North American Network Operators Group


Re: Spammers Skirt IP Authentication Attempts

  • From: Paul Jakma
  • Date: Wed Sep 08 00:44:13 2004


On Tue, 7 Sep 2004, Paul Vixie wrote:


i don't agree. i think it's overengineered and that a simpler solution like the one at <http://sa.vix.com/~vixie/mailfrom.txt>

oh, hear hear.


Then there's Sender-ID. Bulky XML in DNS, sigh.

should have been deployed years ago, but i don't think SPF, or things like SPF, are at all worthless.

every time someone forges one of my domains or e-mail addresses as a spam source, i get all kinds of bot-mail telling me that what the spammer tried to do didn't work. quite a lot of challenge/response nonsense. quite a few majordomo/etc listbot error messages. a whole pile of [email protected] errors.

True, but bounces, and anything else with NULL return path, can be taken care of with SRS.


Bogus bounces are probably the most annoying non-spam email problem, and we do not need SPF to kill those. Hence, given a better solution to the only pressing problem we know SPF can solve, SPF is worthless.

For the other problems, well, SPF just isn't going to solve them. So SPF will tell you that client.acme.net is indeed allowed to send mail from foobar.com, but that describes only trust between foobar.com->client.acme.net. I am no wiser at all as to whether foobar.com is worthy enough to send me email. And given that there are *millions* of domains, and they can be registered by anyone within minutes, I'm unlikely *ever* to be able to make any use of the knowledge that foobar.com allows client.acme.net to send mail on their behalf to discriminate between genuine and spam email. (other than whitelisting clients i trust - but i don't need SPF for that).

Indeed, you've been saying this for years. ;)

(which is largely how i've come to my own opinion ;) )

if all mailbots learned to speak something like SPF, and my domains all advertise the nec'y metadata to enable something like SPF, then i would find it far easier to filter the remaining drivel in my inbox, which would just be spam and e-mail (listed in order by volume) -- no more mailbot responses to messages i never sent.

See:


	http://www.libsrs2.org/
	http://www.libsrs2.org/srs/srs.pdf
	http://asarian-host.net/srs/sendmailsrs.htm

And be happy, and realise "SPF is worthless" ;)

the economic benefit that will actually cause something like SPF to come into wide use is different yet again -- it's not to make it easier to filter the remainder, and it's not to stop spam. it's to protect trademarks owned by large e-mail providers ("@hotmail.com" being one, "@yahoo.com" being another) from dilution.

Ah, ok. Yes, I've read you making the above argument before and, aye, it's a very fair point. But, is it enough of a reason? It seems like a fallback reason, for use when other answers to "what actual real problems does SPF solve?" are not forthcoming.


Is it really worth it for every domain owner on the planet (including spammers!) to implement SPF records in DNS, and the resulting forwarding breakage, simply to provide some fairly intangible "dilution protection" for, primarily, the very small subset of widely-known domains out there?

It would prevent joe-jobs, yes. But how bothersome are those, given that the bounces can be dealt with with the far less intrusive SRS?

everything that happens on the internet these days happens for economics-related reasons. i'm glad that companies bigger and richer than i am find it in their own selfish best interests to push something like SPF -- that means it'll happen. that my own reasons differ from theirs is immaterial. that they have to mismarket it as a spamstopper to get corporate and investor support for it is also immaterial. the fact is, it's coming -- and

Well that depends. At the moment it looks like the clients will implement a standard that most of the servers will not!


Also, I doubt I'll be implementing SPF myself. Indeed, to implement SPF I would have to list the MTAs of at least several Irish ISPs, and probably more, as I have users who only receive email via my systems, but don't send it via systems.

yes yes, MSA.. but I don't even know most of these people except as usernames in a password file, they're mostly non-technical, and I don't intend to track them down one by one and go visit them to reconfigure their MUAs for them. And even if i did, no doubt they also have /other/ email addresses, eg one from their ISP, and many popular, particularly older versions of, MUAs have problems with allowing one to configure SMTP/MSA according to From address, sigh.

it's useful, just not for the advertised reasons, or a universal reason.

Ah, absolutely yes.


regards,
--
Paul Jakma	[email protected]	[email protected]	Key ID: 64A2FF6A
Fortune:
It does not matter if you fall down as long as you pick up something
from the floor while you get up.
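
Added illustration, not part of the original message and not libsrs2's code: a simplified sketch of the SRS-style signed return path the message refers to, showing how a receiving MTA can tell a bounce that answers mail it really sent from a bounce to a forged or stale address. The field order follows the SRS0 convention (SRS0=hash=timestamp=domain=local); the secret, the validity window, the hex-truncated HMAC and every address are assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"    # assumption: per-site secret key
MAX_AGE_DAYS = 21                      # assumption: how long a signed address stays valid
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DAY = 86400

def _stamp(now):
    """Two base32 characters encoding the day number modulo 1024."""
    d = int(now // DAY) % 1024
    return B32[d >> 5] + B32[d & 31]

def _mac(stamp, domain, local):
    """Truncated HMAC over the case-folded fields (simplified, not libsrs2-compatible)."""
    msg = "\0".join((stamp, domain, local)).lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:8]

def sign(sender, forwarder, now=None):
    """Rewrite local@domain to SRS0=mac=stamp=domain=local@forwarder."""
    now = time.time() if now is None else now
    local, domain = sender.rsplit("@", 1)
    stamp = _stamp(now)
    return f"SRS0={_mac(stamp, domain, local)}={stamp}={domain}={local}@{forwarder}"

def check_bounce(rcpt, now=None):
    """Return the original sender if rcpt is a valid, unexpired signed address, else None."""
    now = time.time() if now is None else now
    fields = rcpt.rsplit("@", 1)[0].split("=", 4)
    if len(fields) != 5 or fields[0].upper() != "SRS0":
        return None                    # bounce to an address we never signed
    _, mac, stamp, domain, local = fields
    stamp = stamp.upper()
    if len(stamp) != 2 or any(c not in B32 for c in stamp):
        return None
    if not hmac.compare_digest(mac.lower().encode(), _mac(stamp, domain, local).encode()):
        return None                    # forged or altered return path
    then = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    age = (int(now // DAY) - then) % 1024   # day counter wraps every 1024 days
    return f"{local}@{domain}" if age <= MAX_AGE_DAYS else None
```

A message arriving with a null return path would be accepted only when `check_bounce` on its recipient returns an address.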