From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <3db1e6810c8017b124583f99daa3fc51@plan9.bell-labs.com>
From: David Presotto
To: 9fans@cse.psu.edu
Subject: Re: SMTP+SPF (was: [9fans] Re: new release?)
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="upas-wuthtkddwczegmkwfqktyzlkrl"
Date: Wed, 25 Feb 2004 23:36:16 -0500
Topicbox-Message-UUID: f79d77fa-eacc-11e9-9e20-41e7f4b1d025

This is a multi-part message in MIME format.
--upas-wuthtkddwczegmkwfqktyzlkrl
Content-Disposition: inline
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

But that's exactly what I want of SPF, to tell me what machine it's coming from. ISPs are already starting to require smtp clients to authenticate to their mail relays. If in addition, an smtp receiver will only accept mail from a domain from a relay allowed to send to that domain, that means that viruses are pretty much stuck with sending only through their infected machine's relay.

The ISPs I've talked to don't like viruses. They very actively shut down customers that look like they're sending way too much mail. All of this would put a considerable damper on viruses since, by trying to spread, they would become obvious. There's already talk of doing this detection without SPF, i.e., to just filter the ISP clients and shut them off if they try too many SMTP connections to anywhere in a fixed period. Then we'll have viruses trying to probe that limit and stay below it but the result is a similar damping effect.

While I like your greylist hack, it's easily learnable by spammers and incredibly easily worked around. They can just as easily keep a list of everyone that told them to go away and then come back at an appropriate time. It's only 8 bytes for every attempt. The only reason it works now is that you're only stemming your little corner of the tide and not bothering the spammers at all. If everyone did it, it would become utterly useless.

If you want to stop spam at the door without filtering on content, then you either need spammers to be genuinely identifiable or people you want to send you mail identifiable. Otherwise you're going to have to accept the mail and look at it.
--upas-wuthtkddwczegmkwfqktyzlkrl
Content-Type: message/rfc822
Content-Disposition: inline

Received: from plan9.cs.bell-labs.com ([135.104.9.2]) by plan9; Wed Feb 25 22:43:26 EST 2004
Received: from mail.cse.psu.edu ([130.203.4.6]) by plan9; Wed Feb 25 22:43:24 EST 2004
Received: by mail.cse.psu.edu (CSE Mail Server, from userid 60001) id 92F7A19B13; Wed, 25 Feb 2004 22:43:21 -0500 (EST)
Received: from psuvax1.cse.psu.edu (psuvax1.cse.psu.edu [130.203.4.6]) by mail.cse.psu.edu (CSE Mail Server) with ESMTP id A01FD19B21; Wed, 25 Feb 2004 22:43:17 -0500 (EST)
X-Original-To: 9fans@cse.psu.edu
Delivered-To: 9fans@cse.psu.edu
Received: by mail.cse.psu.edu (CSE Mail Server, from userid 60001) id 7906419AF0; Wed, 25 Feb 2004 22:42:15 -0500 (EST)
Received: from collyer.net (dnspac16.collyer.net [63.192.14.226]) by mail.cse.psu.edu (CSE Mail Server) with ESMTP id D4DF319ADA for <9fans@cse.psu.edu>; Wed, 25 Feb 2004 22:42:13 -0500 (EST)
Message-ID:
To: 9fans@cse.psu.edu
Subject: Re: SMTP+SPF (was: [9fans] Re: new release?)
From: Geoff Collyer
In-Reply-To: <6616fcacdcb85189b46c900dfdd6d81e@plan9.bell-labs.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: 9fans-admin@cse.psu.edu
Errors-To: 9fans-admin@cse.psu.edu
X-BeenThere: 9fans@cse.psu.edu
X-Mailman-Version: 2.0.11
Precedence: bulk
Reply-To: 9fans@cse.psu.edu
List-Id: Fans of the OS Plan 9 from Bell Labs <9fans.cse.psu.edu>
List-Archive:
Date: Wed, 25 Feb 2004 19:42:12 -0800
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on psuvax1.cse.psu.edu
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.63
X-Spam-Level:

I don't see that SPF will help much with hijacked machines.
It can verify that someone or something is sending mail from the claimed domain, but if the sending machine is a spam engine taken over by a virus and is working its way through a list of addresses taken from a CD-ROM of mail addresses, all SPF will do is assure you that the spam you're getting really came from the hijacked machine it claims to be from.

I'm spending my energy on solutions that really attack the problem.
--upas-wuthtkddwczegmkwfqktyzlkrl--