
Re: spf record



This one time, at band camp, Joe Emenaker said:
> Stephen Gran wrote:
> >If mail admins can't be bothered to do these most basic
> >of things, what makes you think the entire world is going to switch to
> >using one of many competing ideas about sender verification?
> >  
> Um... because AOL, Yahoo, and MSN are already implementing it?

But they're not really:

yahoo has no spf record
ptr:mx.aol.com ?all
msn does have strict (~all) records.

So one out of three have it actually working as you say.  In fact, yahoo
is unlikely to ever adopt SPF, as they are pushing their own solution,
called domain keys.  It is yet another anti-forgery tool, but it is
different than SPF, and completely incompatible.

> Several years ago, you probably would have asked the same "why would 
> they bother?" about admins turning off open-relay. In retrospect, the 
> reason why they bothered is because their failure to do so started 
> affecting mail delivery. Same thing goes for SPF. If it starts affecting 
> delivery of your system's mail, your admin is going to start catching 
> heat until he/she gets with the program.

SPF is a very different animal to running an open relay.  The problem
is that there is a lot of spam, and some of it forges legitimate
addresses and domains.  SPF would like to address the forgery part (but
explicitly not the spam part, which makes it significantly less
attractive to make it worth the effort of setting up).  At the time
people moved away from open relays, there was both a pull and a push
towards doing so - authenticated smtp was getting easy to do, and
spammers were wasting too many resources on systems that were still open
relays.

At the moment, there are several competing strategies to combat forgery,
and SPF is only one (and notably the most difficult and troublesome of
the bunch.)  Hotmail announced last year that they were going to stop
accepting mail from domains that don't have SPF records.  Spammers
immediately adopted SPF records, hotmail started bouncing legitimate
mail (either forwarded or from domains without SPF records, like, er,
yahoo), users complained, and the policy was reverted.

> >>Yeah.... well, zombie machines are, IMO, outside of the scope of SPF.
> >>    
> >Well, since these appear to be the largest and fastest growing source of
> >spam, that about kills spf off as a solution.
> >  
> Well, I haven't seen any authoritative numbers recently, and you used 
> the word "appear", so I'm going to take that with a grain of salt.

http://www.theregister.co.uk/2005/05/24/operation_spam_zombie/
http://www.usatoday.com/tech/news/computersecurity/2004-09-08-zombieuser_x.htm
http://www.informationweek.com/story/showArticle.jhtml?articleID=28700163

It looks like zombie machines accounted for roughly 40% of spam at the
midpoint of last year.  If you look at figures a few years before that,
they are nowhere near that high.

HTH,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
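
The following Python is an added example, not part of the original message: it reads the default result a published SPF record assigns to senders it does not list, covering the cases mentioned above (no record, `?all`, `~all`) plus `-all`. The domain names and TXT strings are constructed samples; only the `ptr:mx.aol.com ?all` terms come from the message.

```python
# Added example: derive the default result of an SPF policy from a domain's
# TXT records. Qualifier meanings are those of the SPF specification (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_default_result(txt_records):
    """Result applied to a sender that matches no earlier mechanism."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"        # domain publishes no SPF policy at all
    if len(spf) > 1:
        return "permerror"   # more than one SPF record is an error
    redirect = None
    for term in spf[0].split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = low.split("=", 1)[1]
            continue
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        qualifier, mech = (low[0], low[1:]) if low[0] in QUALIFIERS else ("+", low)
        if mech == "all":
            return QUALIFIERS[qualifier]  # terms after "all" are never evaluated
    if redirect:
        return "redirect:" + redirect     # policy is defined by another domain
    return "neutral"                      # no "all" and no redirect


def tells_receivers_to_reject(result):
    """Only a hard fail asks the receiver to refuse unlisted senders."""
    return result == "fail"


# Constructed sample records (hypothetical domains).
SAMPLES = {
    "no-spf.example": ["some-verification-token=constructed"],
    "neutral.example": ["v=spf1 ptr:mx.aol.com ?all"],
    "softfail.example": ["v=spf1 include:spf.softfail.example ~all"],
    "hardfail.example": ["v=spf1 mx -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        result = spf_default_result(records)
        print(f"{domain:18} {result:9} reject={tells_receivers_to_reject(result)}")
```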
