
spf at beer
Jan 15, 2007, 8:42 AM
Post #29 of 51
> The reason I've concluded that SPF is only a partial solution to the
> problem is because:
>
> 1) For SPF to be a FULL solution, it requires 100% participation

No it doesn't. Whilst increased participation will obviously lead to more effective filtering, the solution is there *today*, and works fine. My own domains (which are probably a little larger than yours) used to get monstered by forgery, just as yours is - this no longer happens. I've had 5 forgeries in about 3 years.

> If it's not 100% adopted, it's not a full
> solution, IMO.

My opinion differs from yours. And I don't have forgery problems.

> 2) SPF is IP-based, matching envelope from domain SPF records
> (sanctioned IP's) -vs- the actual mail server that sent the mail.
>
> I see several problems with an IP-related technique. Because hosts
> handle the intricacies of mail server set-up for their clients

So don't let them. Your choice is simple - take control, or deal with what other people leave you with. Add up how much time you've spent posting to this thread, and work out just how much problem-solving you could have done in that time.

> ... mail
> server domain names, designations and IP addresses COULD change.

IP address changes are a fact of life. My own MTA IP address changed just a fortnight ago.

> If
> they did, legitimate mail may not reach its destination

None of my mail went walkabout. Every single one was safe - although a couple did get delayed by about 3 hours due to a mix-up in the changeover process.

> (unless hosts
> informed clients of the change, or clients found out about the change
> and updated their SPF records. Hosts typically don't report changes
> they make to clients, so they have to find out

This is part of the service level you get from a provider. If you want to use their MTAs (and I'd recommend against that for the sort of domain you're talking about), you need to create appropriate relationships with your provider to make sure you know what's going on.

> ... HOW? After an
> important email fails to reach its destination?)

If that's what you've planned on, that's what will happen. I would make other arrangements...

> PLUS, the possibility of (as you call it) "cross-forgery", though (like
> you say) I don't really think this would be a problem and if I found
> out, I'd certainly complain and possibly switch hosts. I only mention
> it as a possibility, plus the concern ... HOW would I find out? Only
> AFTER someone sends mail to abuse [at] randsco?

So what plans are you going to put in place to prevent the problem, rather than just respond to it retrospectively? Cross-forgery is not completely avoidable if you use shared servers, but it is trivial to ensure that you don't tell the world that such forgeries are SPF-authorised.

> 3) Possibility of SPAMMER workaround. I have no idea how fool-proof
> is the SPF concept

So think it through. How many times have you seen SPF defeated by a forger? What mechanism could they use to send email through a machine that is authorised according to a rule set up by the owner of the domain[1]?

> but for it to be a FULL solution, spammers couldn't
> defeat it. (i.e., don't know if it's currently possible, but since
> the SPF record is public, couldn't a spammer look it up and then spoof
> emails and also spoof IP addresses within the SPF record?)

How are you going to spoof the IP address during a TCP connection[2]?

Vic.

[1] This is actually possible, apparently, but sufficiently difficult that such an attack just isn't going to happen - it would be far, far more profitable to redirect traffic from somewhere like PayPal than to forge a few emails from my domain.

[2] This is *sort of* possible - but requires the machine with the IP address in question to collaborate with the attack. As such, it's usually used to mask the true source of a spam pipe and therefore hide a particularly spammy identity - but it only works if the spoofed machine is already compromised.
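The exchange above turns on two points: an SPF check compares the IP address of the TCP peer that delivered the message (not anything the sender writes into the message) against the mechanisms the domain owner published, and a record that lists a shared provider MTA authorises every customer of that MTA to use the domain. The following evaluator is an added example, not code from the list or from Vic; it handles only the `ip4`, `ip6` and `all` mechanisms so it runs offline (the DNS-backed mechanisms `a`, `mx`, `include`, `exists` and `ptr` are reported as unsupported rather than resolved), and every record string and address below is a constructed sample using documentation ranges.

```python
import ipaddress

# Map an SPF qualifier prefix to the result a matching mechanism produces.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that need DNS lookups; deliberately not resolved in this
# offline example so the behaviour stays fully deterministic.
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(record):
    """Split a TXT record such as 'v=spf1 ip4:198.51.100.7 -all' into
    (qualifier, mechanism, argument) tuples, in evaluation order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"          # absent qualifier means '+' (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def evaluate(record, client_ip):
    """Return the SPF result for the connection peer address client_ip.

    client_ip must be the address the receiving MTA observed on the TCP
    connection; a sender cannot pick this value because the TCP handshake
    would not complete with a forged source address."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            # A bare address means a single host (/32 or /128).
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            # 'all' always matches; it carries the default verdict.
            return QUALIFIER_RESULT[qualifier]
        elif name in DNS_MECHANISMS:
            raise NotImplementedError(
                f"mechanism '{name}' needs DNS and is not resolved here")
        else:
            # RFC 7208 treats an unknown mechanism as a permanent error.
            return "permerror"
    # Record exhausted without a match and without an 'all' term.
    return "neutral"


def cross_forgery_demo():
    """Illustrate the shared-MTA point from the thread with constructed data.

    SHARED_RECORD lists a provider MTA used by many customers, so any mail
    that MTA relays (for any customer) passes for this domain.  OWN_RECORD
    lists only the domain owner's own MTA, so mail relayed through the
    shared host fails."""
    shared_mta = "203.0.113.5"      # constructed: provider's shared relay
    own_mta = "198.51.100.7"        # constructed: the domain owner's MTA
    SHARED_RECORD = f"v=spf1 ip4:{shared_mta} -all"
    OWN_RECORD = f"v=spf1 ip4:{own_mta} -all"
    return {
        "shared_record_via_shared_mta": evaluate(SHARED_RECORD, shared_mta),
        "own_record_via_shared_mta": evaluate(OWN_RECORD, shared_mta),
        "own_record_via_own_mta": evaluate(OWN_RECORD, own_mta),
    }


if __name__ == "__main__":
    for label, verdict in cross_forgery_demo().items():
        print(f"{label}: {verdict}")
```

The `evaluate` function is what a receiving MTA would run with the peer address of the SMTP session; the `cross_forgery_demo` function shows why a record that names a shared relay authorises that relay's other customers, while a record naming only the owner's MTA does not.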