Re: Why no revision to SMTP to include authenticat in http://www.dslreports.com/forum/r10544984 en Sun, 29 Nov 2009 00:51:12 EDT Sun, 29 Nov 2009 00:51:12 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10566472 fantomposter :
said by TamaraB See Profile:

He can't! He is not listed as authoritave for comcast IP's, he can use a redirect mechinism, but that does the oposite of what he wants.


I have not seen a spec on SPF that says you check IP addresses. It only checks the SPF records for the domain name in the from field.

quote:

My smtp server gets a connect from that trojened comcast machine, my server checks with COMCAST DNS for spf, not his DNS...


You got that backwards. That is not what SPF does. If I have that wrong point me to a website that explains it is otherwise.

All SPF does is check the authoritative DNS for the DOMAIN name in the from field. It checks the DNS records for that domain name and makes sure there is an SPF record that shows the sending computers IP address. If spammer controls his own domain name then he can put any IP address he wants in the SPF record.

Check here: »spf.pobox.com/faq.html

And scroll down to the part where the headline is:

"It doesn't really prevent spam. Spammers can always get throwaway domains, etc."

Don't get me wrong, SPF is needed, to fix the virus bounces and the forged from address's in spam, it does a great job of that, but not much more.]]> http://www.dslreports.com/forum/remark,10566472 Mon, 21 Jun 2004 08:27:32 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10565823 TamaraB :
said by fantomposter See Profile:

Spammer controls his domain. He can set up DNS and SPF any way he wants to point to any machine he wants.


Any machine with an A record within his domain.

said by fantomposter See Profile:
So he lists the comcast trojaned machine as his domains mail server. And SPF fails.


He can't! He is not listed as authoritave for comcast IP's, he can use a redirect mechinism, but that does the oposite of what he wants.

My smtp server gets a connect from that trojened comcast machine, my server checks with COMCAST DNS for spf, not his DNS...

Think of SPF as an extension of MX. Only a list of a domains allowed "sending" servers instead of receiving servers (MX).

Spammer is toast!
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler Cape Elizebeth ME. »www.tamara-b.org
]]> http://www.dslreports.com/forum/remark,10565823 Mon, 21 Jun 2004 03:27:29 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10564110 fantomposter :
said by TamaraB See Profile:


Nope! SPF forces all mail from a domain to come ONLY from the allowed (SPF'd) domain's mail servers, which are advertised only by that domain's listed DNS servers. Spammer Fails!



Hopefully you are still here, I did not check this thread recently. been a busy weekend.

Spammer controls his domain. He can set up DNS and SPF any way he wants to point to any machine he wants.

So he lists the comcast trojaned machine as his domains mail server. And SPF fails.]]> http://www.dslreports.com/forum/remark,10564110 Sun, 20 Jun 2004 22:28:27 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10546781 nixen :
said by jjoshua See Profile:
This would mostly be an inconvenience for people who don't send SPAM. A lot of people use 3rd party email services because we don't want to use the one provided by our ISP for various reasons.

This is a TIRED argument. Third-party relay providers can simply set up TLS-protected, authenticated SMTP relay service on an alternate port.

-tom
--
"There are 10 types of people in the world... those who understand binary and those who don't."
"That's only 2 types of people, moron"]]> http://www.dslreports.com/forum/remark,10546781 Fri, 18 Jun 2004 16:22:17 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10546319 TamaraB :
said by fantomposter See Profile:

Spammer sets up his throw away domain. Puts up DNS for it at a place where it can be changed easily and quickly.

He finds a trojaned Comcast machine to use. He changes his DNS file to show the proper SPF record for that Comcast machines IP addy.


No-Good! the SPF must reside on his domain, and point to a mail server on his domain... No receiving SPF/SMTP server will ever query his spf record for mail originating from a comcast addy, it will query comcast's spf records, and reject the mail. Spammer Fails!

said by fantomposter See Profile:
Then he fires his spamm off from that machine and SPF stops nothing because he controls the domain and the SPF records.


Spammer can't control comcast's SPF records, in the same way he can't control their PTR records! Spammer FAILS!

said by fantomposter See Profile:
Rinse-Lather-Repeat. SPF only stops someone from using my or your address as a forged from, and it stops the virus that use forged froms.


Nope! SPF forces all mail from a domain to come ONLY from the allowed (SPF'd) domain's mail servers, which are advertised only by that domain's listed DNS servers. Spammer Fails!

said by fantomposter See Profile:
It will not stop spam nor will it slow it down much.


If implemented net-wide it will kill almost ALL spam. That which is left, will only come from spammer-owned/SPF'd domains. These domains will be easy to identify and block on site; black-lists will only have to deal with direct spammer domains. Spammer is toast!

Bob
--
Motor Vessel - Tamara B. - 43' Long-Range Trawler Cape Elizebeth ME. »www.tamara-b.org
]]> http://www.dslreports.com/forum/remark,10546319 Fri, 18 Jun 2004 15:28:53 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10544984 fantomposter :
Spammer sets up his throw away domain. Puts up DNS for it at a place where it can be changed easily and quickly.

He finds a trojaned Comcast machine to use. He changes his DNS file to show the proper SPF record for that Comcast machines IP addy.

Then he fires his spamm off from that machine and SPF stops nothing because he controls the domain and the SPF records.

Rinse-Lather-Repeat. SPF only stops someone from using my or your address as a forged from, and it stops the virus that use forged froms.

It will not stop spam nor will it slow it down much.]]> http://www.dslreports.com/forum/remark,10544984 Fri, 18 Jun 2004 12:59:06 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10544786 anon : tough - i'm sick of spam, and i'm even more sick about spam from bogus email addresses. true, some jerks have ruined it for the rest of us, but we all learned to deal with things like that when we were 6 years old..]]> http://www.dslreports.com/forum/remark,10544786 Fri, 18 Jun 2004 12:32:44 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10543794 jjoshua : This would mostly be an inconvenience for people who don't send SPAM. A lot of people use 3rd party email services because we don't want to use the one provided by our ISP for various reasons.]]> http://www.dslreports.com/forum/remark,10543794 Fri, 18 Jun 2004 10:23:23 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10543742 ParanoiaInc : I would think that by only allowing subscribers to send out email through the ISP's authenticating-email servers (block port 25), and disallowing subscriber-centered email servers, this could help address the problem.]]> http://www.dslreports.com/forum/remark,10543742 Fri, 18 Jun 2004 10:15:27 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10543596 Megladon13 : ...and right now thats about 99% of the spam we are all getting.]]> http://www.dslreports.com/forum/remark,10543596 Fri, 18 Jun 2004 09:57:16 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10543512 fantomposter :
said by keyboard5684 See Profile:
The problem is not authenticating clients that use SMTP, the problem is authenticating email servers.


Exactly. And SPF does not stop spam, it stops forged from addresses. Nothing more.]]> http://www.dslreports.com/forum/remark,10543512 Fri, 18 Jun 2004 09:44:04 EDT Re: Why no revision to SMTP to include authenticat http://www.dslreports.com/forum/remark,10543490 keyboard5684 : The problem is not authenticating clients that use SMTP, the problem is authenticating email servers. For example, a client sending mail can authenticate with there ISP's mail server to send mail but how do we authenticate that ISP's mail server when it send to the remote domain.

We could not possibly make up logins for every single mail server in the world so they all could communicate.

SPF addresses this in a good way. This way the domain provider themselves says what specific mail servers are allowed to send email with that from address. ]]> http://www.dslreports.com/forum/remark,10543490 Fri, 18 Jun 2004 09:41:21 EDT Why no revision to SMTP to include authentication? http://www.dslreports.com/forum/remark,10543464 ParanoiaInc : I've wondered about this for years, but why do we see a need to authenticate only on the POP-side and not on the SMTP-side? Also, why are there no new email protocols using a new POP/SMTP that affords not just authentication but security features as well.

I would think a company in a business for email servers could go long ways (with free clients) in this area.]]> http://www.dslreports.com/forum/remark,10543464 Fri, 18 Jun 2004 09:36:04 EDT