SPF for forgery prevention (was Re: [linux-elitists] http get vs post...)

Karsten M. Self kmself@ix.netcom.com
Sat Oct 25 21:39:28 PDT 2003


on Sat, Oct 25, 2003 at 04:15:15AM +0100, Karsten M. Self (kmself@ix.netcom.com) wrote:
> on Fri, Oct 24, 2003 at 04:53:27PM -0400, Gerald Oskoboiny (gerald@impressive.net) wrote:

> > SPF in particular seems to be coming along nicely, and has a growing
> > user/developer community.
> > 
> >     http://spf.pobox.com/

Further follow-up:

In "How SMTP+SPF Helps", we have:

    http://spf.pobox.com/howithelps.html

    SPF will tell you one of four things:

    1. The sender is good, the sender has previously announced that they
       do send mail from that IP address.
    2. The sender is bad, the purported sender has published a list of IP
       addresses they send mail from, and the client IP isn't one of them.
    3. The sender may be good or bad: the sender domain is in a
       transitional phase; it is methodically converting its users to be SPF
       compliant, so we should go easy on any violations for the present.
    4. SPF doesn't know: the sender has not published any IP addresses,
       so the message could be legit, or it could not. 

    SMTP without SPF cannot do that.

While the statement may be strictly true, there are some reasons why
this is irrelevant to a sufficiently intelligent reputation-based MTA.

Suppose that domain example.com is represented in a large number of
received emails, many of which are spoofed spam.  For a classifier, this
would be associated with a relatively high spam predictive score.

Suppose that there are specific originating IPs which tend _not_ to
originate spam, though the mail is from 'example.com'.  For a contextual
filter which looks at both putative sender ('From: ') *and* the
originating IP ('Received: from'), 'example.com' + 'good IP' will have a
low (probably negative) spam score.  _Other_ combinations of example.com
+ 'arbitrary IP' will have high scores.  This information will be based
on the experience and assessment of the local site itself, and isn't
sensitive to the ability of example.com to keep its DNS SPF records up
to date.

Similarly:  if 'example.org' is seldom spoofed,  the raw domain name
itself has a low spam score, and the contextual filter doesn't adjust
this much based on the originating IP (since both are strongly
correlated, there's little difference between the single and
context-based scores).

...all of which effectively accomplishes what SPF sets out to do, though
you do have to gain some knowlwedge of the sending host first.  Likely
this will ramp up quickly for known, trusted hosts.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    "Yes," said Marvin. "Why stop now just when I'm hating it?"
    -- HHGTG
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20031026/5f3859dc/attachment.pgp 


More information about the linux-elitists mailing list