On 18/10/2024 15:00, Hans-Martin Mosner via mailop wrote:
> On 18.10.24 at 15:16, Paul Smith* via mailop wrote:
>
>> A spammer can send SPF-authenticated mail 'From: "b...@microsoft.com" <na...@evilcorp.com>', but any spam filtering knows that it's not really from Microsoft.
>
> What they actually do is register a domain "micorsoft.com", send SPF-authenticated mail 'From: "b...@microsoft.com" <b...@micorsoft.com>', and neither spam filtering software (which doesn't see the similarity) nor the human victim (who doesn't see the difference) will notice.

But spam filters will still block it. They may not block it instantly, but they'll soon see spammy behaviour from it, people reporting it as spam, etc, and then they can *accurately* block it, because the sender is kindly proving that they're definitely the sender via SPF and DKIM.

Spam filters CAN NOT block all mail from microsoft.com, they CAN block all mail from micorsoft.com, and because of SPF/DKIM they KNOW that it's coming from micorsoft.com and not microsoft.com.

Domain filters nowadays work heavily on sender reputation. DKIM & SPF facilitate that by proving that the sender is who they say they are.


> Of course it's only a small fraction of recipients who don't notice the fraud and fall for it, but those who see it and would like to stop it have absolutely no incentive to report it as they know that neither the hoster nor the registrar will do anything to stop the criminals or disclose their identity without a court order, and getting such a court order is not realistically possible for most people. Would you go to the police with a printout of the screenshot and explain it to police officers who will most likely send you home without filing charges? Of course not, it's futile.

Hmm - that sounds like a problem with registrars.

In the UK, Nominet (the .UK registry) will (a) probably stop that before it gets registered (via their 'Domain Watch' system - https://registrars.nominet.uk/uk-namespace/security-tools-and-protection/domain-watch/), and (b) as soon as it's reported, instantly put a temporary block on it while it's investigated.

Obviously other registrars are not as good, but those are often the ones where the whole TLD gets blocked...


Paul
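The two points argued above (SPF/DKIM pin the message to the domain that really sent it, and a typo-squat like "micorsoft.com" is only invisible to a filter that never compares domains) can be put into a small check. The following is an added example, not code from the thread or from any of the posters; PROTECTED_DOMAINS, classify_from() and the sample headers are hypothetical and constructed here, and the Authentication-Results parsing covers only the plain "dkim=pass header.d=" and "spf=pass smtp.mailfrom=" forms.

```python
"""Added example (not code from the mailop thread): classify a From: header
as the discussion above describes.

1. Take the domain that SPF/DKIM actually authenticated, from the
   Authentication-Results header (RFC 8601 syntax).
2. Spot a display name that carries a different e-mail address than the
   real one (the 'From: "x@brand" <x@other>' trick).
3. Flag the real domain when it is a typo-squat of a protected brand domain,
   which is the comparison a naive filter "doesn't see".

Hypothetical names: PROTECTED_DOMAINS, classify_from(), SAMPLES (constructed)."""

import re
from email.utils import parseaddr

# Constructed list of brand domains we want to protect (hypothetical).
PROTECTED_DOMAINS = {"microsoft.com", "paypal.com", "example-bank.com"}

# An e-mail address anywhere in a string; group 1 is its domain.
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (restricted Damerau-Levenshtein) distance.
    An adjacent-letter transposition counts as one edit, so 'micorsoft'
    is 1 away from 'microsoft' rather than 2 under plain Levenshtein."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(domain: str, protected=PROTECTED_DOMAINS, max_dist: int = 1):
    """Return the protected domain that `domain` imitates, or None.
    Exact matches are not look-alikes. Only the first label is compared,
    so a squat that also swaps the TLD still hits."""
    domain = domain.lower()
    if domain in protected:
        return None
    label = domain.split(".")[0]
    for p in sorted(protected):
        if osa_distance(label, p.split(".")[0]) <= max_dist:
            return p
    return None


def authenticated_domains(auth_results: str):
    """Domains an Authentication-Results header says passed SPF or DKIM."""
    found = set()
    for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth_results):
        found.add(m.group(1).lower())
    for m in re.finditer(r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[\w.+-]+@)?([\w.-]+)",
                         auth_results):
        found.add(m.group(1).lower())
    return found


def classify_from(from_header: str, auth_results: str = "") -> dict:
    """Verdict on one From: header plus the receiver's Authentication-Results."""
    display, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # An address inside the display name whose domain differs from the real
    # address domain is the classic display-name impersonation.
    shown = EMAIL_RE.search(display)
    shown_domain = shown.group(1).lower() if shown else None
    return {
        "header_domain": addr_domain,
        # True when SPF/DKIM tie the mail to the header domain: reputation
        # can then be attached to that domain with certainty.
        "authenticated": addr_domain in authenticated_domains(auth_results),
        "display_name_spoof": bool(shown_domain and shown_domain != addr_domain),
        "lookalike_of": lookalike_of(addr_domain) if addr_domain else None,
    }


# Constructed sample headers, not real mail.
SAMPLES = [
    ('"billing@microsoft.com" <billing@evilcorp.com>',
     "mx.example; spf=pass smtp.mailfrom=billing@evilcorp.com; dkim=pass header.d=evilcorp.com"),
    ('"billing@microsoft.com" <billing@micorsoft.com>',
     "mx.example; spf=pass smtp.mailfrom=billing@micorsoft.com; dkim=pass header.d=micorsoft.com"),
    ('Billing <billing@microsoft.com>',
     "mx.example; dkim=pass header.d=microsoft.com"),
]

if __name__ == "__main__":
    for hdr, ar in SAMPLES:
        print(hdr, "->", classify_from(hdr, ar))
```

The second sample is the case from the thread: SPF and DKIM both pass, so the filter knows with certainty the mail came from micorsoft.com and can block that domain outright, and the edit-distance check is what turns "the filter doesn't see the similarity" into a signal before any reputation has accumulated. Real deployments would widen the candidate set (homoglyphs, added or dropped hyphens, different TLDs) and read the authenticated domain from a full RFC 8601 parser rather than these two regexes.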

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
