SPF doesn't really STOP spam, does it?
We've heard the complaints – Spammers can always get throwaway domains, etc.
At a high level, the answer is that we're moving from one paradigm to another: from "assumed innocent until proven guilty" to "assumed guilty unless proven innocent". The Aspen Framework brings two important tools to bear: reputation and accreditation. (A cartoon guide is available.) SPF is not directly anti-spam. It is not anti-spam in the same way that flour is not food.
We agree that throwaway domains will be the next step in the arms race. We can counter with:
- fast automated blacklisting using spamtraps and attack detectors
- simple reputation systems based on factors such as:
  - age of domain according to whois
  - email profile of domain, e.g. "too many unknown recipients"
  - call-back tests to see if the sender domain is able to receive mail.
  The reputation system can advise a receiving MTA to defer or reject.
- legal methods following the paper trail of who paid for the domain.
Here's an example of automated blacklisting in action:
- A spammer spams.
  - The spam comes from an SPF-conformant domain.
    - That domain is on a widely published sender-domain blacklist.
      - The MTA rejects the message.
    - That domain is a throwaway, just-registered domain, and does not yet appear on blacklists.
      - The spam gets accepted by unsophisticated MTAs which do not use other traffic-analysis methods to impose a crude reputation system on unrecognized senders.
      - The spam also gets accepted by automated spamtraps.
        - The spamtraps add the domain to the blacklist.
        - (advanced) Some time later, the user checks email. Immediately before the display phase, the MUA re-tests the message against the blacklists, and discards it.
      - Thanks to the greater level of sender accountability, lawsuits may begin against the spammers, and registrars may be subpoenaed for domain owner information. SPF strengthens administrative and legal methods.
  - The spam comes from a non-SPF-conformant domain.
    - Initially,
      - Most legitimate mail will fall into this category.
      - Normal content filters get to do their job.
      - The usual false-positive/false-negative results apply.
    - Later,
      - Most legitimate mail will be SPF-conformant.
      - Some legitimate mail will not be SPF-conformant.
      - SPF-conformant receivers SHOULD receive non-conformant mail but MAY choose to perform additional filtering on it.
  - Eventually, as e-mail improves its immunity to spam, we hope spammers will get discouraged.
If the volume of spam decreases, legal and administrative approaches become more effective; right now they are simply swamped. If there are only 10 spammers in the world, law enforcement can focus on catching each one. If there are 10,000 spammers, law enforcement throws up its hands, calls it a societal problem, and says it doesn't have enough resources to tackle it.
- The spam domain was registered with a domain registrar.
  - If the registrar is cooperative, we can find out from the registrar who the spammer was; and the registrar can stop accepting their registrations.
  - If the registrar is uncooperative, or if a spammer buys and runs a registrar, we can default-blacklist all their domains, in a political move similar to SPEWS's approach.
  - Alternatively, since spam is becoming increasingly illegal, we can subpoena the registrar to find out who registered the domain, and sue the spammer directly.
    - If the spammer registered the domain using false information, we can still go back to the credit card.
      - If the credit card was stolen, that's a crime which can be addressed using traditional means.
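The defer/reject advice and the spamtrap feedback loop described above, worked as an added example (not part of this FAQ or of any SPF implementation): a small receiving-side policy function that combines the SPF result, a spamtrap-fed sender-domain blacklist and domain age from whois. The domain names, dates and the 30-day age threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Domains younger than this are treated as "unrecognized" and deferred.
# The 30-day threshold is an assumption chosen for illustration.
MIN_DOMAIN_AGE_DAYS = 30

@dataclass
class ReputationDB:
    """Constructed stand-in for the data a receiving MTA's reputation system consults."""
    blacklist: set = field(default_factory=set)        # domains reported by spamtraps
    whois_created: dict = field(default_factory=dict)  # domain -> registration date

def advise(spf_result: str, sender_domain: str, db: ReputationDB, today: date) -> str:
    """Advise the MTA: 'reject', 'defer', 'accept', or 'filter' (hand to content filters)."""
    if spf_result == "fail":
        # The domain publishes SPF and says this host may not send for it.
        return "reject"
    if spf_result != "pass":
        # No usable SPF result (e.g. "none"): non-SPF-conformant mail is accepted
        # and the normal content filters get to do their job.
        return "filter"
    # SPF pass: the sender domain is accountable for this message.
    if sender_domain in db.blacklist:
        return "reject"
    created = db.whois_created.get(sender_domain)
    if created is None or (today - created).days < MIN_DOMAIN_AGE_DAYS:
        # Throwaway or unknown domain: defer (temporary failure) so the
        # spamtraps get time to list it before the sender retries.
        return "defer"
    return "accept"

def spamtrap_hit(sender_domain: str, spf_result: str, db: ReputationDB) -> bool:
    """A spamtrap received mail; only an SPF-conformant domain can be held accountable."""
    if spf_result == "pass":
        db.blacklist.add(sender_domain)
        return True
    return False

if __name__ == "__main__":
    # Constructed scenario from the walkthrough: a domain registered yesterday starts spamming.
    db = ReputationDB(whois_created={"throwaway.example": date(2004, 7, 1)})
    today = date(2004, 7, 2)
    print(advise("pass", "throwaway.example", db, today))  # defer
    spamtrap_hit("throwaway.example", "pass", db)          # spamtrap lists the domain
    print(advise("pass", "throwaway.example", db, today))  # reject
```

The deferral is what buys the spamtraps their head start: a retry that arrives after the listing is rejected, while an established, unlisted domain that passes SPF is accepted outright.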
(2004-07-02) Scott Kitterman has posted a suggested refinement to the above plan.