On 8/22/22 12:17, Phil Stracchino wrote:
> On 8/22/22 11:50, Viktor Dukhovni wrote:
>> On Mon, Aug 22, 2022 at 05:35:54PM +0200, Patrick Proniewski wrote:
>>> But the "loophole" here is that blank sender/return-path is allowed
>>> (MAILER DAEMON), I could prohibit that, but with huge caveats.
>>
>> Best to ignore bad advice. You may need a better antispam filter. Ad
>> hoc rules for past (and plausibly never again) abuse are not likely to
>> be effective. That said, no antispam filter is 100% effective. Some
>> spam *will* get through no matter what you do.
>
> If there was a method of spam filtering that was 100% effective,
> *everyone* would be using it. ...And the spammers would be working
> night and day to figure out ways to circumvent it.
>
> A lot of the problems in spam filtering is that the protocols we use for
> email delivery were fundamentally designed in insecure, unauthenticated
> ways, because they were created in a different, friendlier, arguably
> more naïve world in which nobody imagined that anyone would abuse email
> on a large scale. Trying to bolt security and authentication onto
> anything after the fact is always harder than designing in secure
> authentication from the start.
>
> The other side of that coin, though, is that we are in a lot better
> place to do that secure authentication now, because our tools (hardware
> and software) are so much better and more capable. But that doesn't
> mean it's not still a hard problem.

The correct solution to prevent email forgery is DNSSEC + DKIM + DMARC
with p=reject + some way to prevent DMARC from accepting based on SPF
alone.

In practice, lots of stuff is misconfigured. I don’t run a mail server,
but if I did, I would be pretending that Google had p=quarantine, even
though it has p=none. I would also be using DNS over TLS to 8.8.8.8 with
pinned CA certificates to get Google’s DNS records, and refusing to send
mail to Google unless a Google CA signed the server’s TLS cert.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
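
The receiver-side policy described in the message above (an SPF-only pass not satisfying DMARC, and a locally enforced minimum policy for a domain that publishes p=none), as an added example that is not part of the original thread. The function names, the `min_policy` map and the sample records are assumptions constructed for illustration; DKIM/SPF verification and alignment results are taken as inputs, and the `pct` and `sp` tags are ignored.

```python
# Added example: receiver-side DMARC disposition with two local hardening
# knobs. Records and domains below are constructed, not real DNS data.

ORDER = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def disposition(from_domain, txt, dkim_aligned, spf_aligned,
                min_policy=None, require_dkim=True):
    """Return 'accept', 'quarantine' or 'reject' for one message.

    dkim_aligned / spf_aligned: results of earlier verification steps
        (mechanism passed AND aligned with the From: domain).
    min_policy: hypothetical local map {domain: minimum policy to enforce},
        used to treat a published p=none as something stricter.
    require_dkim: when True, an SPF-only pass does not satisfy DMARC.
    """
    tags = parse_dmarc(txt) if txt else None
    published = tags.get("p") if tags else None
    if published not in ORDER:
        published = "none"  # no usable record: nothing published to enforce
    floor = (min_policy or {}).get(from_domain, "none")
    effective = max(published, floor, key=ORDER.get)

    passed = dkim_aligned or (spf_aligned and not require_dkim)
    if passed or effective == "none":
        return "accept"
    return effective


if __name__ == "__main__":
    overrides = {"example.com": "quarantine"}  # constructed local override
    # SPF-only pass from a p=none domain: stock DMARC accepts, hardened does not.
    print(disposition("example.com", "v=DMARC1; p=none", False, True,
                      require_dkim=False))
    print(disposition("example.com", "v=DMARC1; p=none", False, True,
                      min_policy=overrides))
```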