On 13-Dec-06, at 1:15 PM, Marc Perkel wrote:

[EMAIL PROTECTED] wrote:
Sounds good,

I found this an interesting read about why SPF is ineffective:

http://en.hakin9.org/products/articleInfo/102


Excellent article.

SPF catches no spam - but does create false positives. It's less than useless. It's dangerous.

That article, at best, disseminates incomplete and outdated information and at worst, completely false statements.

"Why SPF is bad"

"SPF is supposed to protect against sender address forgery. It protects only the envelope sender address, not the From: header address. Mail User Agents such as Outlook Express display only the unprotected address. Therefore the users are still fooled and unprotected against joe-jobs, forgery, phishing and various scams."

SPF wasn't designed with MUAs in mind. It was designed for use at the MTA level to block email before DATA. What's the use of accepting the email only to have the MUA query DNS to determine if it passes SPF checks? To that end, there is nothing stopping the developers of MUAs from incorporating that functionality in the MUA and flagging messages based on SPF. The recipient does not need to see the 'envelope sender' address.

"SPF is supposed to protect against spam. A 2004 CipherTrust survey shows that more mail comes to SPF-protected servers from domains with SPF records, than from domains with no such records. Spammers have adopted SPF and are using it even more than legitimate sites to ensure spam delivery to mailbox."

Citing a study that is over two years old, published when the first stable draft of the SPF spec was only months old, is hardly evidence of a greater trend in regard to the deployment of the protocol. In my own actual experience, after running an SPF-aware mail server for a year, fewer than 1 in 100 000 emails have scored an SPF PASS and been spam.

"SPF breaks many Internet standards. It does not take into consideration pre-delivery forwarding (and a scheme called SRS adopted to counteract this is far from perfect). It is based on a vulnerable protocol (DNS), which makes it easy to spoof SPF records."

Email forwarding is not a standard, it is a feature; used by less than 0.01% of email users. As well, the resulting bounce email informs the sender of the address that is being forwarded to, so the sender merely has to resend the message. Yes, the Internet is built on a fragile infrastructure that does not take into account the realities we face today. So we adapt! That is what SPF is all about, adapting to the realities of today. Also, the DNS protocol is not as vulnerable as the author makes it out to be, otherwise the Internet wouldn't be usable at all.

Listen, I can go on and on about that article but you get the point. It goes on to propose inappropriate uses for SPF and then uses that to justify why the protocol is flawed. It proposes scenarios that have no basis in fact and uses those to try and prove the ineffectiveness of the protocol. Just because someone writes an article, one lacking any real evidence and citing an ancient study, doesn't make it true.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740

This email address is protected by SPF! Want to protect your domain's email from forgery? Visit openspf.org
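The two mechanisms argued over above, the MTA-level check of the envelope sender before DATA (with the From: header left unexamined) and the forwarding breakage that SRS rewriting is meant to repair, as an added example that is not part of the original thread: a minimal SPF evaluator in Python over a constructed DNS table. The domains, IPs and records are invented (RFC 5737 documentation ranges), the evaluator handles only the ip4, ip6, include and all mechanisms, and the SRS rewrite is a simplified SRS0 form that omits the hash and timestamp of the real scheme.

```python
import ipaddress

# Constructed DNS TXT records for the example (invented domains and IPs,
# documentation ranges from RFC 5737); these are not real records.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",
    # "bank.example" deliberately publishes no SPF record -> result "none"
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # keep include chains bounded, as the spec's DNS limits do


def lookup_spf(domain):
    """Return the SPF terms for a domain, or None if it publishes no v=spf1 record."""
    record = DNS_TXT.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return None
    return record.split()[1:]


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for connecting client `ip`.

    Subset of the SPF check_host() function: ip4, ip6, include and all
    mechanisms with the four qualifiers; no a, mx, ptr, exists or macros.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = lookup_spf(domain)
    if terms is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # ip_network handles both families; a v4 client never matches a v6 network
            matched = client in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include matches only on a "pass" of the referenced domain's record
            matched = check_host(ip, argument, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism in this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end of the record with no match


def mta_decision(client_ip, mail_from, header_from):
    """What an SPF-aware MTA does at MAIL FROM, before DATA.

    Only the envelope sender (RFC5321.MailFrom) is checked. `header_from` is
    accepted purely to show that it plays no part in the decision.
    """
    domain = mail_from.rpartition("@")[2]
    result = check_host(client_ip, domain)
    action = "reject" if result == "fail" else "accept"
    return action, result


def srs_rewrite(envelope_from, forwarder_domain):
    """Simplified SRS-style rewrite of the envelope sender at a forwarder.

    Real SRS0 addresses also carry a hash and a timestamp
    (SRS0=HHH=TT=domain=local@forwarder); both are omitted here.
    """
    local, _, domain = envelope_from.rpartition("@")
    return f"SRS0={domain}={local}@{forwarder_domain}"


def forwarding_scenario():
    """alice@example.com -> bob@forwarder.example -> bob's real mailbox.

    The final hop sees forwarder.example's IP with example.com's envelope
    sender, which example.com's record does not authorize, until the
    forwarder rewrites the envelope sender into its own domain.
    """
    forwarder_ip = "203.0.113.5"
    before = check_host(forwarder_ip, "example.com")
    rewritten = srs_rewrite("alice@example.com", "forwarder.example")
    after = check_host(forwarder_ip, rewritten.rpartition("@")[2])
    return before, rewritten, after


if __name__ == "__main__":
    # authorized host, legitimate envelope: accepted
    print(mta_decision("192.0.2.25", "alice@example.com", "alice@example.com"))
    # forged envelope from an unauthorized host: rejected before DATA
    print(mta_decision("203.0.113.99", "ceo@example.com", "ceo@example.com"))
    # authorized envelope, forged From: header: SPF alone cannot see it
    print(mta_decision("192.0.2.25", "bulk@example.com", "ceo@bank.example"))
    print(forwarding_scenario())
```

The third call in the main block is the point the quoted article makes and Gino concedes: the envelope sender passes, so the MTA accepts, and the forged From: header that the MUA displays is never consulted. The forwarding scenario shows why a forwarder that does not rewrite the envelope sender turns a legitimate message into an SPF fail at the next hop.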

