Two comments. First, to simon, rejecting messages before receipt is definitely not the best answer. It might be best for sysadmins, but it's not the best for users. The reason is that when rejecting a message before actual receipt, you have a very limited amount of information upon which you can decide whether it is spam or not.
Therefore I find the use of SPF or any similar technique abusive and extremely harmful. Besides, it breaks the basics of mail systems: it disables pre-delivery forwarding and disables the use of aliases in other domains, e.g. single-use mail addresses offered by certain services. It's harmful, and from my experience completely useless, as it's being adopted by spammers more and more often (domains with no SPF records are being used by spammers, as well as special domains registered by spammers with non-restrictive SPF records).
The real pain in all this is the fact that we're being served such useless systems due to the fact that they're supported by huge corporations. If Microsoft hadn't "invented" Sender ID (or actually stolen SPF), and Yahoo! and Cisco hadn't invented DKIM, if both projects had been created by small companies, they'd never have become as popular. We would not have special summits on server-side authentication. And we would not be blinded by these large corporations saying that this is the answer to spam.
IT IS NOT AN ANSWER TO SPAM!
There exists a MUCH BETTER way to authenticate, but it is not promoted by Microsoft, Yahoo! or AOL. The answer is PERSONAL E-MAIL CERTIFICATES! I find it unbelievable that this is completely overlooked, whilst if every user used such a certificate (free and installed in 5 minutes thanks to Comodo or thawte - they both offer free certificates), we'd be certain that the sender addresses are not falsified. Why use a server-based system which is much easier to compromise and much more problematic (due to the impossibility of using pre-delivery forwarding, aliases or mailing lists, as in DKIM or Caller ID), if you can use a personal system, which is implemented in 99% of mail clients (S/MIME support), and only requires the users to get a free certificate?
Why?
Because Microsoft, AOL and Yahoo! have no interest whatsoever in certificates, because they can't make money using them. That's why.
Therefore let me be an advocate of an alternative solution. Drop SPF, drop DKIM, drop Sender ID. Get a personal e-mail certificate and use it to promote it. If almost everybody uses them (especially banks and other entities abused by phishing) and users get used to the fact that only an e-mail with a valid cert can be considered to truly be sent by the originator, then we'd have mail spoofing under control.
So go get your cert now, wherever you find one. It might be Comodo, it might be thawte, it might be anywhere else, as I'm sure there are other options.
--
Tomasz Andrzej Nidecki
Journalist, Sysadmin, Spamfighter
http://spam.jogger.pl
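The comment above claims that SPF breaks pre-delivery forwarding. The following Python script is an added illustration of that failure mode; it is not part of the original comment or of any SPF implementation. It is a deliberately minimal SPF evaluator (only ip4, ip6 and all mechanisms with their qualifiers; include, a, mx and macros are rejected rather than guessed), and the domains, addresses and records are constructed sample data using documentation ranges. It evaluates the same message delivered three ways: directly from the origin, relayed unchanged by a forwarder, and relayed by a forwarder that rewrites the envelope sender to its own domain (the SRS-style rewrite that forwarders use to stay SPF-compatible).

```python
import ipaddress
from typing import Dict

# Constructed sample SPF records (RFC 7208 syntax). The domains and the
# address ranges are hypothetical documentation values, not real data.
SPF_RECORDS: Dict[str, str] = {
    "origin.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record against the connecting client IP.

    Supports the ip4, ip6 and all mechanisms with their qualifiers.
    Unsupported mechanisms (include, a, mx, exists, ...) raise rather
    than silently guess. Returns pass, fail, softfail, neutral or none.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An address of the other IP version never matches the network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} not supported by this toy evaluator")
    return "neutral"  # nothing matched and there was no 'all' term


def check_delivery(mail_from: str, client_ip: str) -> str:
    """Look up the envelope sender's domain and evaluate its record.

    SPF checks the SMTP MAIL FROM domain against the IP of the host that
    actually connected to the receiving MTA, not the original author.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    return evaluate_spf(record, client_ip)


def forwarding_scenarios() -> Dict[str, str]:
    """The same message delivered three ways, as the receiving MTA sees it."""
    return {
        # 1. The origin MTA connects directly: its IP is authorised by
        #    origin.example's record.
        "direct": check_delivery("alice@origin.example", "203.0.113.10"),
        # 2. A forwarder relays the message unchanged: MAIL FROM is still
        #    alice@origin.example, but the connecting IP belongs to the
        #    forwarder, which origin.example never authorised -> fail.
        "forwarded": check_delivery("alice@origin.example", "198.51.100.5"),
        # 3. The forwarder rewrites MAIL FROM to its own domain (SRS-style),
        #    so the forwarder's own record is the one evaluated -> pass.
        "forwarded_srs": check_delivery("srs0=tag=alice@forwarder.example", "198.51.100.5"),
    }


if __name__ == "__main__":
    for scenario, result in forwarding_scenarios().items():
        print(f"{scenario:14s} -> {result}")
```

The second scenario is the breakage the comment describes: a receiver enforcing `-all` would reject a perfectly legitimate forwarded message. The third shows why forwarders that want to survive SPF enforcement rewrite the envelope sender, at the cost that the original sender's domain is no longer what gets checked.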