Subject: Re: INEXPENSIVE way to get reverse DNS records
To: NetBSD Users's Discussion List <netbsd-users@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 11/14/2006 17:56:01

At Tue, 14 Nov 2006 07:58:57 -0500,
Steven M. Bellovin wrote:
> 
> The most important reason not to use SPF or DKIM, though, is that as
> anti-spam mechanisms they simply don't work.  Spammers create many new
> domains, use them for a day or so, then abandon them.  In fact, they
> populate their zones with SPF records.  What, precisely, are they good
> for?  Let me put it another way -- how much of the spam you receive would
> have been blocked because it impersonated some zone you know, rather than
> coming from some domain you've never heard of?

None of these schemes really work sufficiently unless the vast majority
of receiving sites implement the checks necessary to validate their own
incoming mail (and of course also participate by providing the necessary
for others to validate their own outbound mail).  Maybe a few giants in
the industry could provide encouragement by requiring all their peers (in
_both_ directions) to use one of these schemes, but so far that seems
like it'll just generate more backpressure against these schemes.


> Yes, it prevents joe jobs.

Actually none of those schemes can do that, not with the current state
of the vast majority of mail servers running on the internet -- and not
against the more common variety of backscatter attacks which are perhaps
the most damaging and difficult to deal with.  The best you can hope for
at stopping them is that you can throw bandwidth and enough MX servers
at the problem to soak it all up, and also of course hope that the
addresses being blasted are either non-existent or can be disabled for
the duration.

The last two times sites I work with were hit by major backscatter
attacks we were extremely lucky that no important mailboxes were
targeted.  These simple backscatter attacks can go on for months.

There are millions of domains that will probably never use any of these
schemes and which will also continue to send bounces to forged sender
addresses.  At least not in time to fix any of this problem.  If we
cannot even get these sites to validate recipients before accepting spam
then we'll never get them to implement anything more complex.

Blocking the relatively small amount of backscatter created by anti-spam
and anti-virus software is far easier done than it is to get those that
generate it to implement anything like SPF or DKIM at their end.  In
fact it is usually easier to convince them to simply stop sending back
notices about /dev/null'ed or quarantined mail.



>  *Maybe* it's useful against
> phishing, though I have serious doubts for reasons I won't go into here.

We probably need end-to-end signatures _and_ encryption to really put
any kind of a dent into phishing.



-- 
						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>       Secrets of the Weird <woods@weird.com>
