On Fri, Feb 20, 2004 at 02:20:16PM -0600, Seth Goodman wrote:
> > [Brian Candler]
> > Well, I don't really care about that, see above.
>
> I care about that. Forged addresses are an excellent spam detector

Today maybe, but not for long if SPF is widely implemented.

> While SPF does not prevent spamming, it forces spammers
> to do so with their addresses exposed, which makes tracking and blacklisting
> more effective. Just as this will put ISPs' feet to the fire with regard to
> risking their outgoing mail connectivity if they don't act aggressively, it
> also puts registrars' feet to the fire in terms of who they register a domain
> for.

Not really. What about if the spammer has connectivity through "fooisp.net"?
She can send out mail with anything@fooisp.net as the return address. She
doesn't even have to use one of her own domains. All you have learned is
that they sent via fooisp.net, which is *exactly* the same information as
you would get by looking at their IP address. An IP blacklist approach will
continue to work if you want to hurt fooisp for harbouring spammers, and SPF
has gained you exactly nothing.

> > And unless SPF is implemented 100%, we will still have to deal with
> > the fallout from joe jobs.
>
> Not necessarily. You can choose how to deal with SPF softfail or SPF
> unknown yourself. At any point, you can decide to reject anything that does
> not give an explicit SPF pass. Your mailer, your rules.

Sure - you can have a policy which says "if you choose not to implement SPF,
then I choose not to talk to you". But to be useful, you are assuming that
SPF becomes the de-facto norm / best practice. I would argue that since SPF
adds complexity and breaks legitimate users for a small or negligible
long-term benefit, I think it's far from certain that the whole world will
share your view.

Of course, I risk my life by stating such views on a list composed of people
who are almost by definition pro-SPF :-)

> Assuming that you
> do the rejections before DATA, the senders will receive DSN's and will know
> exactly what happened. If they absolutely can't get SPF implemented on
> their domain, you can always whitelist them.

Yes that's true, as with any other aggressive policy which restricts your
E-mail connectivity.

Personally, I like E-mail to just work, and I have not joined in the
anti-spam arms race except for IP-based blacklists. More importantly for me,
even simple whitelists do not scale well to the ISP environment (notice that
pobox.com don't let users manage their own whitelists, for exactly this
reason).

Regards,
Brian.
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
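
Added example, not part of the original message: a minimal receiver-side SPF check showing the two points argued above, that any local part at fooisp.net passes when sent from fooisp.net's address space, and that handling of softfail or a missing record is a local policy choice made at MAIL FROM time. The SPF records, IP ranges, the other domain names and both function names are constructed for illustration; only `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption).
SPF_RECORDS = {
    "fooisp.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, mail_from):
    """Evaluate ip4/all mechanisms only; other mechanisms are skipped."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def mail_from_action(client_ip, mail_from, strict=False, whitelist=()):
    """Decide at MAIL FROM, before DATA, so the sending side sees the rejection.

    strict=True rejects everything without an explicit pass; whitelisted
    domains are accepted regardless of their SPF result.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = spf_result(client_ip, mail_from)
    if domain in whitelist or result == "pass":
        return result, "accept"
    if result == "fail" or strict:
        return result, "reject"
    return result, "accept"  # lenient: softfail, neutral and none get through
```

A pass here is tied to the domain's authorised address range, not to the local part, so the result for fooisp.net identifies the same party the connecting IP already does.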