On Fri, Apr 24, 2009 at 10:13:38AM +1000, Aaron Mason wrote:
quoted text
> On Fri, Apr 24, 2009 at 4:39 AM, Dan Harnett <daniel@harnett.name> wrote:
> > Huh?  Spammers have been using throw away domains for ages.  Adding a
> > SPF record to their own domains has been trivial.  No spoofing required.
> > Basically, you're accepting input from the bad guys and treating it as
> > valid and trusted.  Bad idea.
> 
> If they use throw away domains, then another solution would be to go
> on the age of the domain - which a simple WHOIS check can obtain and
> would theoretically be very difficult to forge, especially if you go
> straight to one of the NICs for that info.
> 
> This would come with some caveats - it would be easy to thwart by
> getting throwaway domain names and sitting on them for awhile in a
> sort of FIFO queue, adding new ones to the end when the first gets
> thrown away.  On top of that, it would mean companies who are just
> getting a start in the online business could be waiting awhile to
> email potential clients whose mail servers are using this method to
> filter spam.

Or, you could just not auto-whitelist the bad guys while at the same
time hurting deliverability from the good guys.  Then again, do what you
want.  It doesn't effect me.

quoted text
> On top of that, if VeriSign could be tricked into signing a fake
> Microsoft ActiveX key, can you really trust the authorities?

Are you implying SPF records are validated somewhere and signed by a
trusted third party?  They're not.  They're provided by the bad guys.  A
more proper analogy would be that you received an ActiveX control signed
by "The Bad Guys Who Do Bad Things".  They were nice enough to sign it,
so you accept it.

quoted text
> The reality is that any solution to try and block spammers would be
> thwarted if a spammer were able to acquire the means to use it to
> validify themselves fraudulently.
> 
> Spam is a battle - the least we can hope for is to make it a battle
> for them as well.

A battle where you shoot yourself in the head isn't much of a battle.

Maybe you need an example.  I'll run out and register
'asfjsakf1359.com'.  Times are tough, but I think I can scrounge up the
$9.99 GoDaddy wants for it.  I'll use this domain to send you a single
email.  It'll pass greylisting, because I'm using a normal mail server
with no funny tricks.  It'll be a legit message, too.  I just wanted to
say "hi" and see how you were doing, and maybe talk about my cat.  I've
generously provided an SPF record to make things easier for you.  It is
my domain and I can advertise what I want in my domain.  The SPF record
will look like the following.

asfjsakf1359.com TXT "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"

Now, you no longer have to worry about greylisting.