Re: SMTP+SPF (was: [9fans] Re: new release?)

[David Presotto <presotto@closedmind.org>]

[-- Attachment #1: Type: text/plain, Size: 1644 bytes --]

But that's exactly what I want of SPF, to tell me what machine its
coming from.  ISP's are already starting to require smtp clients to
authenticate to their mail relays.  If in addition, an smtp receiver
will only accept mail from a domain from a relay allowed to send
to that domain, that means that viruses are pretty much stuck with
sending only through their infected machine's relay.  The ISPs
I've talked to don't like viruses.  They very actively shut down
customers that look like they're sending way too much mail.
All of this would put a considerable damper on viruses since, by
trying to spread, they would become obvious.

There's already talk of doing this detection without SPF, i.e.,
to just filter the ISP clients and shut them off if they try
too many SMTP connections to anywhere in a fixed period.  Then
we'll have viruses trying to probe that limit and stay below it
but the result is a similar damping effect.

While I like your greylist hack, it's easily learnable by spammers
and incredibly easily worked around.  They can just as easily keep
a list of everyone that told them to go away and then come back
at an appropriate time.  It's only 8 bytes for every attempt.
The only reason it works now is that you're only stemming your little
corner of the tide and not bothering the spammers at all.  If
everyone did it, it would become utterly useless.  If you want to
stop spam at the door without filtering on content, then you either
need spammers to be genuinely identifiable or people you want to
send you mail identifiable.  Otherwise you're going to have to
accept the mail and look at it.

[-- Attachment #2: Type: message/rfc822, Size: 2226 bytes --]

From: Geoff Collyer <geoff@collyer.net>
To: 9fans@cse.psu.edu
Subject: Re: SMTP+SPF (was: [9fans] Re: new release?)
Date: Wed, 25 Feb 2004 19:42:12 -0800
Message-ID: <e3ee3ace76b65cc3610de64acc24408a@collyer.net>

I don't see that SPF will help much with hijacked machines.  It can
verify that someone or something is sending mail from the claimed
domain, but if the sending machine is a spam engine taken over by a
virus and is working its way through a list of addresses taken from a
CD-ROM of mail addresses, all SPF will do is assure you that the spam
you're getting really came from the hijacked machine it claims to be
from.

I'm spending my energy on solutions that really attack the problem.