Educause Security Discussion mailing list archives

Re: Phishing, Spam Solutions


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 18 Jun 2013 13:56:08 -0400

On Wed, 12 Jun 2013 15:45:29 +0900, Katsuya Uchida said:

Some idea is to set email authentication.
I heard that the email authentication rejects 90% of spam mails.

Which is a good reason *not* to rely on them, as other methods manage
to reject 99% or better of spam.  Anything that's only rejecting 90%
of spam these days is considered horrible.

What is email authentication (Sender ID, DomainKeys/DKIM, SPF) and how
do I set it up?
   http://help.campaignmonitor.com/topic.aspx?t=88

There are several problems with these:

1) Some of the solutions don't actually provide the assertion that you think
they do (in particular, SPF has this problem - it does what it claims, but what
it claims isn't what most people think it does).

2) None of them are of sufficient maturity or widespread adoption that
you can actually get away with saying "We will not accept mail from the
exterior unless it has authentication XYZ".  At best, what you can do is
score a few "might be spam" points if a given piece of mail *fails* a given
authentication (a corrupted/incorrect DKIM signature, a violated SPF constraint
and so on).

About the only exception is that you *sometimes* can get away with saying "All
mail claiming to be from example.edu must have originated from within
example.edu's campus network".  But that won't stop spam claiming to be from
anyplace else (and still has to deal with the compromised user problem, where
it's very difficult to tell the difference between a legitimate user submitting
an e-mail from off campus over a VPN connection and a spammer using a
legitimate user's credentials (often from the user's own machine) over a VPN
connection).

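An added example, not part of the original post: a minimal Python sketch of the policy described in point 2 and the exception after it, where a missing SPF/DKIM result costs nothing, an explicit failure adds "might be spam" points, and the only hard reject is mail claiming example.edu from outside the campus network. The campus range, point weights, sample messages and the presence of an `Authentication-Results` header written by your own border MTA are all assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: campus range and point weights are made up.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAIN = "example.edu"
FAIL_POINTS = {"spf": 2.0, "dkim": 1.5}  # only an explicit failure scores

# Constructed sample messages (not real mail).
SAMPLES = {
    "unsigned": "From: a@other.example\nSubject: hi\n\nbody\n",
    "both_fail": ("Authentication-Results: mx.example.edu; "
                  "spf=fail smtp.mailfrom=x.example; dkim=fail header.d=x.example\n"
                  "From: a@x.example\n\nbody\n"),
    "spoofed_local": "From: dean@example.edu\n\nbody\n",
}

def auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'pass'} from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim)=([a-z]+)", header.lower()):
            # If a method is reported more than once, a failure wins.
            if results.get(method) != "fail":
                results[method] = verdict
    return results

def evaluate(raw_message, client_ip):
    """Return (action, points); action is 'reject' or 'score'."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ip = ipaddress.ip_address(client_ip)
    on_campus = any(ip in net for net in CAMPUS_NETS)
    # The one hard rule: mail claiming our domain must come from our network.
    if from_domain == LOCAL_DOMAIN and not on_campus:
        return ("reject", 0.0)
    # Everything else is scored; "none", "neutral" or no header adds nothing.
    points = 0.0
    for method, verdict in auth_results(msg).items():
        if verdict == "fail":
            points += FAIL_POINTS[method]
    return ("score", points)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw, "203.0.113.7"))
```

A connection arriving over the campus VPN carries a campus address, so the hard rule passes it regardless of who is holding the credentials.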