Mailing List Archive

two sides of the coin
On Fri, Oct 22, 2004 at 11:49:14AM -0400, Jean-Marc Pigeon wrote:
| SPF is a tool to avoid E-mail forgery adding "?all"
| is just breaking down the detector... should we
| tag all received E-mail under the "?all" status
| as SPAM?

There are two sides of the coin.

On one side it helps sites prevent forgery. Suppose
NeverSendsMail.com publishes with "v=spf1 -all". That's an
easy way for people to immediately block all spam forged
from NeverSendsMail, or at least score it.

Not too far away from that example, large sites like eBay
and Amazon, who are worried about phishing, also benefit
from -all.

But -all has a problem: false positives due to forwarding.

The other side of the coin is whitelisting: SPF helps
receivers whitelist mail from trusted senders and skip
potentially error-prone content filtering.

Most sites will probably want to explore the benefits of
whitelisting before moving on to forgery prevention. AOL
for example is using SPF in that way first.

We hope to solve the forwarding problem by getting SRS code
out into MTAs over the next year, and improve confidence in
rejecting based on -all.

Until that happens, if you're concerned about phishing, you
have to consider the tradeoffs of using -all.

But using SPF for whitelisting is something you can do today
without any fear.
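
The trade-off described in this message, as an added example that is not part of the original post: a minimal SPF check showing that a pass can be whitelisted, that rejecting on `-all` also rejects legitimately forwarded mail, and that `?all` yields only a neutral result. It handles only `ip4:` and `all`; the domains, records, documentation-range addresses and the `receiver_action` policy are constructed for illustration.

```python
import ipaddress

# Constructed sample records (documentation IP ranges), not real published policies.
RECORDS = {
    "neversendsmail.example": "v=spf1 -all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate only ip4: and all mechanisms; return an SPF result string."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

def receiver_action(result, reject_on_fail):
    """Hypothetical receiver policy: whitelist on pass, optionally reject on fail."""
    if result == "pass":
        return "whitelist"                   # skip content filtering
    if result == "fail" and reject_on_fail:
        return "reject"
    return "content-filter"                  # neutral, softfail, none, or fail not enforced

def demo():
    forwarder = "198.51.100.7"  # constructed: forwarding host that keeps the original sender
    cases = [
        ("neversendsmail.example", "203.0.113.9"),  # forged mail from a non-sending domain
        ("strict.example", "192.0.2.25"),           # direct delivery from a listed host
        ("strict.example", forwarder),              # legitimate mail, forwarded: false positive
        ("soft.example", forwarder),                # same path under ?all
    ]
    return [(d, ip, check_spf(d, ip)) for d, ip in cases]

if __name__ == "__main__":
    for domain, ip, result in demo():
        print(domain, ip, result, receiver_action(result, reject_on_fail=True))
```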


