[BBLISA] Someone is out to get me - spam pretending to be from me

Dean Anderson dean at av8.com
Fri Jan 14 22:46:08 EST 2005


On Fri, 14 Jan 2005, Bob Keyes wrote:

> I'd suggest setting up SPF and/or DomainKeys. This will prevent people
> from forging mail from your domains, if the receiving server is also
> running these. If the receiver is not, well, then you can point out that
> it's their fault.

Actually, SPF will not prevent forgery, and will make the abuse problem
much worse.  

        1) Abuser can forge addresses at domain simply by spoofing DNS.
        2) Abuser can use a stolen credential
        3) DNS cache problems (more records per domain, same cache size)
        4) DNS load (more records per domain)
        5) Ongoing Maintenance issues
        6) Migration issues
        7) IP Renumbering issues
        8) Lost non-spam emails
        9) Lack of universal compliance.*
        10) SPF identifies outbound relays to viruses
        11) SPF turns all closed relays into open relays, and eliminates
            the need for scanning for open relays.
        12) SPF makes it possible to achieve 100% blowback (much worse)
        13) SPF enables companies like AOL to prevent email outsourcing,
            and force bundling of email and access or extort unbundling (SPF) fees.
        14) SPF enables companies like AOL (after you pay them to allow
            outsourcing), to interfere with your service level by
            "unreliable intermittently failing" DNS responses. This will be hard to track down.
        15) Attacker can create DOS attack by spoofing DNS.

The overwhelming early adopters of SPF are spammers.

Unless everyone uses SPF, you cannot reject based on SPF. SPF rejection 
creates blowback abuse problems.

If you lower your spam checks because of SPF, you will attract spam (and
spammers) to your internet service. This is why spammers are so excited 
about SPF.

BTW, DNS spoofing requires about 32000 packets, and is quite a bit easier
than, say, WEP decryption. 

And if you think that DNSSEC is going to come to the rescue, you will be 
pleased to know that Paul Vixie encouraged the root server operators to 
deploy anycast on the root servers with little discussion.  Recently, it 
was also learned that root DNS anycast is fairly widespread.  Anycast 
works fine for UDP, but prevents TCP, and of course impacts DNSSEC.


> BTW, I am shortly going to be setting up a company producing spam-fighting
> tools. Anyone who is interested, please contact me off-list.

SPF is patented by M$.  

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
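Added example (editor's code, not Dean's or anything posted to this list): a minimal SPF (RFC 7208) evaluator run against DNS records constructed inline, so it runs offline with no real DNS. It shows how a receiver turns a sender IP plus the published record into pass/fail/softfail/neutral, how the per-check lookup limit turns a self-including record into a permerror, and how the very same public record hands anyone who reads it the domain's outbound relay networks (the point made in item 10 above). All domain names, addresses and records in `FAKE_DNS` are made up for the example.

```python
"""Minimal SPF check_host() over a constructed DNS table (added example)."""
import ipaddress

# Constructed stand-in for DNS. "txt" is the SPF record, "a" and "mx" are
# address and mail-exchanger answers. None of these names are real.
FAKE_DNS = {
    "example.com": {
        "txt": "v=spf1 ip4:192.0.2.0/28 mx a:mail.example.com "
               "include:_spf.example.net -all",
        "mx": ["mx1.example.com"],
    },
    "mx1.example.com": {"a": ["192.0.2.25"]},
    "mail.example.com": {"a": ["198.51.100.7"]},
    "_spf.example.net": {"txt": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "softfail.example": {"txt": "v=spf1 ip4:192.0.2.1 ~all"},
    "loop.example": {"txt": "v=spf1 include:loop.example -all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 sec. 4.6.4: DNS-querying terms allowed per check


class SPFError(Exception):
    """Raised for permerror conditions (bad record, lookup limit exceeded)."""


def lookup(name, rrtype):
    """Answer from the constructed table; a real receiver would query DNS here."""
    return FAKE_DNS.get(name, {}).get(rrtype)


def spend(budget):
    """Charge one DNS-querying term (a, mx, include) against the per-check budget."""
    budget[0] -= 1
    if budget[0] < 0:
        raise SPFError("permerror: more than %d DNS lookups" % MAX_DNS_LOOKUPS)


def parse_term(term):
    """Split 'qualifier mechanism[:argument]'; the default qualifier is '+'."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    mech, _, arg = term.partition(":")
    return qual, mech.lower(), arg


def host_addresses(mech, target):
    """Addresses matched by an 'a' or 'mx' mechanism for `target`."""
    hosts = lookup(target, "mx") if mech == "mx" else [target]
    return {ipaddress.ip_address(a) for h in hosts or [] for a in lookup(h, "a") or []}


def check_host(ip, domain, budget=None):
    """RFC 7208 check_host(): result for sender `ip` claiming to send as `domain`."""
    budget = [MAX_DNS_LOOKUPS] if budget is None else budget
    record = lookup(domain, "txt")
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual, mech, arg = parse_term(term)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A mismatched address family never matches, so ip6 vs ip4 is safe.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            spend(budget)
            matched = ip in host_addresses(mech, arg or domain)
        elif mech == "include":
            spend(budget)                    # the budget is shared with the include
            sub = check_host(ip, arg, budget)
            if sub == "none":
                raise SPFError("permerror: include:%s has no SPF record" % arg)
            matched = sub == "pass"          # only the included record's pass matches
        else:
            raise SPFError("permerror: unknown mechanism " + mech)
        if matched:
            return QUALIFIERS[qual]          # first matching term decides
    return "neutral"                         # no "all" term: default result


def evaluate(ip, domain):
    """check_host() with permerror reported as a result string, not an exception."""
    try:
        return check_host(ip, domain)
    except SPFError:
        return "permerror"


def published_relays(domain, budget=None):
    """Every network the record (and its includes) authorizes to send as `domain`.
    The record is public, so a worm or spammer can read the same list."""
    budget = [MAX_DNS_LOOKUPS] if budget is None else budget
    nets = set()
    for term in (lookup(domain, "txt") or "").split()[1:]:
        qual, mech, arg = parse_term(term)
        if qual != "+":
            continue                         # -, ~ and ? terms authorize nothing
        if mech in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(arg, strict=False))
        elif mech in ("a", "mx"):
            spend(budget)
            nets.update(ipaddress.ip_network(str(a)) for a in host_addresses(mech, arg or domain))
        elif mech == "include":
            spend(budget)
            nets |= published_relays(arg, budget)
    return nets


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.com"), ("192.0.2.99", "example.com"),
                    ("203.0.113.9", "example.com"), ("10.0.0.1", "loop.example")]:
        print(ip, dom, evaluate(ip, dom))
    print("example.com relays:", sorted(str(n) for n in published_relays("example.com")))
```

Two things worth noticing when running it: `192.0.2.99` gets `softfail` from `_spf.example.net` on its own but `fail` through `example.com`, because an `include` only matches on the included record's `pass` and the outer `-all` then decides; and `published_relays("example.com")` returns the four networks the record advertises, which is the relay-disclosure issue a real deployment has to accept.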