
Re: @debian.org email forwarding and SPF



On Thu, Jul 01, 2004 at 10:13:46AM -0400, John Belmonte wrote:
> Marco d'Itri wrote:
> >On May 17, Julian Mehnle <bulk@mehnle.net> wrote:
> >
> >>Marco d'Itri wrote:
> >>
> >>>Does SPF use increase? 
> >>
> >>Yes, it does.  See:
> >>http://spf.pobox.com/takeup.png
> >
> >No, it does not. This is the list of hosts publishing SPF records.
> >The relevant number is the list of hosts refusing mail because of SPF
> >records.
> 
> "according to some estimates, the number of sites checking SPF doubles 
> every three weeks" (http://www.circleid.com/article/634_0_1_0_C/)

That would be from the "pull it out of your arse" school of statistics. 
Credible.

I'm estimating that SPF is a joke.  "According to some estimates, SPF is a
joke."  It has about the same level of authority.

Actually, I'm quite glad you posted that article -- it summed up for me
exactly why SPF is such a useless scheme.  It relies on trusting things
which are all controlled by the sender.  Return-Path:, From:, HELO, Sender:,
Resent-From:, MAIL FROM:, and the rest, are all spoofable to be from a
throwaway domain that doesn't publish SPF records, so spammy can keep
throwing his shit out through open proxies and zombies.  So unless you're
going to refuse all mail that doesn't verify OK with SPF, you're not going
to stop any spam at all.  And nobody is going to toss mail without SPF's OK
on it -- that's effectively a whitelist of SMTP servers.  Since far too many
people get far too shitty about blacklists, I can't see a whitelist as being
any more palatable, seeing as it's a hell of a lot more restrictive.

Oh, and before anyone gets started with "SPF isn't about anti-spam",
according to the bloke who kicked it off, it is.

Hey, turns out my estimate was accurate.  Cool.

- Matt
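
An added example, not part of the original message: a small Python evaluator for a subset of SPF (only the `ip4` and `all` mechanisms) run over constructed sessions. It shows the case the message describes, where mail sent under a domain with no SPF record gets the result `none`, the same result as an honest domain that has not published one. The domains, addresses, record table and the two receiver policies are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the SPF TXT records a receiver's resolver would see.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # "throwaway.example" and "smallco.example" publish no SPF record.
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed SMTP sessions: (label, connecting IP, MAIL FROM domain).
SESSIONS = [
    ("real bank mail", "192.0.2.10", "bank.example"),
    ("forged bank.example", "203.0.113.7", "bank.example"),
    ("throwaway domain", "203.0.113.7", "throwaway.example"),
    ("honest, no record", "198.51.100.9", "smallco.example"),
]

def check_host(client_ip, domain, records=SPF_RECORDS):
    """Evaluate a subset of SPF: ip4 and all mechanisms only."""
    record = records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def decide(result, policy):
    """Hypothetical receiver policies: refuse only 'fail', or refuse all but 'pass'."""
    if policy == "reject_fail":
        return "reject" if result == "fail" else "accept"
    if policy == "require_pass":
        return "accept" if result == "pass" else "reject"
    raise ValueError(f"unknown policy: {policy}")

def run(policy, sessions=SESSIONS):
    """Return {label: (spf_result, decision)} for every session."""
    out = {}
    for label, ip, domain in sessions:
        result = check_host(ip, domain)
        out[label] = (result, decide(result, policy))
    return out

if __name__ == "__main__":
    for policy in ("reject_fail", "require_pass"):
        for label, (result, decision) in run(policy).items():
            print(f"{policy:13} {label:20} spf={result:5} -> {decision}")
```

Under `reject_fail` only the forged `bank.example` session is refused; under `require_pass` both `none` sessions are refused as well, including the honest domain without a record.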


