a better spam
  filtering score.

--
Erik Corry erik [at] arbat
A: Because it messes up the order in which people normally read text.
Q: Why is top-replying such a bad thing?
A: Top-replying.
Q: What is the most annoying thing in email?

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/


markjr at easydns

Oct 9, 2003, 6:15 AM

Post #2 of 6 (385 views)
Re: Throwaway domains [In reply to]

Personally I think throw-away domains are out-of-scope. Spf/rmx type
solutions solve one aspect of the spam problem: forged headers, joe
jobs, etc.

> Nevertheless detecting throwaway domains will be a big challenge in
> an SPF-protected world. The key is the whois information, so:
>
> * How much information can be pulled out of
> whois, and how automated can you make that?
> + Date of registry (not that useful - domains can be pre-allocated)
> + Real-world ID of person registering (quite useful)
> * Can the whois infrastructure cope with large-scale automated
> polling by mail filters?
> * Since whois only handles 2nd level domain data can SPF ever
> be useful for subdomains?

With regard to whois, or using it to score throw-away domain detection,
I advise against it. That's not what the whois database is designed
for and they simply were not built with the performance considerations
that this would require.

In the present, many registries and registrars already meter and throttle
connections to their whois databases, and going forward port-43 whois
may not even be around in its current form for long, so building reliance
on this will very likely see it pulled from under in the foreseeable
future.

> * The quality of a registrar might well become a filtering
> criterion. Registrars that publish good whois info and
> are good at checking ID may earn their users a better spam
> filtering score.
>

From a personal vantage point I do notice a trend for throw-away domains
to coagulate on identifiable groups of nameservers. You can deal with
throw-away domains in two ways: maintain RBLs of known spam domains
for the existing ones, then null route/blackhole the known nameservers
for them and set your MTA's to reject unknown domains.

-mark

--
Mark Jeftovic <markjr [at] easydns>
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237



erik at arbat

Oct 9, 2003, 6:39 AM

Post #3 of 6 (383 views)
Re: Throwaway domains [In reply to]

On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
>
> Personally I think throw-away domains are out-of-scope. Spf/rmx type
> solutions solve one aspect of the spam problem: forged headers, joe
> jobs, etc.

I was sort of hoping SPF could be used to help prevent spam
too. :-)

The essential feature of SPF is that it allows us to tie
an email to some identity that takes responsibility for its
spam-freeness. It's vital that it's not too simple to create
new identities, otherwise we haven't achieved much.

> In the present, many registries and registrars already meter and throttle
> connections to their whois databases, and going forward port-43 whois
> may not even be around in its current form for long, so building reliance
> on this will very likely see it pulled from under in the forseeable
> future.

Is there even any way to identify the registrar of a given domain?
It would be very useful to at least be able to identify rogue
registrars who don't check ID.

> > * The quality of a registrar might well become a filtering
> > criterion. Registrars that publish good whois info and
> > are good at checking ID may earn their users a better spam
> > filtering score.
>
> From a personal vantage point I do notice a trend for throw-away domains
> to coagulate on identifiable groups of nameservers. You can deal with
> throw-away domains in two ways: maintain RBLs of known spam domains
> for the existing ones, then null route/blackhole the known nameservers
> for them and set your MTA's to reject unknown domains.

If your method becomes popular then it's not that hard to get around
for the spammers. If they have machines that can be used to host
SMTP spews then they can probably be used to host a name server too.
Those trojaned ADSL machines should be usable for both.

Last I checked there was no restriction on which machines you could
use as name servers on a .com domain.

--
Erik Corry erik [at] arbat
A: Because it messes up the order in which people normally read text.
Q: Why is top-replying such a bad thing?
A: Top-replying.
Q: What is the most annoying thing in email?



markjr at easydns

Oct 9, 2003, 8:22 AM

Post #4 of 6 (382 views)
Re: Throwaway domains [In reply to]

On Thu, 9 Oct 2003, Erik Corry wrote:

> On Thu, Oct 09, 2003 at 09:15:56AM -0400, Mark Jeftovic wrote:
> >
> > Personally I think throw-away domains are out-of-scope. Spf/rmx type
> > solutions solve one aspect of the spam problem: forged headers, joe
> > jobs, etc.
>
> I was sort of hoping SPF could be used to help prevent spam
> too. :-)
>

It will. By solving the forged header problem extremely large amounts
of spam will never make it through spf enabled MTA's from spf enabled
domains.

> The essential feature of SPF is that it allows us to tie
> an email to some identity that takes responsibility for its
> spam-freeness. It's vital that it's not too simple to create
> new identities, otherwise we haven't achieved much.
>

As I understand it, spf basically enables domain holders to be responsible
for their own domains by eliminating the ability for other people to
do so (by sending out spam with my domain name in the "from" header).

Spf will not prevent anyone from sending spam out from domains they
control, that's out-of-scope for spf/rmx. It solves one specific
problem but believe me, that's one big problem and I'm happy to see
something sensible come along to solve it.

Example: If Hotmail, Yahoo, Msn and Aol started using spf/rmx we could
easily eliminate about a half million spam messages per day from
traversing our mail forwarders.

-mark

--
Mark Jeftovic <markjr [at] easydns>
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237



bryce at jasmer

Oct 9, 2003, 8:57 AM

Post #5 of 6 (383 views)
RE: Throwaway domains [In reply to]

On Thu, Oct 09, 2003 at 11:22:43AM -0400, Mark Jeftovic wrote:
> Example: If Hotmail, Yahoo, Msn and Aol started using spf/rmx we could
> easily eliminate about a half million spam messages per day from
> traversing our mail forwarders.

<devils-advocate>
Yes, but that would only last for a month or two. Don't forget that the spammers are quick to adapt to our solutions. We'll just be pushing them to forge amazon.com, cnn.com, ebay.com until they realize it is a problem. And then they'll forge momandpop.com. When that stops working, they'll move on to other methods of getting their message out.
</devils-advocate>

I'm all for SPF. I just cringe when I hear statements about it eliminating spam.

Bryce



wayne at midwestcs

Oct 10, 2003, 8:02 PM

Post #6 of 6 (384 views)
Re: Throwaway domains [In reply to]

In <20031009155709.GA23047 [at] jasmer> Bryce Jasmer <bryce [at] jasmer> writes:

> <devils-advocate>
> Yes, but that would only last for a month or two. Don't forget that
> the spammers are quick to adapt to our solutions. We'll just be
> pushing them to forge amazon.com, cnn.com, ebay.com until they
> realize it is a problem. And then they'll forge momandpop.com. When
> that stops working, they'll move onto other methods of getting their
> message out.
> </devils-advocate>

Yes, but by the time spammers are forced to move to
obscure-momnpop.com, many MTA's will be rejecting email from any
domain that doesn't publish SPF (RMX/etc.) information. This will
cause a very rapid adoption of the system at that point.

Then, the spammers will either go to their own domains, which
has problems, or go to domains that publish SPF *.domain "SPF=allow".
The latter will cause those domains to reconsider allowing anyone to
send email using their name.


SPF will box in the spammers/email-worm authors.


-wayne
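
The signals raised across this thread (domain age, "too many unknown recipients", nameservers shared with known spam domains, domain RBLs, missing SPF) combined into one accept/defer/reject decision. This is an added example, not part of any post; the weights, thresholds, class and function names and the sample domains are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Thresholds and weights are assumptions for illustration, not from the thread.
MIN_AGE_DAYS, MIN_RCPT_SAMPLE, MAX_UNKNOWN_RATIO = 30, 20, 0.5
DEFER_AT, REJECT_AT = 2, 4

@dataclass
class SenderDomain:
    name: str
    registered: date        # from cached registration data, not a live whois poll
    nameservers: frozenset  # NS hosts serving the domain
    rcpt_total: int         # recipients attempted by this domain so far
    rcpt_unknown: int       # of those, nonexistent mailboxes
    publishes_spf: bool

def score(d, today, domain_rbl, ns_rbl):
    """Return (verdict, reasons) for the envelope-sender domain of a message."""
    if d.name in domain_rbl:
        return "reject", ["domain on RBL"]
    points, reasons = 0, []
    if d.nameservers & ns_rbl:
        points += 3
        reasons.append("nameserver shared with known spam domains")
    if d.rcpt_total >= MIN_RCPT_SAMPLE and d.rcpt_unknown / d.rcpt_total > MAX_UNKNOWN_RATIO:
        points += 2
        reasons.append("too many unknown recipients")
    if not d.publishes_spf:
        points += 2
        reasons.append("no SPF record published")
    if (today - d.registered).days < MIN_AGE_DAYS:
        points += 1  # weak signal on its own: domains can be pre-allocated
        reasons.append("recently registered")
    verdict = "reject" if points >= REJECT_AT else "defer" if points >= DEFER_AT else "accept"
    return verdict, reasons

# Constructed sample data (reserved .example names), evaluated as of the thread's date.
TODAY = date(2003, 10, 10)
DOMAIN_RBL = frozenset({"known-spam.example"})
NS_RBL = frozenset({"ns1.bulk-dns.example"})
HOSTER = frozenset({"ns.hoster.example"})
SAMPLES = [
    SenderDomain("fresh-offer.example", date(2003, 10, 1), NS_RBL, 400, 310, True),
    SenderDomain("old-shop.example", date(1998, 3, 2), HOSTER, 50, 2, True),
    SenderDomain("new-startup.example", date(2003, 9, 25), HOSTER, 10, 0, True),
    SenderDomain("quiet.example", date(2001, 1, 1), HOSTER, 30, 1, False),
]

def verdicts():
    return {d.name: score(d, TODAY, DOMAIN_RBL, NS_RBL)[0] for d in SAMPLES}
```

A recently registered domain with no other signal is accepted, reflecting the point that registration date alone says little; the nameserver and recipient-profile signals carry the weight.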

