Thursday 4 January 2007

Sender Authentication Doesn't Fix Challenge/Response

Happy new year. Sorry that the first post of January is about challenge/response (again), but surprisingly few people seem to get it.

There's this idea floating around that challenge/response filters are OK if they check SPF, SenderID, or DomainKeys -- only challenging messages that pass those checks.

Twaddle. This idea that SPF or SIDF or DKIM can tell you whether a message is forged is naive.

Firstly, implementation on the sender side is spotty. If there's no SPF record or DKIM header to check, you're back to square one.

Secondly, don't forget that most spam is sent by virus-infected computers (corralled into a botnet). There's nothing to stop virus writers from sending spam that passes an SPF/PRA/DK check at the receiving end.


Anonymous said...

SPF won't work against spam in general but it might help against phishing. If SPF were combined with an IP reputation you might get more reliable phishing detection.

Suppose an email purportedly comes from PayPal or Bank of America and fails an SPF check. Furthermore, assume the IP it is coming from shows an increase in email volume of 200% in the past 24 hours. I think that's a reliable enough algorithm to "guess" that the message is probably phishing and block it without checking the content.

Richi Jennings said...

Ummm, this is true, but off-topic, unless I'm missing something.

Post a Comment