On Fri, Jan 20, 2006 at 05:05:58PM +0100, Thomas Goirand wrote:
> Michael Loftis wrote:
> >I publish them for some of my personal domains, however, I don't
> >personally use SPF since I view it as fundamentally broken. We can't
> >deploy them for (web hosting) customer records because of all of the
> >various SMTP and SMTP Submit blocking we run into out there they (our
> >customers) can't use our mail servers a lot of the time which means
> >that an SPF record would basically amount to a +all or ?all which
> >negates the whole reason.
> Once, my Qmail server had received a mail bomb attack using a widespread
> virus that was sending mail to my server in order to produce a bounce
> message for hotmail.com (which was the real goal of this attack). My
> waiting queue was getting full, as well as my /var, and it was beginning
> to be a real disaster... until I had the very good idea to implement
> libspf on my qmail server (using the very good qmail-spp with plugins).

I think the actual problem in your case was Qmail's inability to
validate the recipient during the SMTP session. I had similar problems
with bounces in the old days before I migrated away from Qmail. This
specific scenario does not happen if the server properly rejects the
message immediately instead of bouncing.

> SPF is not a protection for your customer, see it as a protection for
> your server, just like RBL checks: it's a low cpu filter that helps you to
> disconnect spammers BEFORE the spam is sent...

SPF works only as long as spammers actually start to use it massively
themselves (and I think I have read somewhere that many have already
started to use it). If most servers start checking SPF, eventually all
spammers will start to use valid SPF-configured envelope addresses.
After that SPF does not help at all but merely becomes an extra burden
on the DNS and mail servers (after all, it requires extra lookups from
the net).

SPF does not effectively fight spam, but it tries to reduce backscatter
which could be avoided by simply configuring servers so that they do not
send unnecessary backscatter (Qmail is a major problem here).
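The difference discussed in this message between rejecting an unknown recipient during the SMTP session and accepting the mail and bouncing it later, as an added sketch that is not part of the original post. All addresses, the sample burst and the function names are constructed for illustration; the model ignores everything except recipient validity and the envelope sender.

```python
# Constructed sample data: two real mailboxes and a burst of mail whose
# envelope sender is forged to point at an uninvolved third party.
VALID_RCPTS = {"alice@example.org", "bob@example.org"}
FORGED = "victim@example.net"
SAMPLE = [(FORGED, f"user{i}@example.org") for i in range(5)] + [
    ("carol@example.com", "alice@example.org"),   # legitimate mail
    ("", "nobody@example.org"),                   # null sender <>, i.e. itself a bounce
]

def rcpt_check(rcpt):
    """Reply to RCPT TO when the server knows its mailboxes in-session."""
    if rcpt.lower() in VALID_RCPTS:
        return 250, "2.1.5 Ok"
    return 550, "5.1.1 User unknown"

def deliver(messages, validate_at_smtp):
    """Process (envelope_sender, recipient) pairs.

    Returns (delivered, rejected_in_session, bounce_targets).
    """
    queue, rejected = [], 0
    for sender, rcpt in messages:
        if validate_at_smtp and rcpt_check(rcpt)[0] != 250:
            # The connecting client gets the 550; nothing is queued and
            # this server never writes to the envelope sender.
            rejected += 1
            continue
        queue.append((sender, rcpt))

    delivered, bounce_targets = 0, []
    for sender, rcpt in queue:
        if rcpt.lower() in VALID_RCPTS:
            delivered += 1
        elif sender:
            # Accepted first, found undeliverable later: a bounce goes to
            # whatever envelope sender was claimed (backscatter if forged).
            bounce_targets.append(sender)
        # A null sender never gets a bounce, so that message is dropped.
    return delivered, rejected, bounce_targets

if __name__ == "__main__":
    for mode in (False, True):
        d, r, b = deliver(SAMPLE, validate_at_smtp=mode)
        print(f"validate_at_smtp={mode}: delivered={d} rejected={r} "
              f"queued_bounces={len(b)} to={sorted(set(b))}")
```

With in-session validation the queue only ever holds deliverable mail, so neither the local disk nor the forged sender's mailbox absorbs the burst.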