Educause Security Discussion mailing list archives

Re: Blacklists - URL and IP


From: Dave Koontz <dkoontz () MBC EDU>
Date: Thu, 16 Jun 2005 18:46:39 -0400

Many other Financial institutions are now beginning to put SPF into place,
either in testing "~all" or production "-all" DNS records.  I am now
beginning to see SPF failures for many bank "Phishing Scams" due to this
trend, and I am sure this trend will continue as it is a cheap and reliable
mechanism to prove the email is actually from them.

Another alternative is now taking legs, DomainKeys Identified Mail.  DKIM is
a cryptographic authentication technology being created through the merger
of Yahoo's DomainKeys with Cisco's Identified Internet Mail.

These technologies are *NOT* designed to detect spam, nor should they be
used to assign a positive value to email that passes the tests.  What they do
is simple: verify that the sender of an email is coming from where they
claim they are.  The rest is up to you and your spam filters.

Cheers!

~Dave Koontz
 Mary Baldwin College

-----Original Message-----
From: Joe St Sauver [mailto:JOE () OREGON UOREGON EDU]
Sent: Thursday, June 16, 2005 4:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blacklists - URL and IP

Information Security <infosecurity () UTPA EDU> commented:

#That's a waste of time.  Spammers have more SPF records in place than
#legitimate senders.

SPF is not about reputation, it is designed to address the question "Did
this mail come from a source that the domain holder views as legitimate?"

Other tools will help you make judgements about reputation (including things
that give thumbsdown, like the SBL or the SURBL), and things that give a
thumbs up (like BondedSender).

#SPF only works in conjunction with a white list.  For example you might
#have a small list of companies such as ebay, yahoo, etc, and reject
#mail from those domains which don't match their SPF records.  However
#you cannot make any conclusions at all about a domain who
#you do not specifically know, based on the presence or absence of an SPF
#record.

SPF is not meant to function as a white list, nor does it require an
ancillary whitelist, and it doesn't "help" if the origin of the mail is from
an expected source. Where it *does* help is when the mail is from an
unexpected source.

#SPF is a big fat waste of time in my opinion.  Like most of these things
#sponsored by big corporations, they protect the so-called "legitimate
#mass mailers" more than they help reduce spam.

It is not designed to reduce spam. It is designed to give entities a way to
control mail sources for their domain.

If I'm citibank.com, and I don't originate mail from a coffee shop in Malta,
it is helpful if I can express that policy -- and sure enough, citibank.com
has:

% host -t txt citibank.com
citibank.com text "v=spf1 a:mail.citigroup.com ip4:192.193.195.0/24
ip4:192.193.210.0/24 ~all"

Regards,

Joe
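The following is an added example, not code from either poster, showing how a receiver would actually evaluate the citibank.com record quoted above against a sending IP, and how the "~all" (testing) versus "-all" (production) qualifiers Dave mentions change the outcome. The SPF TXT record for citibank.com is the one printed in the thread; the A record for mail.citigroup.com, the "strict.example" domain and every sending address are constructed so the code runs offline without DNS. Only the ip4, ip6, a and all mechanisms are implemented.

```python
"""Minimal SPF check_host() for the ip4/ip6/a/all mechanisms.

Added example, not code from the original thread. The citibank.com TXT
record is the one quoted in the thread; the A record for
mail.citigroup.com and the strict.example domain are constructed so the
example runs offline.
"""
import ipaddress

# Constructed stand-in for DNS TXT answers: domain -> SPF record.
TXT_RECORDS = {
    "citibank.com": "v=spf1 a:mail.citigroup.com ip4:192.193.195.0/24 "
                    "ip4:192.193.210.0/24 ~all",
    # Hypothetical "production" policy with a hard fail instead of "~all".
    "strict.example": "v=spf1 ip4:192.193.195.0/24 -all",
}
# Constructed stand-in for DNS A answers: host -> addresses (not real data).
A_RECORDS = {
    "mail.citigroup.com": ["192.193.194.10"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    terms = []
    for field in fields[1:]:
        if "=" in field:          # modifiers (redirect=, exp=) are out of scope
            continue
        qual = "+"                # an unqualified mechanism means "pass"
        if field[0] in QUALIFIERS:
            qual, field = field[0], field[1:]
        mech, _, arg = field.partition(":")
        if "/" in mech:           # bare "a/24": CIDR without a host part
            mech, _, cidr = mech.partition("/")
            arg = "/" + cidr
        terms.append((qual, mech.lower(), arg))
    return terms


def mechanism_matches(mech, arg, ip, domain):
    """Return True when the sending IP matches a single mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        # A v4 address is never contained in a v6 network and vice versa.
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        host, _, cidr = arg.partition("/")
        host = host or domain     # "a" alone refers to the domain itself
        for addr in A_RECORDS.get(host, []):
            net = ipaddress.ip_network(addr + ("/" + cidr if cidr else ""),
                                       strict=False)
            if ip in net:
                return True
        return False
    raise ValueError("unsupported mechanism %r" % mech)


def check_host(ip, domain):
    """Evaluate a sender IP against the domain's SPF record.

    Returns one of: none, pass, fail, softfail, neutral. Terms are tested
    left to right and the first match decides, which is why "~all" or
    "-all" goes last in a record.
    """
    record = TXT_RECORDS.get(domain)
    if record is None:
        return "none"             # domain publishes no policy: no conclusion
    ip = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        if mechanism_matches(mech, arg, ip, domain):
            return QUALIFIERS[qual]
    return "neutral"              # no term matched (record without "all")


if __name__ == "__main__":
    for sender, domain in [("192.193.195.7", "citibank.com"),
                           ("192.193.194.10", "citibank.com"),
                           ("203.0.113.5", "citibank.com"),   # the coffee shop
                           ("203.0.113.5", "strict.example"),
                           ("203.0.113.5", "nospf.example")]:
        print(sender, domain, "->", check_host(sender, domain))
```

Note what the softfail result does and does not tell you: with "~all" a message from 203.0.113.5 claiming citibank.com only earns a "softfail", which a receiver typically feeds to its spam scoring rather than rejecting outright, whereas the same address against the "-all" record is a hard "fail". A "pass" still says nothing about whether the mail is wanted, only that the domain holder lists that source as legitimate.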
