
Re: [Asrg] Re: "worm spam" and SPF



On Fri, 3 Dec 2004, aseem_jakhar at persistent.co.in wrote:
>>>> Or, alternatively, the problem SPF "solves" is NOT the spam
>>>> problem, nor is it the worm problem.

>>> Yes, that's true, SPF attacks the problem of forged MAIL FROM
>>> addresses and forged HELO domains.

>> Right, but if that's the ONLY thing it does then it shouldn't be talked
>> about as a cure for spam, since spam DOES NOT HAVE TO USE forged From
>> addresses or forged HELO domains.

> It was never meant to be a cure for spam. 

If not, it's certainly been PRESENTED that way.

> It is just an anti forgery thing.  But still in a way it is related to the
> spam problem because there are spams blocked by checking SPF records.

There are also a GREAT many LEGITIMATE mails "blocked by checking SPF records", 
and that's a good part of the problem with the (ill-conceived) approach.

>>> ...It's indirectly related to spam and worms at the moment, like open
>>> relays were related to the spam problem some years ago.

>> "Indirectly related" is fine, as long as we recognize it ONLY as such.
>> (And as such, I think it gets WAY more discussion and attention than it
>> deserves.)

>> I don't see SPF as the solution for almost ANY questions.

>>> "Many" is good enough, spammers and worm authors won't waste
>>> their time with something not working at say AOL or behind SA.

>> The idea of creating a confusing patchwork lattice mesh that the spam
>> would have to work its way through is fine.  But SPF is not at all
>> difficult to defeat... you just send the mail using the infected victim's
>> authorizations.

> Tell me one spammer who has the time and patience to first email a worm +
> sniffer to a victim and then wait for the sniffer to sniff the victim's
> username pwd and other user name pwd, and then start using those ID/pwd
> for sending out mails, worst if the network is switched, then wasting
> time in arp spoofing and waiting to sniff.

Don't be ridiculous and set up these stupid straw men arguments.

First of all, you make it sound like some "extra step" is required by the 
spammer, and that's just not true.

Once a machine is infected, it's generally trivial to find the infected user's 
E-mail address.  And it's nearly as trivial to find their outgoing E-mail 
password, whether from the registry or by monitoring the legitimate outgoing 
E-mails they send.

> There are still open relays, return path forgeries etc used by spammers
> because most ppl rely only on Anti spam wonder products and they don't
> want to take any initiative on their own or just don't know about things
> they can do to prevent spam.

Agreed that most folks are relatively clueless, but what's your point there?

In any case, a fine-mesh permissions list approach such as I propose, combined 
with a good content filter (and the latter can be FAR more effective in 
conjunction with the former) is clearly a SUPERIOR way to both combat spam, and 
virtually eliminate E-mail as a transmission vector for viruses and worms.  
While at the same time not imposing ANY significant restrictions on open relays, 
vanity domains, mailing lists, digests, forwarding, and other legitimate and 
well-established traditional features supported by E-mail.

>>>> undoing the DAMAGE that SPF has done

>>> There's no "damage", if you don't like it just don't publish a
>>> sender policy.

>> Again, you're ignoring things like discussion group/mailing lists, message
>> digests, and so forth.  Anybody who makes the mistake of supporting SPF
>> later finds that they can't send mail using their business E-mail address
>> when they are (say) on a cruise ship vacation or at an Internet cafe in
>> some other country.

> SMTP AUTH is a simple and effective way.

ABSOLUTELY NOT!!!!  You are TOTALLY IGNORING the issue of sending mail from 
public access Internet kiosks.  A good example is from cruise ship Internet 
"cafes" where you have **no** choice regarding the SMTP server you MUST use;  
you are NOT (generally) using your own portable computer;  you can NOT change 
(for obvious reasons) the mail server to be used in transmission;  and you 
PROBABLY want to sign your mail using your *own* normal E-mail return address 
(which could well be a personally-owned domain name, but also might be your 
"normal" ISP-provided E-mail address).

But this is a good example of how the SPF-type (and other DNS-based) folks try 
(in vain) to eliminate serious objections and problems with their proposals by 
waving a magic wand with obfuscatory nonsense which in fact changes NOTHING.

We can spend YEARS debating (and then implementing) SPF or some other similar 
DNS-based certification scheme, and when we get done we will have accomplished 
VIRTUALLY NOTHING in the war against spam, and if anything it will be MORE 
disruptive because by then, instead of bounces and such mostly getting T-canned 
as undeliverable, they'll effectively become a DDOS attack on the infected 
victim.  :-((

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections!  http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
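
Added illustration, not part of the original message: a minimal evaluator for the ip4/ip6/all subset of SPF, run over constructed scenarios matching the cases argued in this thread (own server, kiosk with a fixed SMTP server, forwarding, and a compromised PC submitting through the domain's own server). The domains, addresses and policy are placeholder assumptions; a real evaluator (RFC 7208) resolves the policy from DNS and handles more mechanisms.

```python
import ipaddress

# Constructed policy; domain and range are documentation placeholders.
POLICIES = {"example.com": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate the ip4/ip6/all subset of SPF against the connecting IP."""
    domain = mail_from.rpartition("@")[2].lower()
    terms = POLICIES.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # sender domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched

# Constructed scenarios: (description, connecting IP, MAIL FROM).
SCENARIOS = [
    ("owner sends through the domain's own server",
     "192.0.2.25", "alice@example.com"),
    ("owner sends from a kiosk with a fixed SMTP server",
     "203.0.113.7", "alice@example.com"),
    ("forwarder relays the message, MAIL FROM unchanged",
     "198.51.100.80", "alice@example.com"),
    ("infected PC submits through the domain's own server",
     "192.0.2.25", "alice@example.com"),
    ("sender domain publishes no policy",
     "203.0.113.7", "bob@example.net"),
]

def run_scenarios():
    """Return (description, SPF result) for each constructed scenario."""
    return [(desc, check_spf(ip, sender)) for desc, ip, sender in SCENARIOS]

if __name__ == "__main__":
    for desc, result in run_scenarios():
        print(f"{result:8} {desc}")
```

The receiver sees the same connecting IP and MAIL FROM in the first and fourth scenarios, so the SPF result is identical; the second and third are legitimate mail that the `-all` policy rejects.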