On Sun, 2010-05-23 at 17:48 -0400, W B Hacker wrote:
> And probably would still do so even if 100% of the 'proper' smtp world
> published such records, simply because WinBots will not.

But... you don't know that. For any domain that publishes an SPF record, there is a finite (and growing) chance that a bot or trojan will attempt to use an address within that domain as a sender address. *That* is what SPF is all about: forgeries.

Hypothetical example: I register example.com. I provide an SPF record of "-all" for example.com, which means "this domain does not send email". I also publish an address for people to send *to* - hell, say, [email protected].

Imagine an outbreak (it's not very hard) of a bot within a corporate network. These are hosts behind a NAT firewall, forced to send via Windows group policy via a local authenticated SMTP gateway. The bot uses the corporate policy to send junk via the corporate mail gateway using someone's credentials. Eventually, the bot uses [email protected] as the sender address. Everyone using SPF on inbound mail has their MTA say "whoa, this domain uses -all, go away" after only a couple of lookups - or even after only one.

I appreciate that the SPF Kool-Aid is strong on the "this is the solution" side (or at least it was), which seems to make arguing for SPF a weak exercise; however, on the flip side, the "SPF is a complete waste of time" is just as weak. SPF has its place. Don't discount it just because a number of loud voices on both ends of the argument make vociferously opposing points - the middle ground, as per usual, is where it's at.

rDNS is not the solution. It isn't even a decent placebo - and neither is SPF. But in conjunction they can (and do) work fairly well; added to other checks they work even more accurately.

Graeme

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
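The inbound-MTA check Graeme describes, as an added example that is not part of the post or of Exim: a small SPF evaluator that handles `ip4`, `a`, `include` and the qualified `all` terms, run against a constructed in-memory stand-in for DNS (the domains, records and addresses are hypothetical) so that a `-all` domain used as a forged sender is rejected on the first lookup.

```python
"""Minimal SPF evaluation as a receiving MTA would do it on MAIL FROM.
DNS is replaced by a constructed in-memory table (assumption, not real
lookups) so the example runs offline."""
import ipaddress

# Constructed stand-in for DNS TXT and A records (hypothetical data).
FAKE_DNS = {
    "example.com": {"txt": "v=spf1 -all"},  # domain sends no mail at all
    "corp.example": {"txt": "v=spf1 ip4:203.0.113.0/24 a -all",
                     "a": ["198.51.100.7"]},
    "vendor.example": {"txt": "v=spf1 include:corp.example ~all"},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    rec = FAKE_DNS.get(domain, {}).get("txt")
    if not rec or not rec.startswith("v=spf1"):
        return "none"                    # no record published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        qual = "+"                       # default qualifier is pass
        if term[0] in RESULT:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULT[qual]          # "-all" rejects on this first term
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return RESULT[qual]
        if name == "a" and str(ip) in FAKE_DNS.get(arg or domain, {}).get("a", []):
            return RESULT[qual]
        if name == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return RESULT[qual]
    return "neutral"                     # ran off the end without a match


def smtp_decision(mail_from, client_ip):
    """The MTA's verdict on the envelope sender, as described in the post."""
    domain = mail_from.rpartition("@")[2]
    result = check_spf(domain, client_ip)
    if result == "fail":
        return "550 reject: %s publishes -all, %s is not authorised" % (domain, client_ip)
    return "250 accept (spf=%s)" % result
```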
