From: "Clarke Brunt" <[EMAIL PROTECTED]>

> jdow wrote:
> > Even more to the point SPF is NOT a reason to accept or reject mail.
> > All it does is verify the domain from which it originated. That is a
> > tool for SCORING spam not for outright elimination of messages that
> > have bad SPF records and accepting those that have good SPF records.
> > It is perfectly legitimate for a spammer to build his own SPF record
> > and get approved by such mal-configured tools. All the SPF record
> > does is give you confidence of the veracity of one hop in the chain.
>
> I agree that a 'pass' result from an SPF test does nothing to show that a
> message isn't spam (so I go on to use SpamAssassin on it), but it seems to
> me that a 'fail' result is a perfectly good reason to reject a message
> outright, which is what I do (without it even being passed to SpamAssassin).
>
> After all, a 'fail' result means that the owner of the domain from which the
> message purports to come has gone to some trouble to set up an SPF record
> saying "mail from my domain will only ever arrive at your mail server
> directly from the following list of servers..., please feel free to reject
> any which pretends to be from my domain but which comes from _other_
> servers". It's more than "one hop in the chain" - it's the _last_ hop, from
> _somewhere_ to my mail server, the one that I can be certain of without
> looking at headers, because I can _see_ what IP address is talking to my
> server.

We've just had one of the cases wherein a failed SPF record is no help
at all float by our eyes. Rejecting on one single criterion is generally
a bad idea. SPF in itself does not prove a whole lot due to the way ISPs
set themselves up. The chief thing SPF does is clutter up name server
traffic to prove something of little or no use when scoring spam.

Now, if we all had a nice government imposed encrypted stamp to place
on our email to validate it would even that prove squat?

(In the mobile user's case, however, he could help make his SPF more
meaningful and everyone else's if he tunneled email in through a
secure route even as relatively insecure as smtp auth on a port other
than 25. A ppp tunnel to his system'd work even better if slower.)

{^_^}
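An added illustration of the two positions above (not code from either poster): a minimal offline SPF evaluator for the record shape Clarke describes (`ip4:` mechanisms plus a catch-all `-all`/`~all`), and a scoring-style policy in which an SPF result adjusts a spam score rather than deciding acceptance on its own. The IP addresses and records are constructed sample values; `include`, `a`, `mx` and DNS lookups are deliberately left out.

```python
import ipaddress

# Added example: evaluates only ip4/ip6 and "all" mechanisms so it needs no DNS.
# Result names follow the usual SPF vocabulary: pass / fail / softfail / neutral / none.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Check the connecting IP (the last hop) against an SPF TXT record."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]  # catch-all: e.g. "-all" -> fail
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
        # other mechanisms (a, mx, include, ...) are unsupported here and skipped
    return "neutral"  # no mechanism matched and the record has no "all"


# Constructed sample: the domain lists only its own server; the "mobile user"
# in the thread sends through an ISP relay at a different address, so he fails.
DOMAIN_RECORD = "v=spf1 ip4:192.0.2.10 -all"
MOBILE_RELAY_IP = "198.51.100.7"


def policy(spf_result: str, spam_score: float, threshold: float = 5.0) -> str:
    """Scoring-style handling: SPF nudges the score; only the total decides.

    A 'pass' adds nothing, since anyone can publish a record for their own
    domain; a 'fail' counts against the message but does not reject by itself.
    """
    adjustments = {"pass": 0.0, "fail": 2.0, "softfail": 1.0, "neutral": 0.0, "none": 0.0}
    total = spam_score + adjustments.get(spf_result, 0.0)
    return "reject" if total >= threshold else "accept"


if __name__ == "__main__":
    result = evaluate_spf(DOMAIN_RECORD, MOBILE_RELAY_IP)
    print(result, policy(result, spam_score=2.0))  # fail accept
```

Swapping `policy` for "reject whenever the result is fail" reproduces Clarke's approach; the mobile-relay sample shows the kind of legitimate mail that choice would bounce.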