From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Spam Solution

Alavan <alavan@...geatech.com> wrote:

> Please correct me if I'm missing something here:

You're not.

You are right and the SPF/Caller-ID/Domain Keys folks are just daft.

>   Microsoft and POBOX.com support Caller ID and SPF to help thwart phishing 
> and SPAM.
> 
> I can see it helping phishing (kind of) as the phishers won't be able to 
> forge the FROM address.  ...

True, and although phishing may be the most costly effect of forged 
Email addresses (a recent Gartner study put it at a US$2.4 billion loss 
_just to US victims_ in the last 12 months), it is far too recent a 
phenomenon to be the main justification or driver of all this idiocy.

SPF was, I believe, originally conceived by some folk who were upset 
about being "joe-jobbed".

Worse -- as sender faking is clearly (at least now) _NOT_ a necessary 
or even vaguely important part of the spamming process (with the 
possible exception of outright fraudulent spam like phishing) -- SPF 
would only ever have partly achieved the solution its proponents have 
always claimed for it.  Under SPF, spammers using a relay or proxy or 
spam bot "inside" a given ISP's network will still be able to forge 
their Email as being from any address at any domain(s) for which that 
ISP's mail servers are "registered" as providing service.  All the 
spammers have to do is change a few lines of code in spamming routines 
and, particularly for the increasing use of spam bots, add a few lines 
that pull local Email client config data from the registry and use 
those settings for their own spamming.

Precisely the same trivial tweaks will need to be made to the "next 
generation" of mass mailers so they no longer forge from addresses, or 
at least, no longer forge "inappropriate" from addresses.

SPF, etc will make no difference to the spread of self-mailing viruses 
nor to the "popularity" or volume of spam.  The reason is obvious - it 
does not "authenticate" the user nor the process sending the Email, 
merely some superficial machine to machine connection details that are 
fundamentally _irrelevant_ to the process of spamming, self-mailing 
virus propagation and so on.

> ...  But, that won't stop naive users from entering 
> their personal information onto the fake site even with some rogue FROM 
> address. Also, the phishers can just claim to be from a hired consulting 
> agency and send the SPAM from a hijacked PC on a domain that sounds 
> somewhat technical (or something like that).

Yep -- there are far too many other things that will more or less work 
here.  It seems that the proponents of these schemes have lost site of 
the social aspects of the problems they claim their proposals will 
"fix".  When a worthwhile payoff is achievable from a 0.001% _or even 
lower_ hit rate, a technological solution has to be bomb-proof to even 
begin to hope that it can work.

As SPF/Caller-ID/Domain Keys and the like are leakier than Dear Liza's 
bucket they are doomed to abject failure.

> Also, if spammers can't forge, so what? They'll just grab the domain name 
> from the PC they've hijacked and send away or go back to using the e-mail 
> client on the machine. Once the spammers change their methodology (which 
> they do all the time to counter anti-spam efforts), these measures will 
> have little to no effect.

Correct.

You sir, clearly have more intellect than the whole SPF cartel rolled 
together (why do images of dung-beetles flash before my eyes?).

> Plus, many people use a FROM address from one of their other POP accounts 
> on other domains. For instance, let's say I'm sending an e-mail from home 
> just before I leave to a business contact and I want them to see my 
> corporate e-mail address instead. In order to accomplish this after Caller 
> ID and SPF, all admins will have to get their users to switch to POP before 
> SMTP to their corporate mail servers to avoid these returned e-mails (when 
> the FROM address is intentionally forged).

Many people do, like me (in fact, my current headers must be really 
screwy because I've half-transitioned from one local ISP and one access 
method to another, and still insist on using the Email address for my 
UK provider who I cannot use for access and who, last I checked, did 
not support SMTP AUTH or TLS).

And many folk who travel _have to_ forge Email (and often do not even 
know they are doing so!).  Most of those hi-speed access methods in US 
(and increasingly European, Asian and Pacific) hotels and WiFi access 
points and all sorts intercept port 25 and silently redirect through 
their own (service providers') mail servers because world plus dog has 
disabled anonymous relaying as an anti-spam measure...  I know, SMTP 
AUTH and/or TLS is supposed to be the solution to that, but as it is 
not part of the original spec, it is not as widely implemented as it 
should be (and many large service providers simply balk at the idea of 
making it available because of the CPU overhead, etc).

_AND_ then there are all those "vanity" and "for life" Email addresses 
and all manner of forwarding arrangements that depend on "forging".

Why should bob <at> ieee.org (sorry Bob -- hope you don't mind me 
picking you out, if you exist), who may have been using that address 
for all his (non-work) Email for a decade or three be deprived of that 
functionality?

And all kinds of _really_ ugly problems are raised for mailing lists 
(which get even worse if you add something like Billy Boy's favourite, 
the so-called "Penny Black" scheme, to the mix.  Of course, I'm sure 
the fact that he could smell some kind of never-ending income stream by 
way of commission or other service charges from having MS/MSN/Hotmail 
provide some significant part of the universal micro-payment scheme 
such would require has nothing to do with Bill's interest in this...)

Sure, from the advantage of today's world view, the provision of 
address forging (well, more correctly, the non-provision of strong 
authentication and non-repudiation) in SMTP at the outset was a 
horrendous mistake -- one we certainly wouldn't make today if we were 
to completely re-design Email from the ground up, right?.  Of course, 
it's easy for smart-a*se kids, who have no grip on what "Email without 
DNS" was like, to make such assessments, just as they entirely fail to 
comprehend the utter ugliness of a massively non-homogeneous "inter-
network" with lots of competing and different messaging services all 
trying to relay and translate messages between each other.  (For the 
record, in case anyone thinks I'm a real old-timer, I'm just old enough 
to have seen the bitter end of support for bang-paths and having to 
know which relays to point your servers at if they got messages 
addressed to Bitnet-hosted and C$ addresses.)

>  From what I've seen, most of the SPAM comes from hijacked machines - even 
> the SPAM from other countries. So, port 25 blocking is good, but not the 
> be-all end-all as some "users" will want to host their own mail.

Indeed.

And, if SPF and the like become at all "successful", in the sense that 
they are actually used coercively to "reduce spam and viruses", the 
spammers and virus writers will update their "m@d 5kI11z" to beat the 
trivial restrictions SPF, etc put in their way, and will do so _MUCH_ 
faster than the broader IT community can "fix" the vast array of 
existing "SMTP but non-SPF compliant" infrastructure.  Thus, if SPF, 
etc ever bites we will see viruses and spam continue apace (there will 
be a momentary drop in activity of a few days to weeks while the "old" 
viruses, spam bots, relays and proxies "die off" and are replaced/ 
updated) while large chunks of the net wallows to catch up and 
implement the function, but not spam and virus, limiting requirements 
of SPF, etc.

Sounds like a really, really great deal to me.

NOT!

> It seems to me that if we make all MTA's register somehow (both SMTP and 
> POST), this would eliminate the hijacked machine as spambot phenomenon. We 
> already have MX records for SMTP, but a lot of providers use different 
> machines to receive (via SMTP) and send mail (POST). So, maybe a new DNS 
> record is introduced for POST. Your machine(s) could do both or not. When 
> your server goes to accept a message, it looks to see if the IP of the 
> sending machine is listed in this new DNS record. If not, return a 5XX error.
> 
> Didn't I read something somewhere about the possibility of this?

Haven't you more or less just described SPF?

And there I was thinking you understood what you were talking about...

Oh well, hopefully the above helps you understand better.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists