
Re: spf record



On Fri, Jan 20, 2006 at 05:05:58PM +0100, Thomas Goirand wrote:
> Michael Loftis wrote:
> >I publish them for some of my personal domains, however, I don't 
> >personally use SPF since I view it as fundamentally broken.  We can't 
> >deploy them for (web hosting) customer records because of all of the 
> >various SMTP and SMTP Submit blocking we run into out there they (our 
> >customers) can't use our mail servers a lot of the time which means 
> >that an SPF record would basically amount to a +all or ?all which 
> >negates the whole reason.
> Once, my Qmail server had received a mail bomb attack using a widespread 
> virus that was sending mail to my server in order to produce a bounce 
> message for hotmail.com (which was the real goal of this attack). My 
> waiting queue was getting full, as well as my /var, and it was beginning 
> to be a real disaster... until I had the very good idea to implement 
> libspf on my qmail server (using the very good qmail-spp with plugins).

I think the actual problem in your case was Qmail's inability to validate
the recipient during the SMTP session. I had similar problems with bounces
in the old days before I migrated away from Qmail. This specific scenario
does not happen if the server properly rejects the message immediately
instead of bouncing.

> SPF is not a protection for your customer, see it as a protection for 
> your server, just like RBL checks: it's a low-CPU filter that helps you to 
> disconnect spammers BEFORE the spam is sent...

SPF works only as long as spammers actually start to use it massively
themselves (and I think I have read somewhere that many have already started
to use it). If most servers start checking SPF, eventually all spammers will
start to use valid SPF-configured envelope addresses. After that SPF does
not help at all but merely becomes an extra burden on the DNS and mail
servers (after all, it requires extra lookups from the net).

SPF does not effectively fight spam, but it tries to reduce backscatter
which could be avoided by simply configuring servers so that they do not
send unnecessary backscatter (Qmail is a major problem here).
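
The difference between bouncing and rejecting during the SMTP session that this message describes, as an added example that is not part of the original post. The mailbox list, addresses and traffic are constructed, and the two functions are hypothetical models of server behaviour, not any MTA's actual code.

```python
"""Constructed model: accept-then-bounce vs. reject during the SMTP session."""

LOCAL_USERS = {"alice@example.net", "bob@example.net"}  # constructed mailboxes

# Constructed traffic as (envelope sender, envelope recipient). The first
# three senders are forged, so any bounce goes to an uninvolved third party.
TRAFFIC = [
    ("victim@example.org", "nosuchuser1@example.net"),
    ("victim@example.org", "nosuchuser2@example.net"),
    ("victim@example.org", "alice@example.net"),
    ("carol@example.com", "bob@example.net"),
]


def accept_then_bounce(traffic):
    """Answer 250 to every RCPT TO, queue it, and bounce unknown users later."""
    queue = list(traffic)  # everything lands in the queue (and on /var)
    bounces = []
    for sender, rcpt in queue:
        if rcpt not in LOCAL_USERS:
            # The bounce is a new message addressed to the envelope sender.
            # With a forged sender this is backscatter.
            bounces.append(sender)
    return {"queued": len(queue), "bounces_sent": bounces}


def reject_at_rcpt(traffic):
    """Validate the recipient at RCPT TO and answer 550 for unknown users."""
    queue, replies = [], []
    for sender, rcpt in traffic:
        if rcpt in LOCAL_USERS:
            queue.append((sender, rcpt))
            replies.append("250")
        else:
            # Nothing is queued and no bounce is generated by this server;
            # the connecting client is left holding the failure.
            replies.append("550")
    return {"queued": len(queue), "bounces_sent": [], "replies": replies}


if __name__ == "__main__":
    print("accept-then-bounce:", accept_then_bounce(TRAFFIC))
    print("reject-at-RCPT:    ", reject_at_rcpt(TRAFFIC))
```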
