Eugene Smiley on 31 Aug 2005 19:58:41 -0000


Re: [PLUG] Verizon blacklist?

George A. Theall wrote:
> On Tue, Aug 30, 2005 at 07:33:37PM -0400, Eugene Smiley wrote:
>>George A. Theall wrote:
>>>Exactly.  And thus, getting back to my original message, the notion
>>>of using SPF for whitelisting addresses is foolish if that's what
>>>AOL and Earthlink are truly doing.
>>How would a whitelist be of any use if you weren't sure that the MAIL
>>FROM hasn't been faked? 
> Let me turn that around...  What good are such whitelists when spammers
> are on one hand publishing SPF records and on the other injecting mail
> through means that SPF records claim are acceptable?

RHSBLs. Once you know that a given email is really from a given domain, you
will be able to check to see if that domain is a known spammer.

Straight from the FAQ:

> SPF doesn't really STOP spam, does it?
> We've heard the complaints -- Spammers can always get throwaway domains, etc.
> At a high level, the answer is that we're moving from one paradigm to another: from "assumed innocent until proven guilty" to "assumed guilty unless proven innocent". The Aspen Framework brings two important tools to bear: reputation and accreditation. (A cartoon guide is available.)
> We agree that throwaway domains will be the next step in the arms race. We can counter with:
>    1. fast automated blacklisting using spamtraps and attack detectors
>    2. simple reputation systems based on factors such as
>           * age of domain according to whois
>           * email profile of domain, eg. "too many unknown recipients"
>           * call-back tests to see if the sender domain is able to receive mail. 
>       The reputation system can advise a receiving MTA to defer or reject.
>    3. legal methods following the paper trail of who paid for the domain. 
> Here's an example of automated blacklisting in action:
>    1. A spammer spams.
>           * The spam comes from an SPF-conformant domain.
>                 o That domain is on a widely published sender-domain blacklist.
>                       + The MTA rejects the message. 
>                 o That domain is a throwaway, just-registered domain, and does not yet appear on blacklists.
>                      1. The spam gets accepted by unsophisticated MTAs which do not use other traffic-analysis methods to impose a crude reputation system on unrecognized senders.
>                      2. The spam also gets accepted by automated spamtraps.
>                      3. The spamtraps add the domain to the blacklist.
>                      4. (advanced) Some time later, the user checks email. Immediately before the display phase, the MUA re-tests the message against the blacklists, and discards it.
>                      5. Thanks to the greater level of sender accountability, lawsuits may begin against the spammers, and registrars may be subpoenaed for domain owner information. SPF strengthens administrative and legal methods. 
>           * The spam comes from a non-SPF-conformant domain.
>                 o Initially,
>                      1. Most legitimate mail will fall into this category.
>                      2. Normal content filters get to do their job.
>                      3. The usual false-positive/false-negative results apply. 
>                 o Later,
>                       + Most legitimate mail will be SPF-conformant.
>                       + Some legitimate mail will not be SPF-conformant.
>                       + SPF-conformant receivers SHOULD receive non-conformant mail but MAY choose to perform additional filtering on it. 
>    2. Eventually, as SMTP improves its immunity to spam, we hope spammers will get discouraged. 
> If the volume of spam decreases, legal and administrative approaches become more effective; right now they are simply swamped. If there are only 10 spammers in the world, law enforcement can focus on catching each one. If there are 10,000 spammers, law enforcement throws up its hands, calls it a societal problem, and says it doesn't have enough resources to tackle it.
>     * The spam domain was registered with a domain registrar.
>     * If the registrar is cooperative, we can find out from the registrar who the spammer was; and the registrar can stop accepting their registrations.
>     * If the registrar is uncooperative, or if a spammer buys and runs a registrar, we can default-blacklist all their domains, in a political move similar to SPEWS's approach.
>     * Alternatively, since spam is becoming increasingly illegal, we can subpoena the registrar to find out who registered the domain, and sue the spammer directly.
>     * If the spammer registered the domain using false information, we can still go back to the credit card.
>     * If the credit card was stolen, that's a crime which can be addressed using traditional means. 
> (20040702) Scott Kitterman has posted a suggested refinement to the above plan.
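The combination argued for in this message, SPF to establish that the MAIL FROM domain is genuine and then an RHSBL lookup on that verified domain, as an added example (not code from the thread, the SPF FAQ, or any real blocklist). The zone name `rhsbl.example` and the listing data are constructed so the block runs offline; `dns_resolve` is only needed against a real zone.

```python
import ipaddress
import socket

RHSBL_ZONE = "rhsbl.example"  # hypothetical RHSBL zone, not a real service

# Constructed listing data: an A record in 127.0.0.0/8 under the zone means "listed".
CONSTRUCTED_RHSBL = {"spammer.example.rhsbl.example.": ["127.0.0.2"]}


def rhsbl_query_name(domain, zone=RHSBL_ZONE):
    """RHSBLs are keyed by the sender domain: query <domain>.<zone>."""
    return f"{domain.rstrip('.').lower()}.{zone}."


def fake_resolve(name):
    """Offline stand-in for DNS; raises LookupError on NXDOMAIN like a real resolver."""
    if name not in CONSTRUCTED_RHSBL:
        raise LookupError(name)
    return CONSTRUCTED_RHSBL[name]


def dns_resolve(name):
    """Real A-record lookup via the system resolver (only for use with a real zone)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        raise LookupError(name) from exc


def rhsbl_listed(domain, resolve=fake_resolve):
    try:
        answers = resolve(rhsbl_query_name(domain))
    except LookupError:
        return False
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in listed_range for a in answers)


def policy(spf_result, mail_from_domain, resolve=fake_resolve):
    """Return (action, reason). Reputation is only consulted once SPF says the domain is real."""
    spf_result = spf_result.lower()
    if spf_result == "fail":
        return "reject", "SPF fail: MAIL FROM domain forged"
    if spf_result == "pass":
        if rhsbl_listed(mail_from_domain, resolve):
            return "reject", f"{mail_from_domain} listed in {RHSBL_ZONE}"
        return "accept", "SPF pass and domain not listed"
    # none/neutral/softfail/temperror: unverified, so it must not be whitelisted;
    # hand it to the normal content filters instead.
    return "filter", f"SPF {spf_result}: domain unverified"
```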
Philadelphia Linux Users Group