New Spam Killing Technique

newer
Re: [nznog] New Spam Killing...

older
Heads up - Webcasting Activity...

Jamie Baddeley

23 Jan 2004 23 Jan '04

3 p.m.

http://www.nwfusion.com/news/2004/0122aoltest.html?net http://spf.pobox.com/ worth looking at.... jamie

Show replies by date

I don't see how this would work. Lets say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct poviders smtp server. One alternative would be to allow pop to smtp auth, but I don't see large providers doing such a thing. Barry ----- Original Message ----- From: "Jamie Baddeley"

...

http://www.nwfusion.com/news/2004/0122aoltest.html?net

http://spf.pobox.com/

worth looking at....

jamie

Jamie Baddeley

3:27 p.m.

I think you might have it around the wrong way. If you were connecting via xtra, and were trying to use telstraclear's smtp server it would fail using this approach, but if memory serves me correctly you can't do this now anyway ( I could be wrong). from the faq: How does it work? Suppose a spammer forges a hotmail.com address and tries to spam you. He connects from an IP address somewhere. When he declares MAIL FROM: , you don't have to believe him. You can ask Hotmail if the IP address comes from their network. (In this example) Hotmail publishes an SPF record. That record tells you how to find out if the client IP address belongs to them. hotmail.com IN TXT "v=spf1 ptr -all" You execute the "ptr" mechanism, which means: find out the hostname of the client; if it ends in hotmail.com, it's legit. If the message fails SPF tests, it's a forgery. That's how you can tell it's probably a spammer. jamie On Sat, 2004-01-24 at 23:11, Barry Murphy wrote:

...

I don't see how this would work.

Lets say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct poviders smtp server. One alternative would be to allow pop to smtp auth, but I don't see large providers doing such a thing.

Barry

----- Original Message ----- From: "Jamie Baddeley"

...
http://www.nwfusion.com/news/2004/0122aoltest.html?net

http://spf.pobox.com/

worth looking at....

jamie

James Spooner

3:35 p.m.

Jamie Baddeley wrote:

...

I think you might have it around the wrong way. If you were connecting via xtra, and were trying to use telstraclear's smtp server it would fail using this approach, but if memory serves me correctly you can't do this now anyway ( I could be wrong).

See Below.. Both of the following SMTP servers would allow me to fake an email address because I am in their ADSL pool. If I was connected via Xtra I can use Xtra SMTP server to send from any address, which is fine. Under SPF, these would have failed because neither xtra nor paradise are listed as valid SPF SMTP servers for bar.com. It occurs to me that SPF could/may fail open, that is, if the domain does not have an authoritive SPF list, then the mail is accepted. If however, it does, then it may choose to use SMTP after POP to let arbiturary IP's forward mail through it's legitment servers. Also rememeber that most of the 'big' email providers are web based, which means that this should work well for a good deal of forged addresses. Regards James --- Paradise: Trying 203.96.152.32... Connected to smtp.paradise.net.nz. Escape character is '^]'. 220 smtp-1.paradise.net.nz ESMTP Postfix MAIL From: foo(a)bar.com 250 Ok RCPT To: jbs3(a)cs.waikato.ac.nz 250 Ok DATA 354 End data with <CR><LF>.<CR><LF> . 250 Ok: queued as DFF248281B Xtra: Trying 203.96.92.131... Connected to smtp.xtra.co.nz. Escape character is '^]'. 220 mta2-rme.xtra.co.nz ESMTP server ready Sat, 24 Jan 2004 23:27:57 +1300 MAIL From: foo(a)bar.com 250 Sender Ok RCPT TO: jbs3(a)cs.waikato.ac.nz 250 Recipient Ok data 354 Ok Send data ending with <CRLF>.<CRLF> . 250 Message received: 20040124102820.NHJT20103.mta2-rme.xtra.co.nz@[<snip>]

Jamie Baddeley

24 Jan 24 Jan

1:25 a.m.

On Sat, 2004-01-24 at 23:35, James Spooner wrote:

...

It occurs to me that SPF could/may fail open, that is, if the domain does not have an authoritive SPF list, then the mail is accepted.

Yep, and that's what I would expect. Otherwise you couldn't implement SPF incrementally.

...

If however, it does, then it may choose to use SMTP after POP to let arbiturary IP's forward mail through it's legitment servers. Also rememeber that most of the 'big' email providers are web based, which means that this should work well for a good deal of forged addresses. ahh, but I believe that the 'big' spammers don't use http as an interface for a spam run.

Regards

James

---

Paradise:

Trying 203.96.152.32... Connected to smtp.paradise.net.nz. Escape character is '^]'. 220 smtp-1.paradise.net.nz ESMTP Postfix MAIL From: foo(a)bar.com 250 Ok RCPT To: jbs3(a)cs.waikato.ac.nz 250 Ok DATA 354 End data with <CR><LF>.<CR><LF> . 250 Ok: queued as DFF248281B

Xtra:

Trying 203.96.92.131... Connected to smtp.xtra.co.nz. Escape character is '^]'. 220 mta2-rme.xtra.co.nz ESMTP server ready Sat, 24 Jan 2004 23:27:57 +1300 MAIL From: foo(a)bar.com 250 Sender Ok RCPT TO: jbs3(a)cs.waikato.ac.nz 250 Recipient Ok data 354 Ok Send data ending with <CRLF>.<CRLF> . 250 Message received: 20040124102820.NHJT20103.mta2-rme.xtra.co.nz@[<snip>]

James Spooner

3:33 a.m.

Jamie Baddeley wrote:

...

...
If however, it does, then it may choose to use SMTP after POP to let arbiturary IP's forward mail through it's legitment servers. Also rememeber that most of the 'big' email providers are web based, which means that this should work well for a good deal of forged addresses. ahh, but I believe that the 'big' spammers don't use http as an interface for a spam run.

My Point here was that spammers will no longer be able to send from a hotmail/yahoo/aol/etc address using an arbitrary open SMTP relay, which means they will have a harder time maintaining anonymity. James

Simon Byrnand

23 Jan 23 Jan

3:33 p.m.

...

I don't see how this would work.

Lets say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct poviders smtp server.

Which is one of the major sticking points of SPF. There are legitimate uses of "forging" domains like this...

...

One alternative would be to allow pop to smtp auth, but I don't see large providers doing such a thing.

Well not sure if you mean POP before SMTP or SMTP AUTH, as they're two different things....POP before STMP is hack, and should go away and die, but SMTP AUTH is a sensible way to do it, is supported by nearly all modern email clients, (at the very least, Outlook Express, Eudora, and Netscape support it) and in fact is supported by a lot of ISP's already. How to tell if your ISP supports it ? Easy, telnet to port 25 of your ISP's nominated smtp server, and type: EHLO test if one of the lines includes: 250-AUTH PLAIN LOGIN Then they support SMTP auth. Note there are two different mechanisms for SMTP auth (actually there are some others as well) PLAIN and LOGIN, and your ISP doesn't necessarily support both.

...

From memory Netscape and Eudora use "LOGIN" and Outlook Express uses "PLAIN", but don't quote me there...

SPF would be reasonably workable provided that the ISP thats added SPF entries for their own domains provided SMTP auth access for their customers. One major hole of SPF or any similar plan though, is that open relays are still going to work as spam conduits - since SPF is an opt in system, any open relay which didnt have an SPF entry could still relay spam, or if they did have an SPF entry, but were accidentally an open relay, spammers would just have to make sure that they used return addresses which belonged to the domain hosted by the open relay in question. The only way around that would be if your mailsystem added a "penalty" for those domains that don't have an SPF entry (for example adding extra points on spamassassin) but that doesn't seem like a very good idea either... One good side would be that those who did list their domains with an SPF entry would be less likely to be the victim of a "joe job", provided that a large enough proportion of the recipients of such spam were checking SPF... Regards, Simon

Jamie Baddeley

24 Jan 24 Jan

1:27 a.m.

On Sat, 2004-01-24 at 23:33, Simon Byrnand wrote:

...

One major hole of SPF or any similar plan though, is that open relays are still going to work as spam conduits - since SPF is an opt in system, any open relay which didnt have an SPF entry could still relay spam, or if they did have an SPF entry, but were accidentally an open relay, spammers would just have to make sure that they used return addresses which belonged to the domain hosted by the open relay in question.

Very true Simon. But there is no silver bullet for spam. Just lots of bronze ones. Let's fire them instead. jamie

Simon Blake

2:39 a.m.

On Sat, Jan 24, 2004 at 11:33:54PM +1300, Simon Byrnand said:

...

...
I don't see how this would work.

Lets say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct poviders smtp server.

Which is one of the major sticking points of SPF. There are legitimate uses of "forging" domains like this...

At the risk of appearing stoopid, such as? If a domain lists all the IP addresses that mail from that domain could originate from, then presumably they're saying that greeting card sites and the like aren't going to be usable from this domain. Sounds like a good idea to me :-).

...

One good side would be that those who did list their domains with an SPF entry would be less likely to be the victim of a "joe job", provided that a large enough proportion of the recipients of such spam were checking SPF...

And that seems like a useful outcome in itself. It would also be a useful defence against the mindless joejobs that you see from the worm/virus de jour these days. Having watched the classic example yesterday where some random Bagle infected machine sent a mail to a list my SO runs, with From line forged so that it appeared to come from her. It had the right From line, so it got right through the "only allow posting from subscribers" check, and she's been getting harangued by noobs on the list ever since. SPF looks like it could stop that sort of nonsense happening. Cheers Si

Simon Byrnand

8:02 a.m.

...

On Sat, Jan 24, 2004 at 11:33:54PM +1300, Simon Byrnand said:

...
...
I don't see how this would work.

Lets say I connect to xtra as my ISP, however I have a clear.net.nz email address and use xtra's smtp server to send my email. This sort of system would block it as being spam because it wouldn't be going through the correct poviders smtp server.

Which is one of the major sticking points of SPF. There are legitimate uses of "forging" domains like this...

At the risk of appearing stoopid, such as? If a domain lists all the IP addresses that mail from that domain could originate from, then presumably they're saying that greeting card sites and the like aren't going to be usable from this domain. Sounds like a good idea to me :-).

Well, how about all those people, like me, that have active email addresses with more than one ISP, but usually dialup using only one of them. To send email "from" the domain of one you're not currently dialed up to with SPF universally in place, that ISP would have to support SMTP AUTH, otherwise you simply couldn't send using that email address unless you were connected to that ISP at the time. Another example is webhosting/email hosting companies who host email domains but don't provide connections, some of them dont even provide outgoing SMTP servers at all at the moment, but with SPF in place they would have to, and would out of necessity have to provide SMTP AUTH. At the moment some, but hardly all ISP's support SMTP AUTH, so my only hope is that if SPF did get widely accepted, that those ISP's that start using it also allow SMTP AUTH, which would largely negate the downsides it would otherwise introduce. However when you look at ISP's like Xtra who now don't even allow POP3 access outside their own networks let alone SMTP AUTH, for purely commercial reasons, one has to wonder whether all ISP's would play ball in an SPF environment...

...

...
One good side would be that those who did list their domains with an SPF entry would be less likely to be the victim of a "joe job", provided that a large enough proportion of the recipients of such spam were checking SPF...

And that seems like a useful outcome in itself. It would also be a useful defence against the mindless joejobs that you see from the worm/virus de jour these days. Having watched the classic example yesterday where some random Bagle infected machine sent a mail to a list my SO runs, with From line forged so that it appeared to come from her. It had the right From line, so it got right through the "only allow posting from subscribers" check, and she's been getting harangued by noobs on the list ever since. SPF looks like it could stop that sort of nonsense happening.

I agree. The first and most obvious effect of something like SPF would be a reduction (and eventually elimination perhaps) of joe jobs against those domains who decided to participate in SPF. As to whether it would cut back significantly on spam or not, I don't think that it would in the long run, spammers would just adapt, but it certainly may minimize the damage to innocent bystanders... Regards, Simon

Don Stokes

4:43 a.m.

Jamie Baddeley wrote:

...

http://www.nwfusion.com/news/2004/0122aoltest.html?net

http://spf.pobox.com/

worth looking at....

It has a nasty fishhook: Consider: I have a mailbox at "me(a)bigisp". You have a vanity domain "vanity" held at an anotherisp, which forwards all mail to it mail to your mailbox "you(a)smallisp". bigisp and smallisp both support SPF; bigisp publishes SPF records pointing only to their own mail forwarders, and smallisp looks them up. So if I send mail me(a)bigisp -> you(a)vanity, anotherisp forwards the message, with envelope addresses me(a)bigisp -> you(a)smallisp, from anotherisp's forwarder. smallisp sees mail from bigisp, but bigisp's SPF record doesn't include anotherisp's forwarder, so smallisp rejects it. Bad bad bad. http://spf.pobox.com/srs.html describes how anotherisp can avoid the problem, but I have to say it looks seriously ugly. And it requires anotherisp to do do something it wouldn't have otherwise had to do. It's not just vanity domains that are affected. Any kind of forwarding, such as forwarding from corporate mail servers to an external address (e.g. home, or place of secondment) will be affected if the external address's mail servers implement SPF. Also, it won't solve the problem. All a spammer has to do is register a vanity domain for a while, create SPF records for all relays they're using (or not use SPF records at all, or just "borrow" other domains that don't have SPF records; there will be heaps of those for many many years), and then forge the header From: address. Who the heck looks at the envelope addresses anyway? Checking the envelope addresses against the header addresses will get false positives against mailing lists etc, which usually rewrite the envelope from address to point back to the mailing list owner. I can't say I like the idea of overloading the SPF functionality on TXT records either. Some kind of "mail source" record type in the DNS would be a better solution, IMAO. But it would need to deal with the third party forwarder problem somehow. It's messy, ugly and ultimately pointless, I'm afraid. -- don

7638

Age (days ago)

7639

Last active (days ago)

List overview

Download

10 comments

6 participants

participants (6)

Barry Murphy
Don Stokes
James Spooner
Jamie Baddeley
Simon Blake
Simon Byrnand