On Fri, Apr 24, 2009 at 02:16:57PM +1000, Aaron Mason wrote:
> On Fri, Apr 24, 2009 at 11:01 AM, Dan Harnett <dan...@harnett.name> wrote:
> >> On top of that, if VeriSign could be tricked into signing a fake
> >> Microsoft ActiveX key, can you really trust the authorities?
> >
> > Are you implying SPF records are validated somewhere and signed by a
> > trusted third party? They're not. They're provided by the bad guys. A
> > more proper analogy would be that you received an ActiveX control signed
> > by "The Bad Guys Who Do Bad Things". They were nice enough to sign it,
> > so you accept it.
> >
>
> I was implying no such thing. I was referring to using WHOIS to block
> spammers on the basis of the date the domain was registered.

Then your analogy didn't even make sense. No one is being tricked. I can recycle old domains as well. You don't get it.

> > asfjsakf1359.com TXT "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all"
>
> Ok, now that gives us a pointer by which to block fraudulent folk.
> That record means anyone and everyone can send an email using that
> domain name. A proper SPF record wouldn't have an all-encompassing IP
> range. In fact, who in the world would have anything more than a /7
> block?

That is a proper SPF record. So, in addition to filtering e-mail, you're going to start using complicated filters to screen out SPF records because you're dumb enough to whitelist everything the spammer tells you to? Go for it. Have fun with that.

> However that alone wouldn't deter any spammer - just limit the range
> to what's accepted and you're in. And any limit you set will only
> cause more dramas. Sure you could limit it to /24 and smaller, or
> even to single addresses, but what about those select folk who have
> been assigned /8 classless subnets? That's a whole lotta SPF records
> for one subdomain.

I gave you the simplest and quickest example that came to mind. If you have even half a brain, then you'd realize how trivial it would be to list single IP addresses. I can even obfuscate it to the point of nested 'include:'s to keep the TXT records a decent size.

Spammers have always been one step ahead. Anything like auto-whitelisting SPF records would be picked up rather fast and abused easily if it gained widespread acceptance. They don't even need to go as far as my example did. They just need to whitelist their own little spam haven, which you'll happily do.

> No solution is perfect, but a small group of imperfect solutions is a
> far cry better than no solutions at all and our mailboxes being
> inundated with spam. The problem's here to stay, all we can do is
> deal with it as best we can.
You're auto-whitelisting whatever the spammer tells you to and you think that is preventing spam? LOL. The only hindrance here is the brief moment greylisting was working until you whitelisted the entire internet. I think you still don't get it.
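The point being argued above (that an SPF "pass" says nothing about whether a sender is trustworthy, because the sender publishes its own record) can be made concrete with a small evaluator. The script below is an added example, not code from the thread or from either participant. It implements a simplified SPF check covering only the ip4, a, include and all mechanisms (real SPF also has mx, ptr, exists, redirect, CIDR suffixes on a/mx, and macros) over an in-memory stand-in for DNS. The asfjsakf1359.com record is the one quoted in the thread; the other domains, the A record and all IP addresses are constructed sample data. For each domain it reports the SPF result for a given sender IP and the fraction of IPv4 space the record authorizes, which is the only thing a "filter out overly broad records" rule could ever look at.

```python
import ipaddress

# Constructed in-memory stand-in for DNS TXT lookups. The first record is the
# one quoted in the thread; the rest are constructed sample data.
SPF_RECORDS = {
    "asfjsakf1359.com": "v=spf1 a:mail.asfjsakf1359.com ip4:0.0.0.0/0 ~all",
    # A sender who lists only the single host it actually sends from.
    "narrow-spammer.example": "v=spf1 ip4:203.0.113.7 -all",
    # A record that delegates part of its policy via include:.
    "corp.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Constructed stand-in for DNS A lookups, used by the 'a:' mechanism.
A_RECORDS = {"mail.asfjsakf1359.com": ["203.0.113.200"]}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Split an SPF record into its mechanism terms, dropping the v=spf1 tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    return terms[1:]


def collect_networks(domain, seen=None):
    """Resolve a domain's policy into (qualifier, network) pairs plus the
    qualifier of its 'all' term. Simplification: include: contributes the
    included domain's '+' networks under the include term's own qualifier."""
    if seen is None:
        seen = set()
    if domain in seen or domain not in SPF_RECORDS:  # loop guard / no record
        return [], None
    seen.add(domain)
    networks, all_qualifier = [], None
    for term in parse_terms(SPF_RECORDS[domain]):
        qualifier = "+"  # an unqualified mechanism means '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, argument = term.partition(":")
        name = name.lower()
        if name == "ip4":
            networks.append((qualifier, ipaddress.ip_network(argument, strict=False)))
        elif name == "a":
            for ip in A_RECORDS.get(argument or domain, []):
                networks.append((qualifier, ipaddress.ip_network(ip)))
        elif name == "include":
            inner, _ = collect_networks(argument, seen)
            networks.extend((qualifier, net) for q, net in inner if q == "+")
        elif name == "all":
            all_qualifier = qualifier
    return networks, all_qualifier


def check_host(sender_ip, domain):
    """SPF result for sender_ip claiming domain: the first matching mechanism
    wins, otherwise the 'all' qualifier applies, otherwise neutral."""
    address = ipaddress.ip_address(sender_ip)
    networks, all_qualifier = collect_networks(domain)
    for qualifier, network in networks:
        if address in network:
            return QUALIFIER_RESULT[qualifier]
    return QUALIFIER_RESULT[all_qualifier] if all_qualifier else "neutral"


def authorized_fraction(domain):
    """Fraction of IPv4 space the record positively authorizes ('+' networks,
    overlapping ranges collapsed before counting)."""
    networks = [net for q, net in collect_networks(domain)[0] if q == "+"]
    total = sum(net.num_addresses for net in ipaddress.collapse_addresses(networks))
    return total / 2 ** 32


if __name__ == "__main__":
    for domain, sender in [("asfjsakf1359.com", "10.20.30.40"),
                           ("narrow-spammer.example", "203.0.113.7"),
                           ("corp.example", "192.0.2.10"),
                           ("corp.example", "8.8.8.8")]:
        print("%-26s from %-14s -> %-8s (record authorizes %.10f of IPv4)"
              % (domain, sender, check_host(sender, domain), authorized_fraction(domain)))
```

Running it shows the two sides of the argument side by side: the quoted record passes every IPv4 address and authorizes 100% of the space, so a breadth filter would flag it, while the constructed single-host record also yields "pass" for its one address and authorizes 1/2^32 of the space, indistinguishable by breadth from a legitimate small sender. An SPF pass therefore only establishes that the sending host is one the domain owner chose to list, which is why deriving whitelist or reputation decisions from it alone hands the decision to whoever controls the domain.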