What many of you fail to realize is that although SPF was originally envisioned as an anti-spam tool, because it dealt with a major characteristic of spam, address forgery, it is in fact a domain verification tool.

With that in mind, it becomes irrelevant whether spammers publish SPF policies or not; or if they do, that it covers the entire range of IP addresses on the planet.

Why?

Because, if every *legitimate* domain owner published an SPF policy for their domain and every mail server was SPF aware, it becomes trivial to identify the bad domains and they become that much easier to deal with.

By publishing an SPF policy for your domain you prevent your domain from being abused.

Of course this requires the co-operation of everyone and we're not there yet. Every legitimate domain does not have an SPF policy and every mail server is not SPF aware but we're getting there.

Now some of you bring up the case of DDOS attacks caused by backscatter. Listen, there is no profit in DDOS attacks. Spammers don't make money by taking down mail servers and those interested in using DDOS attacks to disrupt networks already have enough tools at their disposal, one more isn't going to make much of a difference in the grand scheme of things. Spammers only make money if they sell something.

For those of you who keep harping on the "SPF breaks forwarding" issue (Marc). When I say "SPF aware mail servers," I mean mail servers that support SRS so that becomes a non-issue. But, let's look at the present situation we are faced with even today where most mail servers don't support SRS. Even when you send an email to someone who has forwarded their email and it is later bounced, you're made aware of the email address that the original is being forwarded to so you can just resend the message to the other address. Since this probably affects about 0.01% of all email, I've only ever experienced it once myself, it's only a minute annoyance.

From a SpamAssassin point of view, SPF is very effective at assisting in what SpamAssassin is designed to do: evaluate email based on the characteristics of the contents of its header as well as the contents of its body. In the case of the header, SPF is very effective at contributing to the score as well as for whitelisting purposes.

For the record, in the one year that my email server has been SPF aware I've only ever seen one (1) junk email with an SPF PASS. That is about 0.001% of the total email that has been sent to my server. On the other hand, about 10% of legitimate email sent to my server are verified with an SPF PASS (and it's growing all the time) and I've never had a false positive, no legitimate email has been blocked as a result of SPF.


Marc, if you really have legitimate concerns about SPF, why don't you take them to the SPF Discuss mailing list where they belong. If they are in fact legitimate, then that's the place to discuss them.

To subscribe to the list send an email to subscribe-spf- [EMAIL PROTECTED]


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740

This email address protected by SPF! Want to protect your domain's email from forgery? Visit openspf.org
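The message above mentions domains whose SPF policy covers the entire range of IP addresses. As an added example (not part of the original post), this Python sketch audits an SPF record string for that condition; the function name `audit_spf`, the 1% threshold and the sample records are assumptions made for illustration, and `include`, `a` and `mx` mechanisms are not resolved because that needs DNS.

```python
import ipaddress

QUALIFIERS = "+-~?"          # pass, fail, softfail, neutral
IPV4_SPACE = 2 ** 32


def audit_spf(record, max_fraction=0.01):
    """Classify an SPF TXT record as 'ok', 'permissive' or 'invalid'.

    A record is 'permissive' when a passing 'all' matches every sender or
    when its passing ip4 ranges cover more than max_fraction of IPv4 space
    (threshold is an assumption chosen for this example).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("invalid", "not an SPF version 1 record")
    networks = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            if qualifier == "+":
                return ("permissive", "passing 'all' authorises every sender")
            break                            # terms after 'all' never match
        if name == "ip4" and qualifier == "+":
            try:
                networks.append(ipaddress.IPv4Network(arg, strict=False))
            except ValueError:
                return ("invalid", "bad ip4 network: " + repr(arg))
    # Merge overlapping or adjacent ranges before counting addresses.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))
    fraction = covered / IPV4_SPACE
    if fraction > max_fraction:
        return ("permissive", "ip4 ranges cover {:.1%} of IPv4".format(fraction))
    return ("ok", "ip4 ranges cover {} addresses".format(covered))


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    for sample in ("v=spf1 ip4:192.0.2.0/24 -all",
                   "v=spf1 ip4:0.0.0.0/1 ip4:128.0.0.0/1 -all",
                   "v=spf1 +all"):
        print(sample, "->", audit_spf(sample))
```

A receiver could treat an SPF PASS from a domain that audits as `permissive` as carrying no weight, so such a policy gains the sender nothing.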
