Re: SPF anyone?

Wed, 07 Jan 2004 14:36:34 -0800 

Jim Ramsay <[EMAIL PROTECTED]> writes:

> I've just started looking into SPF (http://spf.pobox.com), and I
> think it looks like a great addition to TMDA - specifically because
> widespread usage will quash the number one argument against C/R:
> "But you're spamming people whose addresses have been forged by
> spammers".

Thanks for the reference to SPF.  When people have ranted and raved
about how C/R will crumble because of forgeries and joe-jobs, I've
always said that that's an MTA-level problem, and one that is easily
solved given sufficient interest/need.  It's nice to see this is
coming to fruition.

> I propose to start using it like this:
>
> If SPF "pass"es a message, I'll assume that it's either from an easily
> blacklistable domain which I will blacklist and stop, or it's from a
> real person.
>
> If SPF "fails" a message, I'll assume the envelope is forged and drop it.
>
> If SPF doesn't know (returns "Unknown") I'll challenge it as usual.
>
> This can be actively checked using a python package (spf.py)

I'm not totally opposed to supporting this in some fashion, but
clearly it's intended to be implemented in the MTA.  You need to know
the connecting IP address of the SMTP client in order to do an SPF
query.  How would TMDA get that information?

> or better yet, just be reading the Received-SPF header on a server
> whose MTA implements SPF.

This won't be as useful for spam blocking because spam won't contain
a Received-SPF header.  It's probably only useful for "whitelisting"
messages relayed by an SPF-aware SMTP receiver ("pass").

> I'll just check for that header in my incoming filter for now, as
> soon as I get this going, but it may be nice to make it easier for
> users to do this, or at least put up a FAQ once I've got the bugs
> out.

At the very least, a "Tips & Tricks" entry in the FAQ would be good,
similar to the one I wrote for Habeas SWE.  Also when (if) SPF becomes
more widely adopted, a pointer to SPF in the FAQ discussing the
problem with C/R and joe-jobs.
_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers

Reply via email to