Heavyweight anti-virus researchers Nick Fitzgerald and Vesselin Bontchev have clashed at the Virus Bulletin Conference in Dublin over the utility of SPF (Sender Policy Framework). Nick attacked SPF as “broken” as an anti-spam measure, arguing that it is trivial to break and that it tells us nothing about the actual sender or the “spaminess” of the message. He also pointed out that botnets could easily be used to send SPF-compliant spam.
Vesselin Bontchev pointed out that that would only work for organizations that do not filter their outgoing mail and that ISPs could use the information to identify compromised PCs.
Our Chief Consultant, Allan Dyer, gives his opinion:
I think Vesselin is missing a trick by bringing in the ISP - Nick is right, ISPs don't have the motivation or margin to follow up these cases (see related story, “Déjà vu: HKISPA Gets Tough on Spam?”, below).
The reason why an organisation should want to publish an SPF record is to protect its reputation; email "From" their domain, arriving from an unlisted IP address, is bogus. If the organisation becomes infested with zombies, with the result that the listed mail servers are sending out spam in the organisation's name, they have extremely high motivation to clean up immediately. Recipients can contact the domain's postmaster, and expect an immediate response, or conclude that the spam is authorised by the organisation.
The second reason to publish an SPF record is the hope of reducing the number of bounce messages to non-existent users - if the receiving mail server had checked the SPF record, the reject message would not have been sent.
Some anti-spam developers refuse to implement SPF checking in their products, saying that it is easily broken, not very effective, and will not do much to improve their already excellent spam detection accuracy.
I disagree. It is comparable to the MX record in strength. It is effective at preventing machines outside of your domain pretending to be you (Nick's objection is that it does not defend against spam being sent from your machines, when they have been compromised by zombies - if that is the case, you have a massive security breach, and sending spam is just one of your problems).
The effectiveness is limited by its adoption. Publishing an SPF record is cheap (a simple DNS update), and anti-spam vendors could make a major difference to its adoption in receiving servers.
The argument that it will not do much to improve “already excellent” spam detection accuracy is empty – these products use many techniques to give a final result better than any individual technique. So the same argument could be made against any other technique - it could be removed from the cocktail with very little effect on the final result.
Two questions:
- As a domain owner, you can make a one-line change in your zone file to allow recipients to easily identify forged mail supposedly from your domain. What is your justification for not doing so?
- For the anti-spam developers: some domains are choosing to publish information to help recipients identify which messages are from authorised servers; why are you choosing to ignore that information?
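To make the two questions concrete, here is a worked example of the "one-line change in your zone file" and of what a receiving server does with it. This is an illustration added to the page, not code from the article, from Allan Dyer or from any anti-spam product. It evaluates a subset of SPF (RFC 7208): the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers. The DNS TXT data is a constructed in-memory table so the example runs offline; the domain names and addresses are reserved documentation values and are assumptions of the example. Two caveats a practitioner should keep in mind: SPF is evaluated against the envelope sender (SMTP MAIL FROM, or HELO when MAIL FROM is empty), not the header "From:" a user sees, and the mx, a, ptr and exists mechanisms, which need live DNS, are deliberately not implemented here.

```python
"""Minimal SPF (RFC 7208 subset) evaluator.

Added illustration, not code from the article. Constructed DNS data below;
mechanisms needing live DNS (mx, a, ptr, exists) are not implemented.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The first entry is the one-line zone-file change the article refers to:
#   example.com.  IN  TXT  "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.16/28 ip6:2001:db8:1::/48 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on include/mx/a/ptr/exists


def lookup_spf(domain, dns):
    """Return the SPF record for `domain`, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """SPF result for a connection from `ip` whose envelope sender is in `domain`."""
    if _lookups is None:
        _lookups = [0]
    addr = ipaddress.ip_address(ip)
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(ip, arg, dns, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the included record: keep going
        else:
            return "permerror"  # mechanism not supported by this example
    return "neutral"  # record exhausted without a match; RFC 7208 default


def smtp_decision(ip, envelope_domain, dns=FAKE_DNS_TXT):
    """Turn the SPF result into an SMTP-time verdict. Rejecting a 'fail' at
    MAIL FROM / RCPT TO time is what stops the bounce-to-innocent-user
    problem: the message is never accepted, so no bounce is generated."""
    result = check_host(ip, envelope_domain, dns)
    if result == "fail":
        return "550 5.7.23 SPF validation failed"  # status code from RFC 7372
    return "250 OK (spf=%s)" % result


if __name__ == "__main__":
    cases = [("192.0.2.10", "example.com"),      # listed server: pass
             ("198.51.100.20", "example.com"),   # via include: pass
             ("2001:db8:1::5", "example.com"),   # IPv6 via include: pass
             ("203.0.113.5", "example.com"),     # unlisted IP: forged, fail
             ("203.0.113.5", "softfail.example"),
             ("203.0.113.5", "nospf.example")]   # domain publishes no record
    for ip, dom in cases:
        print("%-15s %-22s %-8s %s" % (ip, dom, check_host(ip, dom), smtp_decision(ip, dom)))
```

The zombie case the two researchers argued over is visible in the table: a bot inside 192.0.2.0/24 gets "pass" because the organisation itself listed that range, which is exactly the point that SPF authorises servers, not message content. Everything the recipient can verify is whether the connecting address is one the domain owner vouched for.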