On Mon, Feb 23, 2004 at 02:51:18PM +0000, Brian Candler wrote:
|
| The spammer will configure his DNS and SPF to look like a legitimate mail
| user. He will send mail from IP address X; his domain's SPF records will say
| "mail can come from IP address X". If people use callouts, he will have an
| MX record for his domain, which points at his own mailserver which accepts
| (and discards) any mail sent there. Or more likely, he will still forge
| addresses of <randomuser@theisp.net> where 'theisp.net' is a domain owned by
| the ISP the spammer is connected through, and therefore follows their SPF
| policy. Poor old randomuser will receive his joe-job bounces.
|
The intra-domain forgery scenario can be solved by ISPs requiring SMTP
AUTH.

http://archives.listbox.com/spf-discuss@v2.listbox.com/200401/1505.html

I don't care if poor old randomuser gets the bounces, as long as I
don't. If randomuser gets harmed by those bounces, he is free to sue
his ISP for negligence in not requiring AUTH. Market forces apply.

| Neither SPF, nor callouts, will reduce the amount of spam you get. They
| might for a very short time, until the spammers catch up. I don't buy into
| this arms race, as it cannot be won.

I encourage all spammers to publish SPF records, and to mail through
their ISP smarthosts, because that gives the good guys more points of
control.

SPF alone will not reduce the amount of spam you get. SPF is not an
FUSSP; it is a way for me to not get joe-jobbed, and to help keep other
people from getting joe-jobbed.

If you want to reduce spam, you have to involve a reputation system.

http://archives.listbox.com/spf-discuss@v2.listbox.com/200311/0118.html

Since Aspen we have been working under a framework that is, roughly,

  On the sender side
    authentication
    accreditation
  On the receiver side
    reputation
    enforcement

SPF helps with the first half. Receivers use that to do the second half.
Once there is accountability, and traceability, then enforcement methods
become stronger.
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-discuss@v2.listbox.com
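
An added example, not part of the original message: a minimal receiver-side check that applies the authentication/reputation split described above, with SPF evaluated first and reputation looked up only for a domain that authenticated. The domains, IP addresses, reputation table and decision strings are constructed for illustration, and only the ip4 and all SPF mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data (not from the original post): published SPF records
# and a receiver-local reputation table keyed by authenticated domain.
SPF_RECORDS = {
    "theisp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "spammer.example": "v=spf1 ip4:203.0.113.7 -all",
    "victim.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
REPUTATION = {"theisp.example": "good", "spammer.example": "bad"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate only the ip4 and all mechanisms of an SPF record."""
    record = SPF_RECORDS.get(domain, "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def receiver_decision(mail_from, client_ip):
    """Authentication first (SPF), then reputation of the authenticated domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = spf_check(domain, client_ip)
    if result == "fail":
        # Rejected during the SMTP session, so no bounce reaches the forged address.
        return "reject: SPF fail"
    if result == "pass":
        reputation = REPUTATION.get(domain, "unknown")
        if reputation == "bad":
            return "reject: bad reputation"
        if reputation == "good":
            return "accept"
    # No usable authentication or no reputation data: SPF settles nothing here.
    return "content-filter"
```

Calling receiver_decision("randomuser@theisp.example", "192.0.2.99") returns "accept": a sender inside the ISP's own address range passes SPF for any local address, which is the intra-domain case the message leaves to SMTP AUTH at the ISP.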