R. Scott Perry wrote:

> In this case, what you should do is use "v=spf1 mx ?all". That says "If the E-mail is coming from an IP in our MX record, we authorize it. If it is coming from any other IP, we can't say whether or not it is legitimate -- treat it the same as if we have no SPF record."


In theory this works perfectly, but even on this list people have suggested adding at least some points for the ?all condition. You have to consider the idiot factor and the problems that this can cause (such as blocking on ?all results, and to a lesser extent adding points). For instance, even AOL is using a system that allows for blocking perfectly legitimate IPs when messages are forwarded to their servers and someone presses their spam submit button. Challenge/Response is another perfect example of mass lunacy; in fact some C|Net figurehead was on CNN just a few days ago talking about how all E-mail will eventually move into a scenario that requires C/R. Mass idiocy abounds, and spam protection has become the same thing as the Internet circa 1996.

So while the danger is minimal with ?all, it is there, and I would prefer to not contribute my domains until I can be sure that people can't use their systems to punish my users for not coming from my own server. I have no idea what that would take to accomplish, unfortunately. Even scoring SPF-FAIL is somewhat problematic because I'm sure that there are many administrators that don't list ?all conditions when they should, and the potential for false positives isn't worth the benefit currently in spam blocking. The stats that Scott Fisher shared are certainly interesting, although anecdotal without my ability to verify them.

> I believe that would be the best answer. Unfortunately, that is a huge undertaking -- the amount of time it would take to get a good group of people to write it and agree to it, plus the time it would take to implement (all mail clients would need to be re-written), would make it very time consuming.


Well, I'm not holding my breath waiting for that to happen :) I would of course support it if it did.

As far as I can tell, the only things that are worth whitelisting are local authenticated users, whereas whitelisting (or crediting in a weight system) seems to be what all of this SPF/Caller ID stuff was primarily designed for early on, yet it is its biggest failure thus far. I don't see any possibility of that working in the foreseeable future.

What I do think would work much better in the near term would be for every mail server to support and require SMTP AUTH through port 587 as proposed, and then have every ISP out there block port 25, which would be used exclusively for non-AUTH'ed E-mail between systems. That would cut the zombie problem down dramatically without interrupting service, but this will probably take 5 years or more to widely implement. I think this would have a much larger effect than SPF in terms of blocking forged E-mail, the majority of which comes from PCs attached to these residential ISPs presently. AUTH hacking, or even server hacking, however, will become much more predominant when the bar is raised in this manner, but there should be many fewer machines to track. For now, I consider broadband ISPs to be honeypots for both the spammer and for my system of blocking spammers, and I like it that way :) Probably 90% of what gets through my system is from spammers that have their own IP space assigned to them, but haven't yet been tagged.

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================


--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
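The thread turns on what a receiver actually gets back from "v=spf1 mx ?all" versus "-all" and how a scoring filter should treat the result. The following is an added example, not code from either poster or from Declude: a minimal SPF check_host() that resolves mx/a/ip4/all terms against a constructed in-memory DNS table (the domains example.test, strict.test and nospf.test and their addresses are made up so the script runs offline), plus a spf_points() weighting that scores "neutral" identically to "none", which is the treatment Matt argues ?all should get.

```python
"""Minimal SPF evaluator for the mechanisms discussed in the thread.

Added example, not part of the original mailing-list post. The DNS table
below is constructed for illustration; a real checker would query DNS and
would also need include:, redirect=, ip6, exists and lookup limits.
"""
import ipaddress

# Constructed DNS data (hypothetical domains, documentation address ranges).
FAKE_DNS = {
    "example.test": {                       # the "v=spf1 mx ?all" case
        "TXT": ["v=spf1 mx ?all"],
        "MX": ["mail.example.test"],
    },
    "mail.example.test": {"A": ["203.0.113.25"]},
    "strict.test": {                        # same, but with a hard fail
        "TXT": ["v=spf1 mx -all"],
        "MX": ["mail.strict.test"],
    },
    "mail.strict.test": {"A": ["198.51.100.5"]},
    "nospf.test": {"A": ["192.0.2.1"]},     # publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def get_spf_record(domain):
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def mechanism_matches(mech, value, domain, ip):
    """True if the connecting IP matches one mechanism term."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ip in ipaddress.ip_network(value, strict=False)
    if mech == "a":
        return str(ip) in lookup(value or domain, "A")
    if mech == "mx":
        # "mx" matches if the IP is an address of any MX host of the domain.
        return any(str(ip) in lookup(mx_host, "A")
                   for mx_host in lookup(value or domain, "MX"))
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain):
    """Return pass / fail / softfail / neutral / none for ip sending as domain."""
    record = get_spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if mechanism_matches(mech.lower(), value, domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no term matched


def spf_points(result, fail_points=3.0, softfail_points=1.0):
    """Weight-system scoring: neutral (?all) is scored exactly like none,
    so a sender that merely lacks a matching mechanism is never penalised."""
    return {"pass": 0.0, "fail": fail_points, "softfail": softfail_points,
            "neutral": 0.0, "none": 0.0}[result]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.25", "example.test"),
                       ("192.0.2.99", "example.test"),
                       ("192.0.2.99", "strict.test"),
                       ("192.0.2.99", "nospf.test")]:
        r = check_host(ip, domain)
        print(f"{ip:>14} as {domain:<13} -> {r:<8} points={spf_points(r)}")
```

With this table, a message from the listed MX address passes for both domains, an unrelated address gets "neutral" from example.test but "fail" from strict.test, and nospf.test returns "none"; the scoring table makes the first and last of those indistinguishable, which is the behaviour Scott's description of ?all ("treat it the same as if we have no SPF record") calls for.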
