On Thu, 14 Dec 2006, Magnus Holmgren wrote:
On Thursday 14 December 2006 01:37, Marc Perkel wrote:
How do you deal with people forwarding email from another domain when
using SPF?
*If* you intend to reject mail based on hard SPF failures, then you *must*
allow for exceptions for forwarded mai
May I second, third, fourth or whatever that comment?
{+_+}
- Original Message -
From: "Justin Mason" <[EMAIL PROTECTED]>
Folks -- as requested yesterday, can we drop this thread?
--j.
John D. Hardin writes:
On Thu, 14 Dec 2006, Gino Cerullo wrote:
> > Marc: Since you already requir
--On 14 December 2006 10:50:34 -0500 "Coffey, Neal" <[EMAIL PROTECTED]>
wrote:
3) Let's say you bank with Bank of MyBank BankCorp. MyBank.com
specifies an SPF record. You receive a message claiming to be from
mybank.com, and it passes SPF. You can be reasonably certain it is
legitimate.
Folks -- as requested yesterday, can we drop this thread?
--j.
John D. Hardin writes:
> On Thu, 14 Dec 2006, Gino Cerullo wrote:
>
> > > Marc: Since you already require that your customers modify their MX
> > > records to have their email sent to your servers, why not update /
> > > add the
On Thu, 14 Dec 2006, Gino Cerullo wrote:
> > Marc: Since you already require that your customers modify their MX
> > records to have their email sent to your servers, why not update /
> > add the appropriate SPF records at the same time? That would
> > prevent any problems caused by SPF chec
On 14-Dec-06, at 4:35 PM, j o a r wrote:
On 14 dec 2006, at 20.40, Gino Cerullo wrote:
I presume the answer you gave is an admission that you are, in
fact, using email forwarding as the method behind your spam
filtering system.
The link from perkel.com -> junkemailfilter.com is pretty se
On Thu, 14 Dec 2006, j o a r wrote:
> Marc: Since you already require that your customers modify their
> MX records to have their email sent to your servers, why not
> update / add the appropriate SPF records at the same time? That
> would prevent any problems caused by SPF checks.
Not quite.
An
On 14 dec 2006, at 20.40, Gino Cerullo wrote:
I presume the answer you gave is an admission that you are, in
fact, using email forwarding as the method behind your spam
filtering system.
The link from perkel.com -> junkemailfilter.com is pretty self
explanatory. It all makes sense now...
On 14-Dec-06, at 10:30 AM, Marc Perkel wrote:
I'm not the one who brought it up.
Gino Cerullo wrote:
Marc,
I get the impression that you run a business that markets itself
as an anti-spam solution and it's based on forwarding email and
that business model is threatened by the growing adop
On Thursday 14 December 2006 01:37, Marc Perkel wrote:
> How do you deal with people forwarding email from another domain when
> using SPF?
*If* you intend to reject mail based on hard SPF failures, then you *must*
allow for exceptions for forwarded mail. Mail can only be forwarded from
specific
On Thursday 14 December 2006 01:51, Giampaolo Tomassoni wrote:
> From: Marc Perkel [mailto:[EMAIL PROTECTED]
>
> > OK Daryl,
> >
> > How do you deal with people forwarding email from another domain when
> > using SPF?
>
> Right. That's the big reason for using +all (or not using SPF at all).
>
> Us
Marc Perkel wrote:
> Since spammers can just as easily used SPF on their domains they can
> whitelist themselves if you use SPF for whitelisting.
No, they don't!
Here's an example.
The follwoing is from a "whitelist" file used by our mail gateway:
---8<---
Verified_Sender [EMAIL PROTECTED]
Ver
Marc Perkel wrote:
> I'm still waiting for anyone to describe any used for SPF
> that doesn't create false positives on normal email forwarding
> or allow spammers to whitelist themselves by using correct SPF
> to send spams.
Marc, this is very, very simple, and all these points have been raised
Marc,
I get the impression that you run a business that markets itself as
an anti-spam solution and it's based on forwarding email and that
business model is threatened by the growing adoption of SPF.
Now, I maybe I'm completely wrong but your incessant rants over this
leads me to think o
tt Kettler
Cc: users@spamassassin.apache.org
Subject: Re: SPF is hopelessly broken and must die!
Matt Kettler wrote:
Marc Perkel wrote:
>From openspf.org
http://old.openspf.org/aspen.html
Marc, this link is not describing SPF as an anti-spam technology. It's
describing how SPF can be c
>>> Marc Perkel <[EMAIL PROTECTED]> 12/14/06 09:06AM >>>
It's being kept alive artificially. They themselves knows that it's
broken because they are now running away for the spam solution label
that way Bush is running away from "mission acomplished". I say it's
time to pull the feeding tube an
Matt Kettler wrote:
Marc Perkel wrote:
From openspf.org
http://old.openspf.org/aspen.html
Marc, this link is not describing SPF as an anti-spam technology. It's
describing how SPF can be coupled with an accreditation service to
create an anti-spam technology.
It was marketed as a
> Why was this topic not started on the SPF list? Was the original
poster of
> this topic looking to get MORE attention on the SpamAssassin list?
I was wondering the same thing. This list was once useful for people
maintaining SA installations but now at least half the traffic is
useless.
Jef
Marc Perkel wrote:
> From openspf.org
>
> http://old.openspf.org/aspen.html
>
Marc, this link is not describing SPF as an anti-spam technology. It's
describing how SPF can be coupled with an accreditation service to
create an anti-spam technology.
Nobody's saying SPF has no use in anti-spam, it ha
Am Donnerstag, 14. Dezember 2006 03:53 schrieb Matt Kettler:
> > Yep - they are using "normal" email technology.
>
> No they're not. They're falsifying mail headers. Something last I
> checked was actually illegal in the united states under CAN-SPAM.
and a russian criminal sitting in litavia, usi
Marc Perkel wrote:
>
>
> Matt Kettler wrote:
>>
>> Mark, SPF isn't an anti-spam technology. Anyone who says it is, is an
>> imbecile. SPF is an anti-forgery technology. Those who continue to think
>> of SPF purely as a spam control technology are doomed to be disappointed
>> and/or endlessly make p
Marc Perkel wrote:
Daryl C. W. O'Shea wrote:
Marc Perkel wrote:
So - if you use it for whitelisting - how do you distinguish a good
sender using SPF and a spammer using SPF? Wouldn't you be
whitelisting spam?
A good sender is someone or an organization I know I want to receive
mail from.
Daryl C. W. O'Shea wrote:
Marc Perkel wrote:
I'm not the one who started this discussion. I did change the subject
line when the pro SPF lobby entered my other thread and moved it off
the topic I was talking about.
Right, I forgot. Your original topic was about securing consumer
networks
Marc Perkel wrote:
I'm not the one who started this discussion. I did change the subject
line when the pro SPF lobby entered my other thread and moved it off the
topic I was talking about.
Right, I forgot. Your original topic was about securing consumer
networks, something that is way off t
Daryl C. W. O'Shea wrote:
Marc Perkel wrote:
OK Daryl,
How do you deal with people forwarding email from another domain when
using SPF?
Marc, please stop for a moment and make sure you have a clear picture
of what you're trying to achieve by this debate which is really close
to turning i
Marc Perkel wrote:
OK Daryl,
How do you deal with people forwarding email from another domain when
using SPF?
Marc, please stop for a moment and make sure you have a clear picture of
what you're trying to achieve by this debate which is really close to
turning into a big flame war. If you
Marc Perkel wrote:
Second - tell it to everyone here who is suggesting that SPF is a spam
solution of some sort.
Oddly enough, the people who seem to be most adamant in stating that SPF
is a spam solution are those like yourself who consider it useless.
Those who find it useful seem to think
From: Marc Perkel [mailto:[EMAIL PROTECTED]
>
>
> OK Daryl,
>
> How do you deal with people forwarding email from another domain when
> using SPF?
Right. That's the big reason for using +all (or not using SPF at all).
Using +all means to me: "Look, I - the postmaster - I'm aware of SPF, but
OK Daryl,
How do you deal with people forwarding email from another domain when
using SPF?
Bookworm wrote:
I think I can say that even as a casual user of the list (I only take
care of about 10 smaller mail systems), I find the discussions more
useful than not. I would have little to no use for the direct SPF
mailing list - but in so far as it applies to anti-spam, I'm more than
Marc Perkel wrote:
> "SPF is not anti-spam in the same way that flour is not food: it is part of
> the solution."
>
> The solution - to what? SPAM!
"part of the solution", not "the solution". Big difference.
Controlling forgeries is just one step at taking one of the tools out of
the tool bag.
On 13-Dec-06, at 6:38 PM, Marc Perkel wrote:
From openspf.org
http://old.openspf.org/aspen.html
What's your point? Did you bother reading the article. It talks
about accreditation and reputation and only uses spam as an example.
You saw a couple of graphics that say spam and ham and now
Robert Blayzor wrote:
Marc Perkel wrote:
From openspf.org
http://old.openspf.org/aspen.html
Also from the SPF FAQ:
"Sender Policy Framework (SPF) is an attempt to control forged e-mail.
SPF is not directly about stopping spam – junk email. It is about giving
domain owners a way to
John Rudd wrote:
Spam Assassin wrote:
Why was this topic not started on the SPF list? Was the original
poster of
this topic looking to get MORE attention on the SpamAssassin list?
Whether you and the other amateur-topic-police* like it or not, the
subject is related to the more general subj
Marc Perkel wrote:
Justin Mason wrote:
Marc --
Please pay attention to what Matt wrote yesterday. Repeat: SPF is *NOT*
for catching spam. It works great at what we use it for in SpamAssassin
-- as an authentication mechanism, to detect legit ham and whitelist it.
This is what you use authe
Marc Perkel wrote:
> From openspf.org
>
> http://old.openspf.org/aspen.html
Also from the SPF FAQ:
"Sender Policy Framework (SPF) is an attempt to control forged e-mail.
SPF is not directly about stopping spam – junk email. It is about giving
domain owners a way to say which mail sources are le
Marc Perkel wrote:
Justin Mason wrote:
Marc Perkel writes:
[EMAIL PROTECTED] wrote:
Sounds good,
I found this an interesting read about why SPF is ineffective:
http://en.hakin9.org/products/articleInfo/102
Excellent article.
SPF catches no spam - but does create false positi
On 14 dec 2006, at 00.38, Marc Perkel wrote:
From openspf.org
http://old.openspf.org/aspen.html
This is a description of something that you could conceivably build
on top of SPF.
What is your point?
j o a r
From openspf.org
http://old.openspf.org/aspen.html
Justin Mason wrote:
Marc Perkel writes:
[EMAIL PROTECTED] wrote:
Sounds good,
I found this an interesting read about why SPF is ineffective:
http://en.hakin9.org/products/articleInfo/102
Excellent article.
SPF catches no spam - but does create false positives. It's less than
Marc Perkel wrote:
> SPF catches no spam - but does create false positives. It's less than
> useless. It's dangerous.
SPF's job is not to catch spam, period! No matter how many times you
claim it's supposed to "catch spam", you could never be more wrong.
It's sole purpose is to allow domain owne
Thomas Bolioli wrote:
You are speaking for me... This became a very relevant topic when the
spf tests were packaged with SA by default. As someone who is having a
major issue with spf, it is very important that those making these
decisions here about the issues that most are having with SPF. I
On 13 dec 2006, at 15.21, Marc Perkel wrote:
True - SPF his hopelessly broken and must die.
Not so. It does exactly what it sets out to do. That it allows you to
specify that messages for fraud.com can be sent from any IP-address,
doesn't change the fact that it's a very concrete advantag
John Rudd wrote:
Spam Assassin wrote:
Why was this topic not started on the SPF list? Was the original
poster of
this topic looking to get MORE attention on the SpamAssassin list?
Whether you and the other amateur-topic-police* like it or not, the
subject is related to the more general subj
Spam Assassin wrote:
Why was this topic not started on the SPF list? Was the original poster of
this topic looking to get MORE attention on the SpamAssassin list?
Whether you and the other amateur-topic-police* like it or not, the
subject is related to the more general subject matter of the l
Why was this topic not started on the SPF list? Was the original poster of
this topic looking to get MORE attention on the SpamAssassin list?
Gino Cerullo wrote:
On 13-Dec-06, at 12:53 PM, Marc Perkel wrote:
Yep - they are using "normal" email technology. That's supposed to
work. That's what SPF breaks. It also breaks email forwarding.
I prefer to say "email forwarding breaks SPF" but that's just semantics.
The truth of the matte
Justin Mason wrote:
SPF is *NOT*
for catching spam. It works great at what we use it for in SpamAssassin
-- as an authentication mechanism,
Just to pick nits:
SPF is not an authentication mechanism, it's an authorization mechanism.
It is VERY important to not confuse the two. (and, while
On 13-Dec-06, at 1:15 PM, Marc Perkel wrote:
[EMAIL PROTECTED] wrote:
Sounds good,
I found this an interesting read about why SPF is ineffective:
http://en.hakin9.org/products/articleInfo/102
Excellent article.
SPF catches no spam - but does create false positives. It's less
than useles
On 13-Dec-06, at 12:53 PM, Marc Perkel wrote:
Mark, SPF isn't an anti-spam technology. Anyone who says it is, is an
imbecile. SPF is an anti-forgery technology. Those who continue to
think
of SPF purely as a spam control technology are doomed to be
disappointed
and/or endlessly make posts l
Marc Perkel wrote:
SPF blocks no spam but
it does create false positives on legitimate email.
Well, so does any other method of trying to decide if a message is legit
or not. If I work for $company, and $company publishes a restrictive
SPF record, then (presuming the sysadmin is competent) a
What many of you fail to realize is that although SPF was originally
envisioned as an anti-spam tool, because it dealt with a major
characteristic of spam, address forgery, it is in fact a domain
verification tool.
With that in mind, it becomes irrelevant whether spammers publish SPF
poli
Marc Perkel writes:
> [EMAIL PROTECTED] wrote:
> > Sounds good,
> > I found this an interesting read about why SPF is ineffective:
> > http://en.hakin9.org/products/articleInfo/102
>
> Excellent article.
>
> SPF catches no spam - but does create false positives. It's less than
> useless. It's d
[EMAIL PROTECTED] wrote:
Sounds good,
I found this an interesting read about why SPF is ineffective:
http://en.hakin9.org/products/articleInfo/102
Excellent article.
SPF catches no spam - but does create false positives. It's less than
useless. It's dangerous.
Sounds good,
I found this an interesting read about why SPF is ineffective:
http://en.hakin9.org/products/articleInfo/102
Quoting Kelson <[EMAIL PROTECTED]>:
Resending this since I originally sent it from a misconfigured client
(forgot to enable SMTP-AUTH, but POP-before-SMTP let it through)
Matt Kettler wrote:
Marc Perkel wrote:
Agreed Phil
True - SPF his hopelessly broken and must die.
Repeat after me SPF breaks email forwarding. SRS breaks the ability to
do conditionals based on the true from address. SPF blocks no spam but
it does create false positives o
Resending this since I originally sent it from a misconfigured client
(forgot to enable SMTP-AUTH, but POP-before-SMTP let it through) and got
labeled as spam by my own server...
Repeat after me: SPF is not an anti-spam solution. It is an address
validation solution.
If a spammer puts 0.0.0
Marc
While you may be entitled to your opinion some people may read this list's
archives and think that your _opinion_ were actually fact.
Your statement is obviously based on a complete misunderstanding of SPF -
what it's even got to do with the SA users list is another matter ...
Regards
M
Marc Perkel wrote:
>
>>
> Agreed Phil
>
> True - SPF his hopelessly broken and must die.
>
> Repeat after me SPF breaks email forwarding. SRS breaks the ability to
> do conditionals based on the true from address. SPF blocks no spam but
> it does create false positives on legitimate email. It'
59 matches
Mail list logo
