Comments on: What if everyone used SPF?

By: Pedro Timóteo

Pedro Timóteo — Sun, 29 Nov 2009 10:04:44 +0000

The point of things like these is not to perfectly end spam, just to make things more difficult for spammers (and, in case of SPF, mostly for phishers, as you say). The fact that something isn't a 100% perfect solution for a problem doesn't mean that it isn't still a good idea. I don't know if a domain black list is viable, and it wouldn't be a magical solution, of course, since, again as you say, it's just a matter of registering a new domain. But there's still that additional effort (and expense). In an SPF world, a new domain would have no more than hours of spam sending before being universally blocked for good. Nope, again this wouldn't end spam. But spam works because it's incredibly easy and cheap to send millions of emails; everything that makes it even a tiny little bit less easy or cheap makes a difference.

By: Gonçalo Silva

Gonçalo Silva — Fri, 27 Nov 2009 19:13:36 +0000

So, mailling lists are abusing SMTP protocol.

By: Gonçalo Silva

Gonçalo Silva — Fri, 27 Nov 2009 18:54:07 +0000

Exactly, Spammers fakes emails senders cuz they don’t wanna buy domains, not because is important for the SPAM to successes, and making “From:” and the “To:” the same proves it. SPF world implementation would give godaddy and alikes a little more money, but wouldn´t stop spam. RBL’s would have names instead for numbers, not a big difference, i think.

I could buy one domain, myspam.org, and making thousands of subdomains for free using it for senders address.
If the RBL’s instead of listing all my subdmains, decides to block all with something like *.myspam.org, i would buy some subdomains on co.uk making spam from it, doing a mail DoS to all others legitimize co.uk submains. Not that easy to make an domain black list is it?

By: Pedro Timóteo

Pedro Timóteo — Fri, 27 Nov 2009 17:09:57 +0000

Well, I was using “spammers” as a catch-all term for “bad guys who send email”. Besides, most anti-spam systems treat phishing emails as a form of spam (e.g. Gmail’s spam folder, or SpamAssassin.) However, in my experience a lot of them (actual spammers trying to sell Viagra, not phishers) really fake their email addresses — for instance, using the destination address as both the “From:” and the “To:”. If they are prevented from doing that, it makes it possible — not easy, but certainly doable — to have a sender domain black list, which would, I think, help a lot.

By: Pedro Timóteo

Pedro Timóteo — Fri, 27 Nov 2009 17:08:09 +0000

Weird… the implementation I’m using seems to be indeed checking the “From:”.

The “send to a friend” functionality, as currently implemented, is, IMO, abusing SMTP. If you invite a friend in Facebook, the invitation email should be from Facebook, not “from” you, I believe.

By: Gonçalo Silva

Gonçalo Silva — Fri, 27 Nov 2009 17:02:08 +0000

“The faking of sender addresses. Who ever does that? Spammers”

You confuse Spammers and Phishers, not exactly the same kind of people.
Even if SPF was adopted by the World, SPAM wouldn’t stop. SPAM exists cuz people react to it, meaning in this case people go see the site and perhaps buys the product. For this kind of people doesn’t matter the sender’s domain, only the Subject, if it’s about viagra and they have a small dick they will open it. Today most SPAM comes from domains senders that has nothing to do with the PUB on it

Who normally sends fake senders address are phishers, but this wouldn’t stop phishing, cuz the real problem is people’s brains size.

By: Vítor Pires

Vítor Pires — Fri, 27 Nov 2009 16:22:06 +0000

http://www.openspf.org/FAQ/Envelope_from_scope

Despite believing it could help it’s still possible to use a “sender/return-path” header with a different domain “from” header and the one which is checked is the “sender” one which is the right way in my view.

Imagina the “send to a friend” functionality in some websites. You want it to be identified as you sending but the actual sender to be the site itself so it won’t be marked as spam. Of course this could be used by some spammers to send mails but still obey to the spf check..