Re: spf record

To: debian-isp@lists.debian.org
Subject: Re: spf record
From: Stephen Gran <sgran@debian.org>
Date: Sat, 21 Jan 2006 13:58:07 +0000
Message-id: <[🔎] 20060121135807.GB14124@www.lobefin.net>
Mail-followup-to: debian-isp@lists.debian.org
In-reply-to: <[🔎] 43D1867D.3070409@emenaker.com>
References: <[🔎] 43D0F355.5050503@rcrcomputing.com> <[🔎] 6640D448BFB97BD51DB8591A@dhcp-2-206.wgops.com> <[🔎] 43D10A66.3020502@goirand.fr> <[🔎] 20060120200106.GD549@verkkotelakka.net> <[🔎] 43D14814.5010207@emenaker.com> <[🔎] 20060120234030.GE549@verkkotelakka.net> <[🔎] 43D1867D.3070409@emenaker.com>

This one time, at band camp, Joe Emenaker said:
> Juha-Matti Tapio wrote:
> >
> >In a couple minutes I can think of at least the following ways to go around
> >that:
> >
> >a) Use any domain that either does not have SPF records or allows any
> >sources.
> Well, the "grand plan" for SPF is that these are going to disappear or 
> become as rare as open relays. As SPF becomes more widespread, the spam 
> filters will be more comfortable with being harsh to SPF-failing 
> messages. As that happens, if you run a mail server... and you want your 
> mail to actually get *delivered*, you'll implement SPF.

This is simply not true in the wider world of email.  There are many
legitimate mail servers out there that haven't upgraded to using EHLO.
There are many people running software like qmail or exchange that
can't do recipient verification at smtp time, and produce huge volumes
of backscatter.  If mail admins can't be bothered to do these most basic
of things, what makes you htink the entire world is going to switch to
using one of many competing ideas about sender verification?

Not to mention that of course spf has major implementation problems
(forwarded email being the main one, but there are others).  It also is
a plan that necessitates every mail admin working in concert to make it
useful, which makes it a pipe  dream.  And finally, even if every one
did it, it still won't stop spam (see below).  You can see most of these
arguments said better at http://david.woodhou.se/why-not-spf.html

> >For example I would be really surprised to ever see actually
> >effective SPF-records on debian.org.
> >  
> Why?
> >b) Use the domain of the ISP of the zombie-machines.
> >  
> Yeah.... well, zombie machines are, IMO, outside of the scope of SPF.

Well, since these appear to be the largest and fastest growing source of
spam, that about kills spf off as a solution.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: spf record
  - From: Joe Emenaker <joe@emenaker.com>
- Re: spf record
  - From: Craig Sanders <cas@taz.net.au>

References:
- spf record
  - From: Rodney Richison <rodney@rcrcomputing.com>
- Re: spf record
  - From: Michael Loftis <mloftis@modwest.com>
- Re: spf record
  - From: Thomas Goirand <thomas@goirand.fr>
- Re: spf record
  - From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
- Re: spf record
  - From: Joe Emenaker <joe@emenaker.com>
- Re: spf record
  - From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
- Re: spf record
  - From: Joe Emenaker <joe@emenaker.com>

Prev by Date: restrict a root login via ssh to read-only fs access?
Next by Date: Re: restrict a root login via ssh to read-only fs access?
Previous by thread: Re: spf record
Next by thread: Re: spf record
Index(es):
- Date
- Thread