SPF helps fight spam
Top tip to can spam
Comment February 4th, 2008
By Roger Howorth

I had a watershed moment recently – I started receiving spam that contained only a single Portable Document Format (PDF) file. I’ve never had this stuff before, but I’ve got a feeling more is on the way. Fortunately the developers of the spam filter I use – called the Anti Spam SMTP Proxy (ASSP) – appear to be on the case. They recently replied to a question about how best to filter PDF spam saying that with a little training the Bayesian filter in the latest version of ASSP should do the job.

But the trouble is with most anti-spam technologies, the more people use them, the more likely it is that spammers will try to defeat them. For example, when a greylisting feature was added to ASSP about 18 months ago, it proved very effective, cutting my spam to mail ratio from about 85% spam to around 60%.

However, greylisting has become a common feature in most spam filters, and a few spammers have already updated their software to deal with it.

The interesting thing about Sender Policy Framework (SPF) is that this “less is more” rule does not hold true. The only thing spammers can do to bypass SPF filtering is to register more and more legitimate domains from which they could send their mail. People could then block those domains, either by manual methods, or more likely by having their spam filter automatically update itself from a spam blacklist. This would mean the newly registered domains would only be effective until they were spotted and added to the blacklists, and this would probably take less than a few hours. Registering domains would also be unpopular with spammers because each one would cost them money, and because it makes them traceable and therefore accountable for their actions.

Some argue there’s no point is using technologies such as SPF because they are not widely used. While this is partly true, there are already some notable exceptions, including AOL and Google’s Gmail service. And while spam filters probably can’t use an SPF “fail” result to positively identify spam, they can use an SPF “pass” result as a pretty good indicator that the mail is not spam.

SPF has also been criticised because it doesn’t handle mail forwarding very well. Messages that were forwarded from domains using SPF to mail servers that also used SPF would be rejected. However, the complementary Sender Rewriting Scheme (SRS) handles this problem. Implementing SPF and SRS is a little more complicated than installing a basic spam filter. For example, you need to update your DNS servers with appropriate records. But it’s not too onerous, and most organisations would say it’s a price worth paying in order to reduce the volume of spam in their users’ mailboxes. Both SPF and SRS can identify a message as spam by looking at the headers, so the mail servers can reject spam before they have received and inspected the entire message, which means much less of your internet bandwidth is consumed by spam messages. Less spam and more available bandwidth, sounds like a win-win to me.

Leave a Response