
Re: SPF (was: Re: Bug#257644: ITP: libspf2 -- Sender Policy Framework library, written in C)



>>>>> "Adrian" == Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch> writes:

    Adrian> SPF does nothing (almost) against spam. It can be used to
    Adrian> fight certain forgery issues (where it would IMHO be
    Adrian> better to just use PGP or S/MIME anyway)

Unluckily, PGP and S/MIME are very hard to do on the mass.  It is much
easier to ask people to use an MSA for sending mail than to ask people
to use a signature.  And there is nothing which prevents you from doing
both.  I've tried for 4 years, before Gnus's version stopped
supporting mailcrypt.  Basically, nobody cares to verify my signature.
And then, how will the others treat your mail if it lacks a signature?
As far as I can see, nobody even comes close to caring.

    Adrian> The only thing it can do is specify which IPs are allowed
    Adrian> to send email with a certain domain part. And AFAICT it
    Adrian> does this only for envelope addresses, anyway, and not for
    Adrian> mail headers, so phishing attacks will still be possible
    Adrian> (who looks at envelope addresses?).

Yes.  It is to support forwarding.  At least it gives you a
trustworthy return address whenever you have something that you find
untrustworthy.

    Adrian> OTOH it *may* make sense for certain companies, they can
    Adrian> say that their email is only to be sent over their
    Adrian> network. But I am not clear what the benefit for those
    Adrian> companies is.

If you're using Linux and still receive mails from other organizations
telling you that your E-mail addresses are originating spam or viruses,
you can---by publishing your SPF record---tell others to ignore those
mails because they can, according to the usage pattern of your
organization, clearly be identified as not originating from your
organization.  You can then hope that others---by honoring those
records---stop processing those mails, helping them to prevent anything
wrong which is done by those mails, and at the same time helping
yourselves by not having to process and throw away those
bounces---either manually or automatically.

    Adrian> But it will really get used to force users of free
    Adrian> web-email to use the web mail interface to send email
    Adrian> *only* (so the banner ads can be seen...)

When reading the web mails, you must read those little banner ads,
unless the site allows you POP access, or you have somebody taking
the trouble to access the web to get your mail, filter out the banner
ads, and save it in your local mail spool.  It just says the same can
also happen to sending: you must read those little banner ads, unless
the site allows you MSA access, or you have somebody taking the
trouble to access the web to send your mail, ignoring those little
banners.  So it is really nothing new.

    Adrian> And it breaks '.forward' style forwarding.

(a) have your MTA support SRS, or (b) have your MTA process the SPF
and turn off SPF processing in your local computer.

Regards,
Isaac.
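
An added example, not part of the original message or of libspf2: a reduced SPF check (only `ip4` and `all` mechanisms) showing that the check keys on the envelope sender, that unchanged `.forward` relaying fails it, and that an SRS-style envelope rewrite passes. The domains, IP addresses, secret, timestamp and the simplified `srs_rewrite` helper are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed SPF policies (documentation-range IPs); stands in for DNS TXT lookups.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",        # original sender's domain
    "forwarder.example": "v=spf1 ip4:198.51.100.7 -all",  # host doing the .forward
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, envelope_from):
    """Evaluate ip4 and 'all' for the envelope sender's domain; headers are never seen."""
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULTS[qualifier]
        if mech == "all":
            return RESULTS[qualifier]
    return "neutral"

def srs_rewrite(envelope_from, forwarder_domain, secret, timestamp="AB"):
    """Simplified SRS0-style rewrite: SRS0=hash=timestamp=domain=local@forwarder."""
    local, domain = envelope_from.rsplit("@", 1)
    mac = hmac.new(secret, f"{timestamp}{domain}{local}".encode(), hashlib.sha1)
    return f"SRS0={mac.hexdigest()[:4]}={timestamp}={domain}={local}@{forwarder_domain}"

def scenarios():
    sender = "alice@example.org"
    rewritten = srs_rewrite(sender, "forwarder.example", b"constructed-secret")
    return {
        # Sent from the domain's own MSA/MTA range.
        "direct": check_spf("192.0.2.25", sender),
        # '.forward' relays with the envelope untouched: the forwarder's IP is not listed.
        "forwarded_unchanged": check_spf("198.51.100.7", sender),
        # Same relay after SRS: the envelope domain is now the forwarder's own.
        "forwarded_srs": check_spf("198.51.100.7", rewritten),
        # Envelope domain with no record; whatever the From: header claims is not checked.
        "header_only_forgery": check_spf("203.0.113.9", "x@unpublished.example"),
    }

if __name__ == "__main__":
    print(scenarios())
```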


