Marc Perkel wrote:
> Justin Mason wrote:
>> Marc --
>>
>> Please pay attention to what Matt wrote yesterday. Repeat: SPF is *NOT*
>> for catching spam. It works great at what we use it for in SpamAssassin
>> -- as an authentication mechanism, to detect legit ham and whitelist it.
>>
>> This is what you use authentication mechanisms for: similarly, DK, DKIM,
>> and many other proposed standards are for authentication, not for
>> reputation. It *does* work well for that, in our experience.
>>
>> If you want to rail against SPF as a bad anti-spam technology, perhaps a
>> personal blog would be a more appropriate venue?
>>
>> --j.
>
> Two things, Jason,
>
> First - I agree with you that SPF is totally useless at detecting spam.
> I would say it is also useless at detecting ham.

Marc, I'm not Justin, or Jason, but stop being ridiculous. If I've
decided (and thus configured my systems appropriately) that mail sent to
me from [EMAIL PROTECTED] is to be considered ham, SPF is extremely effective in
determining that mail sent from hosts in eBay's SPF records is ham and
not some forgery.

> Second - tell it to everyone here who is suggesting that SPF is a spam
> solution of some sort.

You've already told everyone that. There's no need to tell everyone
again. Perhaps those interested in furthering this debate would be
better off (and will likely find even more interested parties to debate
with) taking it to spf-discuss or spam-l.

As Justin said, those who completely grasp the workings of the SMTP and
the SPF long ago realized that its only solid use is as a *positive*
authorization mechanism. This is why we (and AOL and others)
implemented SPF-based whitelisting years ago. You'll also see that
other mail policy technologies such as DKIM also realize the utility of
positive authorization, but not negative authorization.

Any technology which can help you determine that a message was sent by a
host authorized by a domain allows for you to use reputation systems
(such as personal whitelists or much larger scale reputation systems) to
assess the probability of the message being ham/wanted. To claim
otherwise is asinine.

> SPF really has no useful function at all.

Many of us don't agree, but that doesn't affect you one bit. If you
don't like SPF, don't use it. If you don't like SRS envelope rewriting
of forwarded mail envelopes (something that around here is quite rare
anyway) then tell your users not to use SRS.

Daryl
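
The positive-authorization use argued for in this message, as an added example (not part of the thread and not SpamAssassin's code): a reduced SPF check handling only `ip4` and `all`, feeding a whitelist that is honored only on `pass`. The domains, records, addresses, function names and the bonus value are all constructed for illustration.

```python
import ipaddress

# Constructed data: published SPF records and one recipient's personal whitelist.
SPF_RECORDS = {
    "shop.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
    "bulk.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
WHITELIST = {"shop.example"}  # reputation: domains this recipient trusts

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip):
    """Evaluate a record using only the ip4 and all mechanisms."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIERS[qualifier]
        else:
            # a, mx, include, redirect= etc. are outside this sketch;
            # report an error so such a record can never whitelist.
            return "permerror"
    return "neutral"  # nothing matched and the record has no "all"


def score_adjustment(envelope_from, client_ip, whitelist_bonus=-100.0):
    """Return (spf_result, score delta). Only pass + whitelisted earns the bonus."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    result = spf_result(domain, client_ip)
    if result == "pass" and domain in WHITELIST:
        return result, whitelist_bonus  # authenticated AND trusted
    # pass from an unknown domain, fail, softfail, none: no whitelist benefit,
    # and in this sketch no penalty either (the result is not used to catch spam).
    return result, 0.0


if __name__ == "__main__":
    for sender, ip in [("billing@shop.example", "192.0.2.45"),
                       ("billing@shop.example", "203.0.113.9"),
                       ("news@bulk.example", "203.0.113.5")]:
        print(sender, ip, score_adjustment(sender, ip))
```

The third sample shows why authentication is not reputation: `bulk.example` passes SPF but earns nothing because the recipient never chose to trust it.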