Experts clash over merits of anti-spam authentication

Weak user authentication may be worse than none at all, claims one security expert; others are backing SPF to make a difference

User authentication for email "may be worse than useless" at preventing the spread of spam, according to Nick Fitzgerald, security consultant at Computer Virus Consulting.

"As an anti-spam measure, SPF is broken before it's implemented, as it's not just breakable, it's trivial to break," Fitzgerald told an audience at the Virus Bulletin conference in Dublin on Friday.

"Knowing a message arrived SPF compliantly tells us nothing about the actual sender and the 'spaminess' of the message," Fitzgerald added, claiming that SPF has been "widely hyped" as solving the problem of user authentication.

Fitzgerald's views were challenged by other conference attendees, who insisted that SPF would play a valuable role in fighting unsolicited junk email.

Authentication schemes such as SPF allow the owner of a domain to use DNS records to say which machines within the domain can transmit email. Recipients that use SPF can treat as suspect any email that claims to come from a certain domain but which does not actually match its SPF record.

Supporters say SPF can clamp down on the practice of 'spoofing', where spammers alter the appearance of messages so that they no longer appear to come from the domain that sent them, but another entirely.

There are no reports of spammers breaching SPF, yet Fitzgerald said SPF would be "trivial to break with just a few lines of malicious code".

"Spammers can beat off SPF trivially — they already have large botnets [networks of compromised computers]. 80 percent of spam is from compromised computers running SMTP relays and/or dedicated spam-bots," Fitzgerald claimed.

To do this, a spammer could manipulate a compromised machine and read the settings of its email program, such as its ISP's mail server settings, and use them itself. This would mean that spam could be sent tagged with the ISP's own SPF settings, making it look legitimate.

"A spam-bot could easily pull popular MUA client settings for its own use, use process injection to usurp the installed MUA, use similar techniques to usurp the network stack, and protect itself with a rootkit," Fitzgerald said.

Such behaviour from spammers was widely reported earlier this year, when SpamHaus and MessageLabs both warned of an increasingly fast torrent of spam seemingly coming from ISP's own mailservers, due to infected machines on their networks changing their behaviour to get around spam filtering techniques.

But this trick only works for ISPs that do not filter their own outgoing email. And, as Vesselin Bontchev from antivirus company FRISK pointed out, those who received such spam would be in a better position to take action as the SPF record could act as a paper trail back to the culprit.

"A user could contact the ISP and alert them to the problem, so they can fix the server," Bontchev said.

Fitzgerald, though, disagreed, saying ISPs would not blacklist compromised machines, as that would not be financially viable.

"You get almost no response from ISPs because they can't afford to cut off their customers," Fitzgerald said.