
Re: @debian.org email forwarding and SPF

>>>>> "Adam" == Adam D Barratt <highvol-debian-devel@adam-barratt.org.uk> writes:

    Adam> It's not stopping the mail because it's spam - it's stopping the
    Adam> mail because the sender address is provably false. What happens
    Adam> when the virus starts sending mail claiming to be from
    Adam> <validuser>@debian.org? It sails straight through the SPF check...

That's not the case.  If the spam is not really sent from a computer that
the SPF record of debian.org approves, no matter whether the user-id is
valid, the mail will not be delivered successfully.  This is the whole idea,
and most discomforts also stem from that single idea.  Of course, it is a
different matter if an approved computer of @debian.org gets 0wn3d and the
spammer sends from there.

    Adam> ("SPF stops spam" is a roughly equivalent argument to "blocking
    Adam> executables stops viruses" - it's both inaccurate and confusing
    Adam> cause and effect).

I think if all viruses are executables, then the statement "blocking
executables stops viruses" is a correct statement; and if "most" viruses are
executable, the statement is not too wrong either.  "SPF stops spam" is a bit
further from the truth, since SPF alone really cannot stop spam.  Instead, it
makes sure that mails are authenticated for those organizations that
publish a stringent SPF record.  Of course, spammers can be authenticated,
too.  But then, other techniques like blacklisting can be much more
effective if mails are authenticated.  And this also can't deal with the
case when spammers use sites that have no SPF records.  But at least,
(1) we can hope that most important sites do have SPF records, so that
we can white-list rather than black-list those sites; and (2) the sites
with SPF records are guaranteed that they will not be joe-jobbed, which is a
good effect alone, and which gives some incentive for the organization to
actually implement SPF.

Again, whether this is a good enough bargain for the discomfort brought by
SPF is something to be carefully examined, and depends very much on how
convenient the tools (e.g., for correct list management with SPF and for
sending authenticated mails from remote sites) actually are.
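As an added illustration of the check the thread is arguing about (this code is not from the mail above or from any Debian infrastructure), here is a minimal SPF evaluator run against constructed records. The domains, addresses and records are made up; DNS is replaced by a dict so it runs offline, and only the ip4/ip6, include and all mechanisms are handled.

```python
"""Minimal SPF evaluation against constructed records (added example).

Shows why a mail claiming <validuser>@domain still fails when the connecting
host is not listed by the domain's record, and why an unlisted forwarding
host fails as well. Records live in a dict instead of DNS (constructed).
"""
import ipaddress

# Constructed stand-ins for the SPF TXT records DNS would return.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "nospf.example": None,  # this domain publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, records=SPF_RECORDS, depth=0):
    """Return the SPF result for a host at client_ip claiming sender_domain.

    The sender's local part is irrelevant: only the connecting IP and the
    domain's published mechanisms decide the outcome.
    """
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no record: SPF gives no verdict either way
    if depth > 10:  # RFC 7208 limits include: recursion
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_spf(client_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism this demo does not implement
    return "neutral"  # record exhausted without an all mechanism


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.org"),    # approved host
                    ("203.0.113.7", "example.org"),   # forwarder/spammer
                    ("203.0.113.7", "nospf.example")]:  # no record
        print(f"{ip} claiming {dom}: {check_spf(ip, dom)}")
```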

