Educause Security Discussion mailing list archives
Re: Blacklists - URL and IP
From: Dave Koontz <dkoontz () MBC EDU>
Date: Thu, 16 Jun 2005 18:46:39 -0400
Many other Financial institutions are now beginning to put SPF into place, either in testing "~all" or production "-all" DNS records. I am now beginning to see SPF failures for many bank "Phishing Scams" due to this trend, and I am sure this trend will continue as it is a cheap and reliable mechanism to prove the email is actually from them.

Another alternative is now taking legs, DomainKeys Identified Mail. DKIM is a cryptographic authentication technology being created through the merger of Yahoo's DomainKeys with Cisco's Identified Internet Mail.

These technologies are *NOT* designed to detect spam, nor should they be used to assign a positive value to email that passes the tests. What they do is simple, verify that the sender of an email is coming from where they claim they are. The rest is up to you and your spam filters.

Cheers!

~Dave Koontz
Mary Baldwin College

-----Original Message-----
From: Joe St Sauver [mailto:JOE () OREGON UOREGON EDU]
Sent: Thursday, June 16, 2005 4:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blacklists - URL and IP

Information Security <infosecurity () UTPA EDU> commented:

#That's a waste of time. Spammers have more SPF records in place than
#legitimate senders.

SPF is not about reputation, it is designed to address the question "Did this mail come from a source that the domain holder views as legitimate?" Other tools will help you make judgements about reputation (including things that give thumbs down, like the SBL or the SURBL), and things that give a thumbs up (like BondedSender).

#SPF only works in conjunction with a white list. For example you might
#have a small list of companies such as ebay, yahoo, etc, and reject
#mail from those domains which don't match their SPF records. However
#you cannot make any conclusions at all about a domain who
#you do not specifically know, based on the presence or absence of an SPF
#record.
SPF is not meant to function as a white list, nor does it require an ancillary whitelist, and it doesn't "help" if the origin of the mail is from an expected source. Where it *does* help is when the mail is from an unexpected source.

#SPF is a big fat waste of time in my opinion. Like most of these things
#sponsored by big corporations, they protect the so-called "legitimate
#mass mailers" more than they help reduce spam.

It is not designed to reduce spam. It is designed to give entities a way to control mail sources for their domain. If I'm citibank.com, and I don't originate mail from a coffee shop in Malta, it is helpful if I can express that policy -- and sure enough, citibank.com has:

% host -t txt citibank.com
citibank.com text "v=spf1 a:mail.citigroup.com ip4:192.193.195.0/24 ip4:192.193.210.0/24 ~all"

Regards,

Joe
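Added example, not part of either message: a small Python evaluator that runs the citibank.com record quoted above against a connecting IP, showing how the testing "~all" and production "-all" endings change the verdict for an unlisted source. The a_records map (a stand-in for the DNS lookup behind a:mail.citigroup.com) and the 192.0.2.x / 203.0.113.x client addresses are constructed; only ip4, ip6, a:<host> and all are handled.

```python
import ipaddress

# Qualifier prefix -> SPF result; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Record as quoted in the thread.
CITI = ("v=spf1 a:mail.citigroup.com ip4:192.193.195.0/24 "
        "ip4:192.193.210.0/24 ~all")
# Constructed stand-in for DNS: host -> A records (documentation range).
A_RECORDS = {"mail.citigroup.com": ["192.0.2.10"]}


def check_spf(record, client_ip, a_records=None):
    """Return the SPF result for client_ip under record.

    Mechanisms are tried left to right and the first match decides.
    Returns 'none' if the text is not an SPF record and 'permerror'
    for any term this example does not implement.
    """
    a_records = a_records or {}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6") and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a" and arg:
            hosts = a_records.get(arg, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for src in ("192.193.195.17", "192.0.2.10", "203.0.113.5"):
        print(src, "testing:", check_spf(CITI, src, A_RECORDS),
              "production:", check_spf(CITI.replace("~all", "-all"),
                                       src, A_RECORDS))
```

A listed source passes under either ending; the unlisted one is only a softfail while the record ends in "~all", so a receiver that rejects on fail alone will still accept it until the domain switches to "-all".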