
Re: @debian.org email forwarding and SPF



On Fri, Jul 02, 2004 at 10:17:29AM +0200, Wouter Verhelst wrote:
> On Thu 01-07-2004, at 20:19, Matthew Palmer wrote:
> > throwing his shit out through open proxies and zombies.  So unless you're
> > going to refuse all mail that doesn't verify OK with SPF, you're not going
> > to stop any spam at all.
> 
> At the moment, that indeed isn't possible. However, if SPF use would
> continue to increase, we would eventually get at a point where such
> behaviour would be acceptable. Once we reach that point, SPF could help
> stop spam (but that's indeed a long shot from now).

No it couldn't.  Spammers already use throwaway domains with expected
lifespans measured in days or even hours.  Adding the requirement for a
spammer to publish SPF records is not even a challenge.

Do you think, for instance, that debian.org would *ever* reject e-mail from
domains that didn't publish SPF records?[1]  There's too much outcry against
suggestions to use a responsibly-run DNSBL -- do you think we're ever going
to be able to deploy what amounts to a whitelist of "known-good" SMTP
servers?  Especially given the fact the SPF records are trivial to implement
for a spammer domain?

The situation is similar for companies -- in a lot of cases, they will not
consent to losing potentially valuable e-mail purely because the sender
doesn't meet some technical requirement.  As much as we want everyone to
play the game properly, there is far too much breakage out there, and you
are often in the position of needing to communicate with someone for your
benefit, RFC compliance be damned.  You're going to need to be able to
demonstrate probably less than 1 in 10,000 false positives in order to be
able to deploy it at most companies.

> For the time being, it's fair to say that SPF helps "protect your
> digital identity", whatever that means -- even if I've already seen some
> spam that invalidly sent mail from a domain which did publish SPF
> data...

There are lots of things that might stop some spam -- rejecting based on
lack of RDNS, mismatched RDNS, and what have you.  I wouldn't really call
them anti-spam measures.  Same with SPF -- it's not an anti-spam measure. 
It loses a lot of credibility when the creator of the standard refers to SPF
as such.

- Matt
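
The following is an added example, not part of the original message or of any SPF implementation: it evaluates a subset of SPF (only the `ip4`, `ip6` and `all` mechanisms) to show what a receiver learns in the cases the thread discusses. The domains, addresses, records and the `receiver_decision` helper are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the original message): domain -> published SPF TXT record.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",       # established domain, strict policy
    "throwaway.example": "v=spf1 ip4:203.0.113.7 -all",  # short-lived domain with its own record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain):
    """Evaluate a subset of SPF: ip4, ip6 and all mechanisms with qualifiers."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside the subset handled here
    return "neutral"

def receiver_decision(client_ip, mail_from_domain, reject_on_none=False):
    """Hypothetical receiver policy: reject on fail, optionally also on 'none'."""
    result = check_spf(client_ip, mail_from_domain)
    if result == "fail" or (result == "none" and reject_on_none):
        return result, "reject"
    return result, "accept"

if __name__ == "__main__":
    cases = [("198.51.100.9", "example.org"),       # forged sender, unauthorised host
             ("203.0.113.7", "throwaway.example"),  # sender authorised by its own record
             ("198.51.100.9", "legacy.example")]    # domain with no SPF record
    for ip, dom in cases:
        print(ip, dom, receiver_decision(ip, dom), receiver_decision(ip, dom, True))
```

A `pass` only says the connecting host is authorised by whoever controls the domain's DNS; it carries no information about the domain's reputation, so it is an input to forgery detection rather than a spam verdict.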


