RE: [Asrg] Is there anything good enough? - Spoofing stats
Scott Nelson <scott@spamwolf.com> Thu, 08 May 2003 17:43 UTC
Message-Id: <aT5vaIe86J8qbrFGp02@x>
To: asrg@ietf.org
From: Scott Nelson <scott@spamwolf.com>
Subject: RE: [Asrg] Is there anything good enough? - Spoofing stats
Date: Thu, 08 May 2003 10:42:47 -0700

At 09:05 AM 5/8/03 -0600, Vernon Schryver wrote:
>No, you are falling for the intentional misrepresentation or lie that
>is labelling mail that comes from one domain with another domain as
>sender as "forgery." That lie is intended to cause you to misunderstand
>what is being abused and by whom.
>

I think that when I write "scott@spamwolf.com" in the mail envelope
and/or message headers it is not forgery, regardless of what IP I send
through when I do it. But if a spammer (or anyone else) wrote
"scott@spamwolf.com" in the mail envelope and/or message headers
then it would be.

More abstractly; Putting "yourname@example.com" in a message implies
that you are able to receive email sent to "yourname@example.com"
and that if you are not, then you are in fact, forging
"yourname@example.com"

Normally, I'd say the best approach to detecting forgery would be
the direct approach. I.e. if you want to know if the sender can
read email sent to "yourname@example.com", then you should send
an email to "yourname@example.com" and ask.
(Most challenge response systems are based on this exact idea.)
However, the cost of that is much larger than it appears on the surface.

RMX and the related DS propose a method with a much lower cost.
They are not as good as other systems, but the theory is that they
do not cost as much to implement, so they might be reasonable in
terms of cost/performance.

If we limit the cost by refusing to change existing practices,
then they can not distinguish forgery from the standard practice
of using an arbitrary IP to inject email.
(They also can not distinguish forgery from the standard practice of
forwarding email, and mailing lists, but there are some low cost
methods of dealing with those.)

In that context, I will now repeat something I said earlier;
If the IP of the sender matches an RMX record of the domain,
then it's a good bet the message is not a forgery.
If the IP of the sender does not match an RMX record of the domain,
or there is no RMX record, then all bets are off.

If, on the other hand, we assume that we are going to impose changes
in existing standard practices, then RMX/DS are no longer low cost
proposals. Depending on what sort of changes we propose, the ability
to detect forgery can be quite good, but I claim the cost spirals out
of control rapidly.

Scott Nelson <scott@spamwolf.com>
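
The rule stated in the message above (a match against the domain's RMX record is a positive signal, while a mismatch or a missing record proves nothing), as an added Python example that is not part of the original post. The table, function names and addresses are constructed for illustration; the DNS lookup and the RMX record format are not modelled.

```python
import ipaddress

# Constructed stand-in for published RMX data: domain -> authorized sending networks.
# Assumption: a real deployment would fetch this from DNS.
RMX_TABLE = {
    "example.com": ["192.0.2.0/24", "2001:db8:10::/48"],
}

LIKELY_GENUINE = "likely-genuine"   # sender IP matched the domain's record
NO_CONCLUSION = "no-conclusion"     # "all bets are off": not evidence of forgery


def sender_domain(envelope_from):
    """Return the lowercased domain of an envelope sender, or None (e.g. "<>")."""
    addr = envelope_from.strip().strip("<>")
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None


def rmx_verdict(envelope_from, client_ip, table=RMX_TABLE):
    """Apply the asymmetric rule: only a match says anything about the message."""
    domain = sender_domain(envelope_from)
    networks = table.get(domain) if domain else None
    if not networks:                      # null sender, or no record published
        return NO_CONCLUSION
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:                    # unparseable client address
        return NO_CONCLUSION
    for net in networks:
        network = ipaddress.ip_network(net)
        if ip.version == network.version and ip in network:
            return LIKELY_GENUINE
    return NO_CONCLUSION                  # forwarder, list, roaming user or forger


# Constructed deliveries: (envelope sender, connecting IP)
SAMPLES = [
    ("<alice@example.com>", "192.0.2.25"),    # domain's own outbound host
    ("<alice@example.com>", "198.51.100.7"),  # same address relayed by a list or forwarder
    ("<bob@example.org>", "203.0.113.9"),     # domain publishes no record
    ("<>", "192.0.2.25"),                     # null sender (bounce)
]


def classify_all(samples=SAMPLES):
    return [rmx_verdict(sender, ip) for sender, ip in samples]
```

The second sample is the case the message warns about: a legitimate address arriving from an unlisted IP is indistinguishable from a forgery unless existing practices change, so the function never returns a "forged" verdict.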